Technical Guides By Product VMware Workspace ONE

Consumer Simple, Enterprise Secure: BitLocker Encryption Lifecycle Management

VMware Workspace ONE, powered by VMware AirWatch unified endpoint management (UEM) technology, simplifies the traditionally complex process of enterprise device encryption.

Instead of relying on third-party encryption solutions, AirWatch UEM leverages native functionality. Using APIs, AirWatch UEM aggregates native functionality into a single management touchpoint: The AirWatch console. Consolidating critical settings into the AirWatch console eliminates the overhead of juggling multiple encryption solutions. Instead, AirWatch UEM enables management of the entire encryption lifecycle for a comprehensive set of operating systems (OSs) and associated endpoints.

Today’s post covers encryption management for Windows 10 devices—from BitLocker encryption and enforcement to suspension and key recovery.

Current Device Encryption Challenges VMware AirWatch Solutions
Additional License Costs With Third-Party Tools Eliminate Third-Party License Cost
Another Third-Party Agent for Encryption Single Agent for All Advanced Management Capabilities
Inability to Enforce Encryption Locally on the Device Local Enforcement for Off-Network & Off-Domain Devices
No Separation of Duties for Admins Granular, Role-Based Access Controls
Complex Management via GPOs/Scripts Simple Profile With Comprehensive Controls
Recovery Key Management Auto Escrowing of Recovery Keys
High Help Desk Costs for End-User Recovery Self-Service Portal Key Retrieval

Supported OS Models for Out-of-the-Box Encryption

The major OS editions—Pro, Enterprise and Education—support Out-of-the-Box BitLocker encryption. For more information, you can compare Windows 10 editions or reach out to a Microsoft rep.

Consumer-Simple Encryption

A positive end-user experience provides an undisputed value to security initiatives. At the end of the day, IT must remain as focused on enablement as on security. After all, what does security matter if end users cannot do their jobs?

When it comes to BitLocker encryption for Windows 10 devices, a security by design approach provides the best user experience. Security by design implements device encryption in a way that feels like a non-disruptive, natural part of the device experience.

Certain BitLocker security settings, such as pre-boot authentication and recovery mode, require end-user interaction. While these settings enhance the overall security of the device, these could potentially become a user experience nightmare.

For this reason, make regaining device access an intuitive, self-service process. AirWatch UEM can help IT craft this experience.

Pre-Boot Authentication Policy & BitLocker Recovery Mode

At first boot, the Pre-Boot Authentication Policy prompts end users to create a PIN or password that meets corporate complexity requirements. After initial setup, end users enter their self-generated PIN or password to trigger decryption.

BitLocker Recovery Mode locks devices from users after a set number of authentication attempts. The majority of the people maxing out their authentication attempts are forgetful end users, not hackers.

The AirWatch Self-Service Portal helps users help themselves. Forgetful end users can use the portal to retrieve a recovery key, and regain device access. Watch how it works.

Enterprise-Secure Devices

In today’s IT security landscape, it’s a hard requirement to protect data at rest and in transit. With that in mind, note that BitLocker encrypts data at rest on Windows 10 devices.

The typical approach for protecting data at rest involves securing corporate devices with a password and with encryption. A password acts as a padlock that controls access to important files. Encryption scrambles the file’s data, making it unreadable to any intruders that get past the locks.

BitLocker Encryption Methods

Encrypted files require their own unique key for decryption and access. BitLocker currently uses Advanced Encryption Standard (AES), which breaks data into blocks before encrypting it. Since all the blocks are all the same size, padding may occur on the last block.

BitLocker supports two AES ciphers, Cipher Block Chaining (CBC) and XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing (XTS)

  • Logically XORs unencrypted blocks with the previous block’s cipher text
  • Ensures each block generates different outputs after encryption
  • Uses a random initialization vector for the first block
  • Supports key lengths of either 128-bit or 256-bit
  • Reduces the predictability of plain text by manipulating the cipher text
  • Additional tweak key improves permutation
  • FIPS-compliant
  • Available for Windows 10 1511 & above
  • Supports key lengths of either 128-bit or 256-bit.

Pre-Boot Authentication Policy

A password protection policy provides a first line of defense for corporate devices. However, since authentication prompts appear after the operating system boots up, data at rest remains accessible and at risk. To address this vulnerability, configure a pre-boot authentication policy.

BitLocker Recovery Mode

In addition to the pre-boot authentication policy, configure devices to enter BitLocker recovery mode after a certain number of failed authentication attempts. Locking devices into recovery mode protects from brute force attacks by malicious users.

Rapid Key Retrieval

An employee’s organizational role determines their permissions and level of access within the AirWatch admin console. An end user may have up to three 48-character BitLocker recovery keys.

