Configuring a BitLocker Encryption Policy

To manage BitLocker encryption on Endpoint Security clients on Windows, configure the Full Disk Encryption Policy. You can use the default Full Disk Encryption rule Default Full Disk Encryption settings for the entire organization, change the action of the rule to Use BitLocker Management, and install the policy.

Alternatively, you can create a new rule and configure actions for a specific organizational unit.

Best Practices -

  1. When you change the encryption policy for clients from Check Point Full Disk Encryption to BitLocker Management, the disk on the client is decrypted and then encrypted. This causes the disk to be in an unencrypted state for some time during the process. We recommend that you do not change the encryption policy for entire organization in one operation. Make the change for one group of users at a time.

  2. Define the BitLocker policy before installing the Endpoint Security package on the client computers. This ensures that encryption will happen just one time, with BitLocker. It avoids Check Point FDE encryption followed by FDE decryption and BitLocker encryption.

  1. Open SmartEndpoint and go to the Policy tab.

  2. In the toolbar of the Policy tab, click Create a Rule .

    The Create Rule Wizard opens.

  3. Click Full Disk Encryption.

  4. Click Next.

  5. In the Select Entities page, select the computers for which you want to configure BitLocker encryption.

  6. Click Next.

  7. In the Change rule action settings page, click Encryption Engine, and select Use BitLocker Management.

    A warning message shows. Read it carefully.

  8. Click Yes.

    Two actions remain: Encryption Engine and Access Management.

  9. Edit the BitLocker Management policy: Click Use BitLocker Management and select Edit Shared Action.

  10. Configure these settings:

    Setting

    Options
    Initial encryption type
    • Encrypt entire drive - Recommended for computers that are in production and already have user data, such as documents and emails.
    • Encrypt used disk space only, to encrypt only the data. Recommended for fresh Windows installations.
    Drives to encrypt
    • All drives - Encrypt all drives and volumes.
    • OS drive only - Encrypt only the OS drive (usually C:\). This is the default.
    Encryption algorithm
    • Windows Default - This is recommended. On Windows 10 Build 1507 or later, unencrypted disks are encrypted with XTS-AES-128. On encrypted disks, the encryption algorithm is not changed.
    • XTS-AES-128
    • XTS-AES-256

  11. Click OK.

  12. Click Next.

  13. In the Enter rule name and comment page, fill in the details.

  14. Click Finish.

  15. In the main toolbar, click Save rule , and Install the Policy .

  1. On the Windows client computer, in the system tray, right-click the lock icon of Endpoint Security client.

  2. Select Display Overview and open the Full Disk Encryption page.

  3. Make sure the Policy Details show the BitLocker Management Policy.