Best practice: Policy settings and user experience

The security officer configures encryption policies for the drives to be encrypted as well as an authentication policy. The TPM should be used whenever possible, but even without a TPM the boot volume should be encrypted. User interaction should be kept to a minimum.

According to these requirements, the security officer chooses the following authentication settings (these are also the default settings):

The security officer creates a device protection policy with the target Internal Storage and sets the encryption mode to Volume based. Afterwards both policies are applied to the endpoints to be encrypted.

For SafeGuard Enterprise BitLocker users the following scenarios exist:

Case 1: A user logs on to an endpoint with a TPM.

  1. The user is asked to enter a PIN for the boot volume (for example drive C:).
  2. The user enters the PIN and clicks Restart and Encrypt.
  3. The system tests the hardware and checks whether the user can enter the PIN correctly. It reboots and asks the user to enter the PIN.
    • If the user enters the PIN correctly, the endpoint starts.
    • If the user does not enter the PIN correctly (for example because of a wrong keyboard layout), the user can press the Esc key in the BitLocker pre-boot environment to cancel the test, and the endpoint starts.
    • If there is any problem with the hardware (for example if the TPM is not working), the test aborts and the endpoint starts.
  4. The user logs on again.
  5. If the hardware test was passed successfully (the user could enter the PIN correctly and there was no problem with the TPM), the encryption of the boot volume starts. Otherwise (if the test failed), an error is shown and the volume is not encrypted. If the test failed because the user pressed Esc in the pre-boot environment, the user is asked to enter a PIN again and to restart (as in step 2; steps 3, 4 and 5 are then repeated).
  6. The encryption of the boot volume starts.
  7. The encryption of the data volumes starts as well, without requiring any user interaction.

Case 2: A user logs on to a Windows 8 endpoint without a TPM.

  1. The user is asked to enter a password for the boot volume.
  2. The user enters the password and clicks Restart and Encrypt.
  3. The system reboots, tests the hardware and the user logs on again as in the case above (exactly as in steps 3 to 6 of case 1, but the references to the TPM are not relevant, and a password is required rather than a PIN).
  4. The encryption of the boot volume starts.
  5. The encryption of the data volumes starts as well, without requiring any user interaction.

Case 3: A user logs on to a Windows 7 endpoint without a TPM.

  1. The user is asked to save the encryption key for the boot volume to a USB memory stick.
  2. The user attaches a USB memory stick and presses Save and Restart.
  3. The system reboots, performs the hardware test and the user logs on again. (Same procedure as in the previous cases, but the user has to provide the USB memory stick at boot time. An additional hardware error could be that the USB memory stick cannot be read from the BitLocker pre-boot environment.)
  4. The encryption of the boot volume starts.
  5. The encryption of the data volumes starts as well, without requiring any user interaction.

Case 4: The security officer changes the policy setting BitLocker Fallback Logon Mode for Boot Volumes to Password. A user logs on to a Windows 7 endpoint without a TPM.

  1. Since the endpoint has no TPM and Windows 7 does not allow passwords for boot volumes, the boot volume will not be encrypted.
  2. For each non-boot volume, the user is asked to store the external key on a USB memory stick. Encryption of the respective volume starts when the user clicks Save.
  3. When the user reboots the endpoint, the USB key has to be plugged in to be able to unlock the non-boot volumes.
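The end state that cases 1 to 4 are meant to produce can be verified on the endpoint itself. The following PowerShell script is an added example written for this page; it is not part of SafeGuard Enterprise or its documentation, and the function names `Test-TpmUsable` and `Get-BitLockerPolicyCheck` are the script's own. It assumes the built-in `BitLocker` and `TrustedPlatformModule` modules (Windows 8 / Server 2012 or later) and an elevated prompt. It expects a TPM+PIN protector on the boot volume of a TPM endpoint (case 1) and a password protector on a Windows 8 endpoint without TPM (case 2), and it checks that encryption has started or finished on every volume (the final steps of each case). Windows 7 endpoints (cases 3 and 4) have no BitLocker module; there, `manage-bde -status` shows the same information, and the USB startup key appears as an "External Key" protector.

```powershell
# Added example, not part of the SafeGuard Enterprise documentation.
# Verifies that the BitLocker state of an endpoint matches the scenario the
# encryption and authentication policies should have produced.
# Requires the BitLocker and TrustedPlatformModule modules (Windows 8 or later)
# and an elevated PowerShell prompt.

function Test-TpmUsable {
    # Get-Tpm throws when no TPM (or no TPM driver) is present; treat that as "no TPM".
    try {
        $tpm = Get-Tpm
        return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        return $false
    }
}

function Get-BitLockerPolicyCheck {
    $tpmUsable = Test-TpmUsable
    # Protector type the authentication policy is expected to have created on the
    # boot volume: PIN with TPM (case 1), password without TPM (case 2).
    $expectedBoot = if ($tpmUsable) { 'TpmPin' } else { 'Password' }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $problems = @()

        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($types -notcontains $expectedBoot) {
                $problems += "boot volume lacks a $expectedBoot protector"
            }
            # A TPM-only protector would let the endpoint boot without the PIN
            # the authentication policy requires.
            if ($types -contains 'Tpm') {
                $problems += 'boot volume has a TPM-only protector (no PIN)'
            }
        }

        # Final steps of each case: encryption must have started (or finished)
        # on the boot volume and on every data volume.
        if ($vol.VolumeStatus -notin @('EncryptionInProgress', 'FullyEncrypted')) {
            $problems += "volume status is $($vol.VolumeStatus)"
        }
        # Once fully encrypted, protection must actually be on (not suspended).
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -ne 'On') {
            $problems += 'volume is encrypted but protection is off'
        }

        $result = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Percent    = $vol.EncryptionPercentage
            Protectors = ($types -join ', ')
            Result     = $result
        }
    }
}

Get-BitLockerPolicyCheck | Format-Table -AutoSize
```

Run it after the endpoint has rebooted and the user has logged on again (step 4 of case 1): a boot volume whose `Result` column is not `OK` is one where the hardware test failed or the policy did not apply as intended, and the listed protector types show which authentication mode BitLocker actually ended up with.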