Crossgrade Functionality

In E82.20, BitLocker Management supports Crossgrade Functionality, which makes it possible to switch from Full Disk Encryption (in Classic Mode) to BitLocker Management and from BitLocker Management to Full Disk Encryption.

Crossgrade Functionality from Full Disk Encryption to BitLocker

From Full Disk Encryption (in Classic mode) to BitLocker Management:

  1. A pop-up dialog on the client announces the reboot that starts the Full Disk Encryption decryption.

    [Image: BL_10]

  2. The dialog displays a second time when the decryption phase is complete.
  3. BitLocker Management is active (with encryption) after the second reboot.

Crossgrade Functionality from BitLocker to Full Disk Encryption

From BitLocker Management to Full Disk Encryption:

  1. BitLocker Management decryption starts when the policy change is received.
  2. Decryption finishes and the transfer to Full Disk Encryption (Classic) starts.
  3. To proceed with the installation of pre-boot, Full Disk Encryption needs to acquire users and the following dialog displays.

    [Image: BL_9]

Takeover Unmanaged BitLocker Solutions

Takeover Unmanaged BitLocker into BitLocker Managed Solution

In this scenario, the organization has unmanaged BitLocker machines and wants to achieve centralized management using Check Point BitLocker Management.

Follow these steps:

  1. Define a policy with BitLocker Management.
  2. Select the Windows Default algorithm.
    • This will leave any existing BitLocker Encryption in place. Selecting another algorithm explicitly can result in a re-encryption if the existing algorithm does not match the algorithm in the policy.
    • In general, try to avoid re-encryption since it is a long process.

      Note - The time depends on the disk size, disk speed and PC hardware.

  3. Deploy the policy to the entire organization or only to the parts that need BitLocker Management.
  4. Install Check Point Endpoint Security with the Full Disk Encryption blade.

    Note - The Full Disk Encryption Blade contains both Full Disk Encryption (Classic) and BitLocker Management.

Takeover Unmanaged BitLocker into FDE Managed Solution

In this scenario, the organization has unmanaged BitLocker machines and wants to achieve centralized management and switch from BitLocker to Check Point FDE.

Follow these steps:

  1. Complete the four steps listed above in the BitLocker Management scenario.

    Note - Make sure to select the Windows Default algorithm to avoid unnecessary decryption/encryption on the clients.

  2. Once all the machines are under Check Point BitLocker Management, do a crossgrade from BitLocker to FDE:
    1. Define a policy with Check Point Full Disk Encryption instead of BitLocker Management.
    2. Deploy the policy with Full Disk Encryption to the parts of the organization that should use Full Disk Encryption.
    3. A BitLocker decryption and FDE Encryption will follow.

      Note - This re-encryption will take some time and parts of the disk will be in clear text during the operation.
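
The following pre-flight check is an added example, not Check Point code. It flags volumes where an explicitly selected algorithm would differ from the one already on disk (the re-encryption case in the takeover steps) and volumes that currently hold clear text (the state described in the crossgrade note). The function name and the `-PlannedMethod` parameter are hypothetical, and matching a policy algorithm to a Windows `EncryptionMethod` name is an assumption the operator must make, since this page does not list the policy's algorithm names.

```powershell
# Added example. Input records use the property names that Get-BitLockerVolume emits.
function Test-BitLockerTakeover {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Volume,
        # Hypothetical parameter: 'WindowsDefault', or the Windows EncryptionMethod
        # name (for example XtsAes256) that the planned policy would enforce.
        [string] $PlannedMethod = 'WindowsDefault'
    )
    process {
        $status    = [string]$Volume.VolumeStatus
        $method    = [string]$Volume.EncryptionMethod
        $encrypted = $status -ne 'FullyDecrypted'
        # An explicit algorithm that differs from the one on disk can trigger re-encryption.
        $reEncrypt = $encrypted -and $PlannedMethod -ne 'WindowsDefault' -and $method -ne $PlannedMethod
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeStatus     = $status
            EncryptionMethod = $method
            EncryptedPercent = $Volume.EncryptionPercentage
            ReEncryptionRisk = $reEncrypt
            # Any state other than FullyEncrypted means part of the disk is clear text.
            ClearTextOnDisk  = $status -ne 'FullyEncrypted'
            ProtectionOn     = [string]$Volume.ProtectionStatus -eq 'On'
        }
    }
}

# Constructed sample records (not taken from a real machine).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
        EncryptionMethod = 'XtsAes128'; EncryptionPercentage = 100; ProtectionStatus = 'On' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'DecryptionInProgress'
        EncryptionMethod = 'XtsAes256'; EncryptionPercentage = 42; ProtectionStatus = 'Off' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'
        EncryptionMethod = 'None'; EncryptionPercentage = 0; ProtectionStatus = 'Off' }
)

# With an explicit method, C: is flagged for re-encryption; D: and E: hold clear text.
$sample | Test-BitLockerTakeover -PlannedMethod 'XtsAes256' | Format-Table -AutoSize

# With the default, no volume is flagged for re-encryption.
$sample | Test-BitLockerTakeover | Format-Table -AutoSize
```

On a client, run `Get-BitLockerVolume | Test-BitLockerTakeover` from an elevated session before deploying the policy, and again during a crossgrade to see which volumes are not yet fully encrypted.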