Reference: Windows encryption management
Encryption management policies encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information, see Microsoft: BitLocker.
Encryption management policies are supported on the following Windows editions:
- Windows 7 Enterprise or Ultimate
- Windows 8 Enterprise or Pro
- Windows 10 Education, Pro Education, Enterprise, or Pro
Windows 7 endpoints must have a TPM chip to use BitLocker.
For more detailed Windows endpoint requirements, including TPM compatibility, see Microsoft: BitLocker.
You must complete the following steps to configure your environment to use encryption management policies:
Before you create and enforce encryption management policies, you must create a database to store the recovery keys. That database can be hosted on the Tanium Module Server (TMS) or on your own server (self-hosted). Hosting the database on the TMS requires no additional configuration. If you host the database on your own server, see the next section.
Create a self-hosted database to store the recovery keys
Enforce provides fields to help you create a secure connection to a Postgres or Microsoft SQL Server database to store the recovery keys.
Recovery key database requirements
- CPU: 4 cores
- RAM: 8 GB
- Hard drive: 80 GB
Specify the information required to securely connect the database to the Tanium Module Server in the Overview > Settings > Endpoint Encryption tab in Enforce. For information, refer to Configure Endpoint Encryption settings.
For the roles that can view recovery keys on the Enforce > Endpoint Encryption page, see User role requirements. This page lists all endpoints that are encrypted through an Enforce encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.
Recovery keys are used to unlock the drive if a user forgets the PIN or password. The recovery key ID displays on the BitLocker recovery page. The user can then retrieve the recovery key by providing the recovery key ID to the recovery portal, which you set up as part of the BitLocker configuration.
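The Recovery Key ID that Enforce shows is the identifier of the BitLocker recovery password protector on the endpoint, so an administrator can confirm that the escrowed key belongs to the drive in front of them. The following script is an added example, not Tanium or Microsoft code; it reads the recovery protectors on a local volume and reproduces the prefix lookup that the recovery portal performs on the ID. It assumes Windows 8 or later (the BitLocker PowerShell module), an elevated session, and a minimum prefix length of 8 characters, which is a placeholder for whatever you configure in Enforce.

```powershell
# Added example (not Enforce or Microsoft code). Requires the BitLocker module
# (Windows 8 or later) and an elevated session. Function names are the author's own.

function Get-RecoveryProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only RecoveryPassword protectors carry the 48-digit recovery key. TPM, TpmPin
    # and Password protectors unlock the drive at boot but cannot recover it.
    $vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $MountPoint
                # The protector GUID is what the recovery screen and Enforce call the Recovery key ID.
                RecoveryKeyId    = ($_.KeyProtectorId -replace '[{}]', '')
                RecoveryPassword = $_.RecoveryPassword   # sensitive: never write this to a log
            }
        }
}

function Find-RecoveryProtector {
    # Mirrors the portal lookup: the user types the first N characters of the
    # Recovery key ID and the matching protector is returned. $MinChars stands in
    # for the character count you configure in Enforce (assumption: 8).
    param(
        [Parameter(Mandatory)][string]$IdPrefix,
        [int]$MinChars = 8,
        [string]$MountPoint = 'C:'
    )
    if ($IdPrefix.Length -lt $MinChars) {
        throw "Enter at least $MinChars characters of the recovery key ID."
    }
    Get-RecoveryProtector -MountPoint $MountPoint |
        Where-Object { $_.RecoveryKeyId.StartsWith($IdPrefix, [StringComparison]::OrdinalIgnoreCase) }
}

# Usage: confirm that the OS volume actually has a recovery password to escrow.
$rp = @(Get-RecoveryProtector -MountPoint 'C:')
if ($rp.Count -eq 0) {
    Write-Warning 'C: has no RecoveryPassword protector; there is nothing for Enforce to escrow.'
} else {
    # Show IDs only; the password itself should be read from the console or portal.
    $rp | Select-Object MountPoint, RecoveryKeyId
}
```

Windows 7 endpoints lack these cmdlets; there `manage-bde -protectors -get C:` prints the same protector IDs and numerical passwords. Compare the ID that a user reads from the recovery screen with the output above before handing out a key, and treat the RecoveryPassword value as a credential: do not echo it into scripts, tickets, or logs.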
As a best practice, configure the database and the firewall on its host to accept connections only from the Tanium Module Server.
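One way to enforce that restriction on a self-hosted SQL Server database, shown here as an added example rather than as part of the Enforce documentation: set the host firewall's default inbound action to block, add a single allow rule scoped to the TMS address, and then audit for any other rule that still opens the database port. It assumes a default instance listening on TCP 1433 and a TMS address of 10.0.0.5; both are placeholders.

```powershell
# Added example (not Enforce documentation). Run elevated on the Windows host of a
# self-hosted SQL Server recovery key database. $TmsAddress and $SqlPort are placeholders.
$TmsAddress = '10.0.0.5'
$SqlPort    = 1433

# 1. Unsolicited inbound traffic must be blocked by default on every profile so that
#    only explicit allow rules admit connections. Confirm first that an allow rule
#    exists for your own management path (for example RDP), or you lock yourself out.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Admit the database port only from the TMS. Do not add a broad Block rule for
#    other addresses: in Windows Firewall, block rules take precedence over allow
#    rules, so a broad block would also shut out the TMS.
New-NetFirewallRule -DisplayName 'Recovery key DB: allow TMS only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $TmsAddress -Action Allow -Profile Domain, Private

# 3. Audit: every enabled inbound allow rule that opens the database port, with its
#    remote address scope. A rule scoped to 'Any' undoes the restriction above.
#    (Port ranges such as '1000-2000' are not expanded by this simple check.)
function Get-OpenDbPortRules {
    param([int]$Port = 1433)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $ports = @($portFilter.LocalPort)
        if (($portFilter.Protocol -in 'TCP', 'Any') -and
            ($ports -contains 'Any' -or $ports -contains "$Port")) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = "$($_.Profile)"
                LocalPort     = ($ports -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

Get-OpenDbPortRules -Port $SqlPort | Format-Table -AutoSize
```

A named SQL Server instance uses a dynamic port unless you pin one in SQL Server Configuration Manager, so fix the port before scoping the rule. For a Postgres host the equivalent is a `host` line in `pg_hba.conf` that names only the TMS address, together with a `listen_addresses` setting that does not expose the server more widely than needed; the database-side restriction and the host firewall should agree.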
Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.
If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.
Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the recovery key database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium Direct Connect User Guide: Installing Direct Connect.
If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.
Install and configure the recovery portal
The recovery portal is an optional self-service website that users can access if they forget their PIN or password. This website is typically Internet-facing in a DMZ so that users who forget their PIN or password can access it from another device. Because the portal releases recovery keys, access to it must go through the SAML authentication that you configure in the Recovery Portal tab.
Create and enforce the encryption management policy
Create the policy and enforce it on endpoints. For more information, see Create a BitLocker policy.
After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.
Prepare the drive for encryption
After the policy is enforced on an endpoint, a notification displays to instruct the user to reboot the computer to prepare the drive for encryption. The user can dismiss this message. It displays every hour until the user reboots the computer.
Configure the text for this notification in the Reboot Computer section of the BitLocker policy.
This action is the only BitLocker action that does not automatically repeat if it fails because manual intervention is usually required to recover from a failure during drive preparation. If this action fails on an endpoint, a failure message displays to the user, and the policy is reported as unenforced with Failed to prepare volume for encryption as the enforcement error.
Configure the PIN or password
This stage occurs only if you configured the policy for TPM + PIN or Allow BitLocker to run without a compatible TPM.
After the computer reboots, the user is prompted within five minutes to set a PIN or password. Configure the text for this message in the Enter New Credentials section of the BitLocker policy.
After the user enters a PIN or password and clicks Create PIN, a notification displays to alert the user that encryption will begin after the next reboot. Configure the text for this message in the Encrypt Hard Drive section of the BitLocker policy. Depending on the operating system configuration, the user might also see a Windows notification that encryption will begin after the computer is rebooted.
The next time that the user reboots the computer, they are prompted to enter the PIN or password if one was set, and encryption begins. The encryption process is not disruptive: the user sees an icon in the system tray that indicates that the drive is being encrypted, but can continue to work. If needed, the user can right-click the system tray icon and choose to pause the encryption process.
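Which credential stage an endpoint goes through depends on whether it has a usable TPM, whether Windows policy permits BitLocker without one, and which startup protector ends up on the OS volume. The following check is an added example, not Enforce code: it gathers those three facts on an endpoint and reports which prompt, if any, the user should have seen. It assumes Windows 8 or later, an elevated session, and the standard `HKLM\SOFTWARE\Policies\Microsoft\FVE` policy location; the function name is the author's own.

```powershell
# Added example (not Enforce code). Requires the BitLocker and TrustedPlatformModule
# modules (Windows 8 or later) and an elevated session.
function Get-BitLockerCredentialMode {
    param([string]$MountPoint = 'C:')

    # TPM presence and readiness. Get-Tpm can throw on hardware with no TPM at all.
    $tpm = try { Get-Tpm } catch { $null }
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # "Require additional authentication at startup" writes under the FVE policy key;
    # EnableBDEWithNoTPM = 1 is "Allow BitLocker without a compatible TPM".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $allowNoTpm = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Map the startup protector on the volume to the stage described in the policy flow.
    $stage = if     ($types -contains 'TpmPin')   { 'TPM + PIN: user is prompted to set a PIN' }
             elseif ($types -contains 'Password') { 'No compatible TPM: user is prompted to set a password' }
             elseif ($types -contains 'Tpm')      { 'TPM only: no PIN or password prompt' }
             else                                 { 'No startup protector yet (drive not prepared, or TPM/policy missing)' }

    # Windows will not enable BitLocker on the OS drive without a TPM unless the
    # no-TPM policy is set, so this combination can never reach the credential stage.
    if (-not $tpmReady -and -not $allowNoTpm) {
        Write-Warning "$MountPoint has no usable TPM and EnableBDEWithNoTPM is not set; BitLocker cannot protect the OS drive."
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = $tpmReady
        AllowWithoutTpm  = $allowNoTpm
        ProtectorTypes   = ($types -join ',')
        VolumeStatus     = "$($vol.VolumeStatus)"
        ProtectionStatus = "$($vol.ProtectionStatus)"
        ExpectedStage    = $stage
    }
}

Get-BitLockerCredentialMode -MountPoint 'C:' | Format-List
```

Run it on an endpoint that reports an enforcement error or that never showed the Enter New Credentials prompt: a Password protector on a machine that has a ready TPM, or no startup protector at all, points at the policy or the drive preparation step rather than at the user.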
Behavior at subsequent starts / reboots
After encryption completes, users are prompted for the PIN or password each time they start or reboot the computer, if one was set. In the boot screen, users see the instructions for unlocking the drive using the recovery key if they forget their PIN or password. Configure the text for this pre-boot message in the Key Recovery section of the BitLocker policy.
User forgets the PIN or password
When a user is prompted to enter the PIN or password, there is an instruction to Press Esc for BitLocker recovery. When the user presses Esc, the BitLocker recovery page displays. This page displays the text that you configure in the Key Recovery section of the BitLocker policy and the user's Recovery key ID. As a best practice, this text should include a link to the recovery portal.
The user logs in to the recovery portal using the SAML authentication that you configured in the Recovery Portal tab. The user enters the first characters of the recovery key ID (as many as you configured), selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.
After the drive is unlocked, the user is prompted to change the PIN or password within five minutes. The text for this prompt is hardcoded and does not need to be configured in the BitLocker policy. On subsequent starts or reboots, the user uses this new PIN or password to unlock the drive.
During system maintenance or troubleshooting, you might need to temporarily suspend BitLocker. The key protectors are disabled when you suspend BitLocker, which allows you to bypass BitLocker without decrypting the drive. While BitLocker is suspended, the volume is unlocked with a clear key that Windows stores on the disk, so anyone with physical access to the device can read its data until protection is resumed. You can resume BitLocker after you complete the maintenance or troubleshooting without having to encrypt the drive again.
Enforce includes these packages to suspend and resume BitLocker: Enforce - Suspend BitLocker and Enforce - Resume BitLocker.
Enforce - Suspend BitLocker
Use this package to suspend BitLocker on an endpoint. This package has one parameter, rebootcount. Use this parameter to specify the number of reboots before BitLocker automatically resumes. If you set this parameter to 0, BitLocker never automatically resumes and must be manually resumed by running the Enforce - Resume BitLocker package.
Enforce - Resume BitLocker
Use this package to resume BitLocker on an endpoint where it was previously suspended.
When you suspend BitLocker on an enforced endpoint, the BitLocker policy enforcement Status is Unenforced with BitLocker has been suspended as the Reason.
For more information about using actions to deploy packages to endpoints, see Tanium Console User Guide: Deploying actions.
Two steps are required to remove BitLocker encryption from an endpoint:
- Remove the BitLocker policy enforcement on the endpoint. For more information, see Remove a policy enforcement.
- Deploy an action to run the Enforce - Decrypt BitLocker package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.
This multi-step design is intentional so that encryption is not removed from a drive if an administrator inadvertently removes enforcement of the policy from an endpoint.
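The native BitLocker cmdlets expose the same suspend, resume, and decrypt operations that the Enforce - Suspend BitLocker, Enforce - Resume BitLocker, and Enforce - Decrypt BitLocker packages drive, and they let you verify the state that Enforce reports. The following script is an added example, not the content of those packages: it wraps each operation with a check of the resulting volume state, adds an audit for suspended volumes (the condition behind the "BitLocker has been suspended" reason), and polls decryption to completion. It assumes Windows 8 or later and an elevated session; function names are the author's own.

```powershell
# Added example (not the Enforce packages). Requires the BitLocker module
# (Windows 8 or later) and an elevated session.

function Get-VolumeState {
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        # VolumeStatus tracks the data (FullyEncrypted, EncryptionInProgress, DecryptionInProgress,
        # FullyDecrypted, ...). ProtectionStatus tracks the protectors: 'Off' on an encrypted
        # volume is the suspended state; a paused encryption is a VolumeStatus, not a suspension.
        VolumeStatus     = "$($v.VolumeStatus)"
        ProtectionStatus = "$($v.ProtectionStatus)"
        Percent          = $v.EncryptionPercentage
    }
}

function Suspend-EndpointBitLocker {
    # $RebootCount mirrors the package's rebootcount parameter: 0 keeps BitLocker
    # suspended until Resume is run; Windows accepts 0 through 15.
    param([string]$MountPoint = 'C:', [ValidateRange(0, 15)][int]$RebootCount = 1)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    $s = Get-VolumeState -MountPoint $MountPoint
    if ($s.ProtectionStatus -ne 'Off') { throw "Suspend did not take effect on $MountPoint" }
    $s
}

function Resume-EndpointBitLocker {
    param([string]$MountPoint = 'C:')
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $s = Get-VolumeState -MountPoint $MountPoint
    if ($s.ProtectionStatus -ne 'On') { throw "Resume did not take effect on $MountPoint" }
    $s
}

function Get-SuspendedVolumes {
    # Audit: volumes that hold encrypted data but whose protectors are disabled.
    Get-BitLockerVolume | Where-Object {
        "$($_.VolumeStatus)" -ne 'FullyDecrypted' -and "$($_.ProtectionStatus)" -eq 'Off'
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

function Remove-EndpointBitLocker {
    # Second removal step. Only run this after the policy enforcement has been removed in
    # Enforce; with the enforcement still in place the policy simply re-encrypts the drive.
    param([string]$MountPoint = 'C:', [int]$PollSeconds = 30)
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds $PollSeconds
        $s = Get-VolumeState -MountPoint $MountPoint
        Write-Host ('{0}: {1} ({2}% encrypted)' -f $s.MountPoint, $s.VolumeStatus, $s.Percent)
    } while ($s.VolumeStatus -eq 'DecryptionInProgress')
    $s
}

# Usage: suspend for one reboot (firmware update, for example), confirm, then resume.
Suspend-EndpointBitLocker -MountPoint 'C:' -RebootCount 1
Get-SuspendedVolumes
Resume-EndpointBitLocker -MountPoint 'C:'
```

The audit function is the check to run when the console shows a policy as Unenforced with "BitLocker has been suspended": any volume it lists has its clear key on disk and is effectively unprotected until Resume runs or the reboot count is exhausted. The decrypt helper deliberately does nothing about the Enforce enforcement itself, matching the two-step removal described above.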
Last updated: 7/21/2021 2:08 PM