Reference: Encryption management

Encryption management policies encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information about BitLocker Drive Encryption, see Microsoft: BitLocker.

Endpoint requirements

  • Windows 7 Enterprise or Ultimate

    Windows 7 endpoints must have a TPM chip to use BitLocker.

  • Windows 8 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro

For more detailed Windows endpoint requirements, including TPM compatibility, see Microsoft: BitLocker.

Configuration requirements

You must complete the following steps to configure your environment to use encryption management policies:

Detailed steps are provided in the subsequent sections.

Create a Postgres database to store the recovery keys

Before you create and enforce encryption management policies, you must create a Postgres database to store the recovery keys. Specify the Postgres connection string on the Endpoint Encryption tab in the Protect settings. For more information, see Configure endpoint encryption settings.

Any user with the Protect Administrator or Protect Recovery Key Viewer role can view the recovery keys for users on the Endpoint Recovery page. This page lists all endpoints that are encrypted through a Protect encryption management policy. Select an endpoint and click Show Recovery Key to view the Recovery Key ID and Recovery Key for that endpoint.

Recovery keys are used to unlock the drive if a user forgets the PIN or password. The recovery key ID displays on the BitLocker recovery page.

As a best practice, configure the Postgres database to allow only connections from the Module Server.

Configure the endpoint encryption settings

Specify the connection details for the Postgres database on the Endpoint Encryption tab in the Protect settings. For more information, see Configure endpoint encryption settings.

Install the End-User Notifications service and initialize endpoints

Encryption management policies use the End-User Notifications service to display notifications throughout the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies. For more information, see Tanium End-User Notifications User Guide: Installing End-User Notifications.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the End-User Notifications service is listed as the enforcement failure reason.

Install and configure Direct Connect

Encryption management policies use Direct Connect to transfer encryption keys securely from the client to the Postgres database during the encryption process. This service must be installed and initialized on endpoints before you enforce encryption management policies.

If this service is not installed and pushed out to endpoints, the policy fails to enforce. In this scenario, the Direct Connect service is listed as the enforcement failure reason.

Create and enforce the encryption management policy

Create the policy and enforce it on endpoints. For more information, see Create a BitLocker policy.

Endpoint workflow

After the policy is enforced and pushed out to endpoints, the encryption process takes place in several stages.

Prepare the drive for encryption

After the policy is enforced on an endpoint, a notification displays to instruct the user to reboot the computer to prepare the drive for encryption. The user can dismiss this message. It displays every hour until the user reboots the computer.

Configure the text for this notification in the Reboot Computer section of the BitLocker policy.

This action is the only BitLocker action that does not automatically repeat if it fails because manual intervention is usually required to recover from a failure during drive preparation. If this action fails on an endpoint, a failure message displays to the user, and the policy is reported as unenforced with Failed to prepare volume for encryption as the enforcement error.

Configure the PIN or password

This stage occurs only if you configured the policy for TPM + PIN or Allow BitLocker to run without a compatible TPM.

After the computer reboots, the user is prompted within five minutes to set a PIN or password. Configure the text for this message in the Enter New Credentials section of the BitLocker policy.

After the user enters a PIN or password and clicks Create PIN, a notification displays to alert the user that encryption will begin after the next reboot. Configure the text for this message in the Encrypt Hard Drive section of the BitLocker policy. Depending on the operating system configuration, the user might also see a Windows notification that encryption will begin after the computer is rebooted.

Encryption occurs

The next time that the user reboots the computer, they are prompted to enter the PIN or password if one was set. Encryption begins. The encryption process is not disruptive. The user sees an icon in the system tray that indicates that the drive is being encrypted, but the user can continue to work. If needed, the user can right click the system tray icon and choose to pause the encryption process.

Behavior at subsequent starts / reboots

After encryption completes, users are prompted for the PIN or password each time they start or reboot the computer, if one was set. In the boot screen, users see the instructions for unlocking the drive using the recovery the key if they forget their PIN or password. Configure the text for this pre-boot message in the Key Recovery section of the BitLocker policy.

User forgets the PIN or password

When a user is prompted to enter the PIN or password, there is an instruction to Press Esc for BitLocker recovery. When the user presses Esc, the BitLocker recovery page displays. This page displays the text that you configure in the Key Recovery section of the BitLocker policy and the user's Recovery key ID.

The user logs in to the recovery portal using the LDAP authentication that you configured in the ecosystem.config.js file. The user enters the number of characters of the recovery key ID that you set in the MINIMUM_KEY_LENGTH parameter in the ecosystem.config.js file, selects the recovery key ID from the autocomplete results, and clicks Get Recovery Key. The user can use this recovery key to unlock the drive.

After the drive is unlocked, the user is prompted to change the PIN or password within five minutes. The text for this prompt is hardcoded and does not need to be configured in the BitLocker policy. On subsequent starts or reboots, the user uses this new PIN or password to unlock the drive.

Suspending and resuming BitLocker

During system maintenance or troubleshooting, you might need to temporarily suspend BitLocker. The key protectors are disabled when you suspend BitLocker, which allows you to bypass BitLocker without unencrypting the drive. You can resume BitLocker after you complete the maintenance or troubleshooting without having to encrypt the drive again.

Protect 2.0.2 and later includes these packages to suspend and resume BitLocker: Protect - Suspend BitLocker and Protect - Resume BitLocker.

Protect - Suspend BitLocker

Use this package to suspend BitLocker on an endpoint. This package has one parameter, rebootcount. Use this parameter to specify the number of reboots before BitLocker automatically resumes. If you set this parameter to 0, BitLocker never automatically resumes and must be manually resumed by running the Protect - Resume BitLocker package.

Protect - Resume BitLocker

Use this package to resume BitLocker on an endpoint where it was previously suspended.

When you suspend BitLocker on an enforced endpoint, the BitLocker policy enforcement Status is Unenforced with BitLocker has been suspended as the Reason.

For more information about using actions to deploy packages to endpoints, see Tanium Console User Guide: Deploying actions.

Removing BitLocker encryption from an endpoint

Two steps are required to remove BitLocker encryption from an endpoint:

  1. Remove the BitLocker policy enforcement on the endpoint. For more information, see Remove a policy enforcement.
  2. Deploy an action to run the Protect - Decrypt BitLocker package on the endpoint. For more information, see Tanium Console User Guide: Deploying actions.

This multistep design is intentional so that encryption is not removed from a drive if an administator inadvertently removes enforcement of the policy from an endpoint.

Last updated: 11/19/2019 7:45 PM | Feedback