XenMobile BitLocker Policy for Windows 10 Desktop/Tablet

book

Article ID: CTX228160

calendar_today

Updated On:

Description

XenMobile BitLocker Policy for Windows 10 Desktop/Tablets

BitLocker is a disk encryption feature that is built into Windows 10. It can be controlled via MDM policy beginning in Windows 10 1703 build. The policy CSP is available at https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

Bitlocker policy settings configure what settings the user sees when going through BitLocker UI on device. The policy does not auto start encryption on device. The user will need to start the BitLocker wizard on device and the settings from policy from server will control what options are available to user.

BitLocker Policy

Windows Desktop/Tablet settings

'Require device to be encrypted' - Configure whether to prompt user to enable BitLocker encryption on device. If enabled the device will show a toast message after enrollment is completed. The message would say that enterprise requires the device to be encrypted. If not enabled the BitLocker policy settings will be applied on device but user will not be prompted to enable encryption. When user starts BitLocker encryption the UI options will be controlled by policy from XMS server.
'Configure encryption methods' - What encryption to use for a specific drive type. Drive types are
1. OS Drive - Recommended encryption algorithm is XTS-AES 128 0r 256 bit. We default to XTS-AES 128 bit.
2. Fixed drive - Recommended encryption algorithm is XTS-AES 128 0r 256 bit. We default to XTS-AES 128 bit.
3. Removable drive - Recommended encryption algorithm is AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in version of Windows 10 older than 1511. We default to AES-CBC 128-bit.
'Require additional authentication at startup' - Configure if admin wants to allow or not allow BitLocker on device that do not have TPM chip. Trusted Platform Module(TPM) is hardware based and provides security related functions. A TPM chip is secure crypto-processor that is designed to carry out cryptographic operations. It will be used to generate, store and limit use of cryptographic keys. More information about TPM is available at https://docs.microsoft.com/en-us/windows/device-security/tpm/trusted-platform-module-overview
1. On a device with no TPM chip BitLocker will require user to create a unlock password or startup key. The startup key will be store in USB drive which is necessary to be plugged into device during startup. Unlock password is minimum 8 characters.
2. On a device with TPM there are 4 unlock modes available.
  1. TPM only - Encryption keys are store in TPM chip. No additional unlock data needed from user. Device will automatically unlock during boot using the encryption key from TPM chip.
  2. TPM + PIN - PIN is 6-20 digit PIN which user needs to configure during BitLocker setup and provide during device startup.
  3. TPM + Key - Key will be stored in USB drive and user will need to connect the USB drive every time the device boots.
  4. TPM + PIN and Key
'Minimum PIN length' - if TPM + PIN is used on device. PIN length should be between 6 - 20.
'Configure OS drive recovery' - Configure what recovery mechanism is available to user if they don't have the unlock password or USB key.
1. Hide or show recovery options to user in BitLocker UI. If recovery options are hidden from user then they need to be saved to AD which means that device should be registered to AD otherwise the policy will fail.
2. Allow/require/not allow data recovery agent. This is cert-based data recovery agent that is added from either Group Policy Management Console or Local Group Policy Editor. This is done outside of BitLocker policy.
3. Allow/require/not allow user to save a copy of recovery key(256 bit) or password(48 digit) for drive recovery. The key or password is generated by BitLocker on device. User can only save a copy of it for later use.
4. Configure if machine has to be AD joined before starting BitLocker.
5. Configure if recovery information can be stored in AD.
Configure if default or custom recovery message and URL are to be shown to user when in BitLocker recovery mode. A custom message or a custom URL can be configured but both cannot be configured at same time.
'Configure fixed drive recovery' - Configure recovery options for BitLocker encrypted fixed drive on device. There is no toast message setting for fixed drives. A password or smart card is required to unlock drive during startup. The startup unlock settings are not part of policy but show in BitLocker UI when enabling BitLocker encryption on Fixed drive.
'Block write access to fixed drives not using BitLocker' - When enabled allow write to fixed drive only when fixed drive is encrypted with BitLocker.
'Block write access to removable drives not using BitLocker' - Configure if write access should be denied to removable drive if BitLocker is not enabled on that drive.
1. Configure if write access is allowed on other organization removable drives

BitLocker encryption mode once started on device cannot be modified by pushing different policy.

BitLocker unlock and recovery options UI configuration

On a device with BitLocker enabled when the device boots it will ask for unlock step. This happens even before operating system is loaded. Only after unlock is successful OS can load.

The unlock step can ask for

password(alpha numeric) from user on non-TPM device or
look for startup key on USB drive on TPM or non-TPM device or
a PIN(numeric) on TPM device.

If the unlock is not successul the device will enter recovery mode which will ask for one of the following

48 digit recovery password which user will need to type. This is generated by BitLocker and can be stored in a file or printed or saved in Microsoft cloud account.
256 bit key. This is a .bek file which can only be store on USB drive.

