Reference: Windows encryption management

Encryption management policies encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information, see Microsoft Documentation: BitLocker.

Database configuration is not required for Tanium Cloud.

Endpoint requirements

  • Windows 7 SP1 Enterprise or Ultimate*

    Windows 7 endpoints must have a TPM chip to use BitLocker.

  • Windows 8.1 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro
  • Windows 11 Enterprise or Pro

* Windows 7 SP1 requires Microsoft KB2758857.

For more information about Windows endpoint requirements and TPM compatibility, see Microsoft Documentation: BitLocker.

Configuration requirements

You must complete the following steps to configure your environment to use encryption management policies:

Database configuration is not required for Tanium Cloud. See Tanium Cloud documentation for requirement information.

Choose where to host the database

Before you create and enforce encryption management policies, you must create a database to store the recovery keys. That database can be hosted on the Tanium Module Server (TMS) or you can host it on your own server (Self hosted). Hosting the database on the TMS requires no additional configuration. If you host the database on your own server, refer to the next section for further information.

Create a self hosted database to store the recovery keys

Enforce provides fields to help you create a secure connection to a Postgres or Microsoft SQL Server database to store the recovery keys.

recovery key Database Requirements

  • CPU: 4 Cores
  • RAM: 8 GB
  • Hard Drive: 80 GB

Specify the required information to securely connect the database to the Tanium Module Server in the Overview > Settings > Endpoint Encryption tab in the Enforce workbench. For more information, see Configure Endpoint Encryption settings.

See User role requirements for roles that can view the recovery keys for users on the Endpoint Encryption page in the Enforce workbench. This page lists all endpoints that are encrypted through an Enforce encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.

Recovery keys are used to unlock the drive if a user forgets the PIN or password. The recovery key ID displays on the BitLocker recovery page. The user can then retrieve the recovery key by providing the recovery key ID to the recovery portal, which you set up as part of the BitLocker configuration.

Configure the database to allow only connections from the Tanium Module Server.

Install the End-User Notifications service and initialize endpoints

Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you can enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.

Install and configure Direct Connect

Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the recovery key database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium Direct Connect User Guide: Installing Direct Connect.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.

Install and configure the recovery portal

The recovery portal is an optional self-service website that users can access if they forget their PIN or password. This website is typically Internet-facing in a DMZ so that users who forget their PIN or password can access it from another device. For more information, see Reference: Encryption management recovery portal.

Create and enforce the encryption management policy

Create the policy and enforce it on endpoints. For more information, see Create a BitLocker policy.

Endpoint workflow

After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.

Prepare the drive for encryption

After the policy is enforced on an endpoint, a notification displays to instruct the user to reboot the computer to prepare the drive for encryption. The user can dismiss this message. It displays every hour until the user reboots the computer.

Configure the text for this notification in the Reboot Computer section of the BitLocker policy.

This action is the only BitLocker action that does not automatically repeat if it fails because manual intervention is usually required to recover from a failure during drive preparation. If this action fails on an endpoint, a failure message displays to the user, and the policy is reported as unenforced with Failed to prepare volume for encryption as the enforcement error.

Configure the PIN or password

This stage occurs only if you configured the policy for TPM + PIN or Allow BitLocker to run without a compatible TPM.

After the computer reboots, the user is prompted within five minutes to set a PIN or password. Configure the text for this message in the Enter New Credentials section of the BitLocker policy.

After the user enters a PIN or password and clicks Create PIN, a notification displays to alert the user that encryption begins after the next reboot. Configure the text for this message in the Encrypt Hard Drive section of the BitLocker policy. Depending on the operating system configuration, the user might also see a Windows notification that encryption begins after the computer is rebooted.

Encryption occurs

The next time that the user reboots the computer, they are prompted to enter the PIN or password if one was set. Encryption begins. The encryption process is not disruptive. The user sees an icon in the system tray that indicates that the drive is being encrypted, but the user can continue to work. If needed, the user can right click the system tray icon and choose to pause the encryption process.

Behavior at subsequent starts / reboots

After encryption completes, users are prompted for the PIN or password each time they start or reboot the computer, if one was set. In the boot screen, users see the instructions for unlocking the drive using the recovery the key if they forget their PIN or password. Configure the text for this pre-boot message in the Key Recovery section of the BitLocker policy.

User forgets the PIN or password

When a user is prompted to enter the PIN or password, there is an instruction to Press Esc for BitLocker recovery. When the user presses the Esc key, the BitLocker recovery page displays. This page displays the text that you configured in the Key Recovery section of the BitLocker policy and the Recovery Key ID for the user.

Include a link to the recovery portal for this text.

The user signs in to the recovery portal using the SAML authentication that you configured in the Recovery Portal tab. The user enters the number of characters of the recovery key ID that you set, selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.

If a user forgets the PIN or password to sign in, you must provide the recovery key for that system by finding it in the Endpoint Encryption > BitLocker Recovery Keys page in the Enforce workbench.

After the drive is unlocked, the user is prompted to change the PIN or password within five minutes. The text for this prompt is hardcoded and does not need to be configured in the BitLocker policy. On subsequent starts or reboots, the user uses this new PIN or password to unlock the drive.

Suspend and resume BitLocker

During system maintenance or troubleshooting, you might need to temporarily suspend BitLocker. The key protectors are disabled when you suspend BitLocker, which allows you to bypass BitLocker without unencrypting the drive. You can resume BitLocker after you complete the maintenance or troubleshooting without having to encrypt the drive again.

Enforce includes these packages to suspend and resume BitLocker: Enforce - Suspend BitLocker and Enforce - Resume BitLocker.

Enforce - Suspend BitLocker

Use this package to suspend BitLocker on an endpoint. This package has one parameter, rebootcount. Use this parameter to specify the number of reboots before BitLocker automatically resumes. If you set this parameter to 0, BitLocker never automatically resumes and must be manually resumed by running the Enforce - Resume BitLocker package.

Enforce - Resume BitLocker

Use this package to resume BitLocker on an endpoint where it was previously suspended.

When you suspend BitLocker on an enforced endpoint, the BitLocker policy enforcement status is Unenforced with BitLocker has been suspended as the reason.

For more information about using actions to deploy packages to endpoints, see Tanium Console User Guide: Deploying actions.

Remove BitLocker encryption from an endpoint

Two steps are required to remove BitLocker encryption from an endpoint:

  1. Remove the BitLocker policy enforcement on the endpoint. For more information, see Remove an enforcement.
  2. Deploy an action to run the Enforce - Decrypt BitLocker package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.

This multi-step design is intentional so that encryption is not removed from a drive if an administrator inadvertently removes enforcement of the policy from an endpoint.

Export recovery keys

You can export endpoint encryption recovery keys to a CSV file to use for disaster recovery purposes. To export recovery keys, you must have the Disk Encryption Recovery Keys - Export permission. This permission is granted only to the Enforce Administrator and Enforce Operator roleroles by default.

The CSV file includes sensitive data. Ensure that you store this file in a secure location.

  1. From the Enforce menu, click Endpoint Encryption.
  2. Click the BitLocker Recovery Keys tab.
  3. Click Export to CSV. Read the warning about the contents of the file and click Confirm.