BitLocker Encryption Personal Recovery Key

  • Unique for every device
  • Enables end users to self-service device lockout remediation
  • Displays in the AirWatch Self-Service Portal
BitLocker Encryption Static Recovery Key

  • Shared by a group of devices
  • Enables IT admins to unlock a group of devices
  • Configure the key’s auto-rotation period in the Encryption profile
BitLocker Encryption Grace Period Recovery Key

  • Previous static key, shared by a group of devices
  • Enables a grace period for lower-level AirWatch admins to learn the new shared key

As an additional layer of protection, the AirWatch console records all attempts to view recovery keys in event logs. To view these logs, you have a few options:

  • Navigate to Hub > Reports & Analytics > Events > Console Events in the AirWatch console
  • Integrate Syslog with AirWatch UEM and export the logs to your preferred SIEM solution

BitLocker Security Configurations

AirWatch UEM manages the full encryption lifecycle for Windows 10 devices. Create an Encryption profile to secure Windows 10 device data with BitLocker encryption. Then, enforce encryption by configuring a compliance policy that includes encryption status as part of the device’s general security posture.

[learn_more caption=”Configure BitLocker Encryption”]

  1. Navigate to Devices > Profiles > List View > Add > Add Profile > Windows > Windows Desktop > Device Profile.
  2. Configure the General profile settings. These settings determine how the profile deploys and who receives it. For more information on General settings, see “Add General Profile Settings.”
  3. Select the Encryption profile and configure the settings:
    Setting Description
    Encrypted Volume Use the drop-down menu to select the type of encryption as follows:

    • Complete Hard Disk: Encrypts the entire hard disk on the device, including the System Partition where the OS is installed.
    • System Partition: Encrypts a partition or drive in the same location Windows is installed and from which it boots.
    Encryption Method Select the System Default (varies per device) or any of the supported encryption algorithms.
    Default to the System Encryption Method Enable as a failsafe for devices that do not support the selected encryption method.

    For example, Windows 10 1507 and below do not support XTS encryption. If enabling XTS, select Default to System Encryption Method as a failsafe for Windows versions that do not support XTS.

    Only Encrypt Used Space During Initial Encryption Enable this setting to reduce the time required for encryption by only encrypting drive space in use. Keep in mind, the drive’s unused space remains unencrypted, potentially placing confidential data at risk.
    Recovery Key URL Enter the URL to display on the lock screen directing end users to get the recovery key. Specify the Self-Service Portal URL, using the format:

    https://<Devices Services Hostname>/MyDevice

    BitLocker Authentication Settings
    Authentication Mode Select the method for authenticating access to a BitLocker encrypted device.

    • TPM: Uses the device’s Trusted Platform Module; requires a TPM on the device
    • Password: Uses a password to authenticate
    Enforce Encryption PIN on Login Select this setting to require pre-boot authentication. This locks out the OS at startup and auto-resume, and requires a PIN to unlock devices.
    Use Password if TPM Not Present Select this setting to use a password as a fallback if TPM is unavailable. If deselected, devices that do not have TPM do not encrypt.
    Minimum Password Length Configure password length to match organizational complexity requirements.

    Settings apply to the Password Authentication Mode, and the setting Use Password if TPM Not Available.

    BitLocker Static Recovery Key Settings
    Create Static BitLocker Password Select to create a shared key for a group of devices. This simplifies key recovery for IT personnel who use the shared key to unlock devices.
    BitLocker Recovery Password Select the Generate icon to manually update the shared recovery key.
    Rotation Period Configure manual or automatic updates for the key by specifying the number of days in a rotation period.

    • Automatic Updates: Enter a value greater than 0 to create a rotation schedule.
    • Manual Updates: Enter 0 to opt out of the rotation schedule.
    Grace Period Enter the number of days after rotation that the previous recovery key still works.
    BitLocker Suspend
    Enable BitLocker Suspend Suspend BitLocker encryption during maintenance periods so that devices can reboot without end-user interaction. To preserve the end-user experience, it’s especially important to enable BitLocker Suspend during scheduled maintenance for kiosk or shared devices.
    Suspend BitLocker Type Select the type of suspension.

    • Schedule: Suspend BitLocker during a specific time period that repeats daily or weekly.
    • Custom: Suspend BitLocker during a specific time period.
    BitLocker Suspend Start Time Enter the time to start BitLocker suspension.
    BitLocker Suspend End Time Enter the time to end BitLocker suspension.
    Scheduled Repeat Type Configure the scheduled suspension to repeat daily or weekly. If you select weekly, select the days of the week to repeat the schedule.
  4. Select Save & Publish to push the profile to devices.


In Conclusion

AirWatch UEM automates the entire encryption process, from enabling BitLocker to enforcing encryption on devices. Configure a BitLocker profile in the AirWatch console to enable BitLocker on devices. Then, enforce encryption by configuring a compliance policy that includes encryption status as part of the device’s general security posture.

Stay on the lookout for future posts from about all things Windows 10: end-to-end security, Windows 10 with VMware Workspace ONE and more!