The 48 digit recovery password or 256 bit key is generated by BitLocker during encryption time. User can save it during encryption time and use it during recovery step.

Non-TPM device

Below lists the different unlock options for non-TPM device based on settings in 'OS drive recovery settings'( SystemDrivesRecoveryOptions in CSP)

In non-TPM device BitLocker will need an unlock password or key to unlock the OS drive. Operating system can boot only after OS drive is unlocked. This is separate from recovery key or password which will be required only when unlock operation has failed because user forgot the unlock password or user lost the USB drive containing the startup key. Unlock password or startup key cannot be stored in AD.

Unlock password or key is not specifically mentioned in the CSP. But recovery options setting controls what options to show for system unlock. Typically 2 options are available to user to unlock OS drive.

Unlock option 1

OS drive recovery

Allow 48 bit password
Allow 256 bit key

Unlock password or startup key. If user chooses password option then user will be asked for unlock password.

Unlock option 2

BitLocker will directly ask for unlock password if 256-bit recovery key is set to 'Do not allow'. No option to store startup key in USB will be available to unlock OS drive.

TPM device

Unlock options

Default options in BitLocker policy 'Require additional authentication at startup' not enabled 'Configure OS drive recovery' not enabled	BitLocker will use TPM for unlock at startup - no screen showed for this Recovery screen is shown below
'Require additional authentication at startup' enabled - default options below TPM - allow TPM + PIN - allow TPM + Key - allow TPM + PIN and Key - allow 'Configure OS drive recovery' not enabled	BitLocker will provide choice to user Insert USB flash drive - to store unlock key Let BitLocker automatically unlock my drive If USB option is selected it shows below screen to save the key If 'Let BitLocker automatically unlock my drive' option is selected there is no specific screen shown to use for this. BitLocker saves the unlock info in TPM and proceeds to recovery options screen. Recovery screen:
TPM - Require TPM + PIN - do not allow TPM + Key - do not allow TPM + PIN and Key - do not allow	BitLocker uses TPM for unlock at startup - No screen specific to this It shows the recovery screen based on OS drive recovery options
TPM - Allow - for either of 2 options below we will see this error in BitLocker wizard TPM + PIN - Require TPM + PIN and Key - Require For TPM device it does not seem possible to enable TPM + PIN or TPM +PIN and Key option on tablet using BitLocker MDM CSP. The tablet devices seems to prompt that pre-boot keyboard is not available on the device. It shows the error message even if USB keyboard was connected to device when running BitLocker.
TPM - allow TPM + Key - allow TPM + PIN - do not allow TPM + PIN and Key - do not allow	Unlock options screen show below. After this screen the recovery options screen is driven by OS drive recovery choices in policy
TPM - allow/require TPM + Key - require

Fixed drive unlock options

Fixed drive encryption is not dependent on TPM. So the flow is same for both TPM and non-TPM device.

Unlock options

Recovery options for both TPM and non-TPM devices

Recovery options are available to user after going through the unlock options screen.

48 digit recovery password can be saved to file or printed or to cloud account or Microsoft account. User will need to enter the password manually during system recovery. 'Print the recovery key' option actually prints the 48 digit recovery password.
256 bit recovery key can only be saved to USB drive. During recovery step the USB drive should be inserted in system and BitLocker will read the key from drive. 'Save to a USB flash drive' will save the recovery key to USB drive. This is the only option to save the recovery key.

Allow 48 digit recovery password Allow 256 bit recovery key Require 48 digit recovery password Allow 256 bit recovery key After going through unlock option user is presented with following screen.
Require 48 digit recovery password Do not allow 256 bit recovery key Allow 48 digit recovery password Do not allow 256 bit recovery key After going through unlock option user is presented with following screen.
Do not allow 48 digit recovery password Do not allow 256 bit recovery key BitLocker will not start and show this error
Allow 48 digit recovery password Require 256 bit recovery key Do not allow 48 digit recovery password Require 256 bit recovery key Require 48 digit recovery password Require 256 bit recovery key After going through unlock option user is presented with following screen.
Do not allow 48 digit recovery password Allow 256 bit recovery key After going through unlock option user is presented with following screen.
Require 48 digit recovery password Do not allow 256 bit recovery key Hide recovery options in UI Device not enrolled to AD BitLocker shows this error on start
Do not allow 48 digit recovery password Require 256 bit recovery key Hide recovery options in UI Device not enrolled to AD BitLocker shows this error on start
Allow 48 digit recovery password Do not allow 256 bit recovery key Hide recovery options in UI Device not enrolled to AD Do not allow 48 digit recovery password Allow 256 bit recovery key Hide recovery options in UI Device not enrolled to AD BitLocker shows this error on start