BitLocker Encryption for Windows Clients

BitLocker encrypts the hard drives on a Windows computer, and is an integral part of Windows.

Check Point BitLocker uses the Endpoint Security Management Server (a Security Management Server that manages your Endpoint Security environment, including Endpoint Security policy management and databases; it communicates with endpoint clients to update their components, policies, and protection data), the Client Agent and the Harmony Endpoint UI to manage BitLocker.

BitLocker Management is implemented as a Windows service component called Check Point BitLocker Management.

It runs on the client together with the Client Agent (the Device Agent).

Check Point BitLocker Management uses APIs provided by Microsoft Windows to control and manage BitLocker.

Configuration options (setting and its description):

Setting: Initial Encryption
  • Encrypt entire drive - Recommended for computers that are in production and already have user data, such as documents and emails.
  • Encrypt used disk space only - Encrypts only the data. Recommended for fresh Windows installations.

Setting: Drives to encrypt
  • All drives - Encrypt all drives and volumes.
  • OS drive only - Encrypt only the OS drive (usually, C:\). This is the default.

Setting: Encryption algorithm
  • Windows Default - This is recommended. On Windows 10 or later, unencrypted disks are encrypted with XTS-AES-128. On encrypted disks, the encryption algorithm is not changed.
  • XTS-AES-128
  • XTS-AES-256

Note - To take control of a BitLocker-encrypted device, the target device must have a Trusted Platform Module (TPM) installed.
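The following PowerShell script is an added example, not Check Point's code and not part of the original page. It shows how an administrator can audit a client against the policy choices listed above (drives to encrypt, encryption algorithm) and the TPM prerequisite, using the BitLocker and TrustedPlatformModule cmdlets that ship with Windows. The $Policy values are constructed for illustration; the script is read-only and changes nothing on the machine.

```powershell
# Added example: read-only BitLocker compliance check for one Windows client.
# Assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 10 or later).
# $Policy mirrors the settings from the configuration table; these values are constructed.
$Policy = @{
    DrivesToEncrypt  = 'OSDriveOnly'     # or 'AllDrives'
    EncryptionMethod = 'WindowsDefault'  # or 'XtsAes128' / 'XtsAes256'
}

function Test-TpmPrerequisite {
    # Takeover of a BitLocker-encrypted device requires a TPM (see the Note above).
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-BitLockerComplianceReport {
    param([hashtable]$Policy)

    $volumes = Get-BitLockerVolume
    if ($Policy.DrivesToEncrypt -eq 'OSDriveOnly') {
        # "OS drive only" policy: only the operating-system volume is in scope.
        $volumes = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    }

    foreach ($v in $volumes) {
        $method = "$($v.EncryptionMethod)"
        $methodOk = if ($Policy.EncryptionMethod -eq 'WindowsDefault') {
            # "Windows Default" leaves an already-encrypted disk's algorithm unchanged,
            # so any real cipher is acceptable; only 'None' fails.
            $method -ne 'None'
        } else {
            $method -eq $Policy.EncryptionMethod
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus      # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus = $v.ProtectionStatus  # 'On' means key protectors are enforced
            EncryptionMethod = $method
            HasTpmProtector  = [bool]($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })
            Compliant        = ($v.VolumeStatus -eq 'FullyEncrypted') -and
                               ($v.ProtectionStatus -eq 'On') -and
                               $methodOk
        }
    }
}

if (-not (Test-TpmPrerequisite)) {
    Write-Warning 'No ready TPM found: this device cannot be taken over by BitLocker Management.'
}
Get-BitLockerComplianceReport -Policy $Policy | Format-Table -AutoSize
```

A volume that is still in EncryptionInProgress is reported as non-compliant on purpose: the window in which data is unencrypted is exactly what the Best Practice at the end of this page warns about. The same information is available to management agents through the Win32_EncryptableVolume WMI class (namespace root\CIMV2\Security\MicrosoftVolumeEncryption), which is the Windows-provided interface the cmdlets wrap.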

Taking Control of Unmanaged BitLocker Devices

You can do a takeover of BitLocker-encrypted devices that are not managed by Harmony Endpoint, and make them centrally managed. You can do this using BitLocker Management or Check Point Full Disk Encryption (a component on Endpoint Security Windows clients that combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops; acronym: FDE).

To take control of unmanaged BitLocker devices using BitLocker Management:

Define and install a Full Disk Encryption policy with BitLocker Management. Follow these guidelines:

To take control of unmanaged BitLocker devices using Check Point Full Disk Encryption:

  1. Follow the procedure in To take control of unmanaged BitLocker devices using BitLocker Management.

  2. After the devices are under Check Point BitLocker Management, define a rule with Check Point Full Disk Encryption that applies to the Entire Organization or only to the entities that need Check Point Full Disk Encryption. See Check Point Disk Encryption for Windows.

Best Practice - When you change the encryption policy for clients from BitLocker Management to Check Point Full Disk Encryption, the disk on the client is decrypted and then encrypted again. This leaves the disk in an unencrypted state for some time during the process. We recommend that you do not change the encryption policy for the entire organization in one operation. Make the change for one group of users at a time.