Best Practices for Secure Data Encryption with BitLocker

Published Date: 28/8/24


Whilst BitLocker, the full-volume encryption feature built into Windows, greatly improves the security of data at rest, particularly on end-user devices, there are several pitfalls and considerations to be mindful of.

Addressing these pitfalls requires careful planning and deployment, as well as a good understanding of the components involved and having robust management practices to ensure that the benefits of BitLocker outweigh the potential downsides.

 

What is BitLocker and Why Should You Use It?

BitLocker is a Microsoft feature included with the Pro, Enterprise and Education editions of Windows (Home edition ships the more limited “device encryption” instead). It encrypts entire volumes on the computer’s storage drive so that the data on them cannot be read without one of the volume’s key protectors, which protects that data from unauthorised access in the case of lost or stolen devices.

This provides benefits such as:

  • Making it impractical for an attacker who obtains a lost or stolen device to read the data on its drive, whether by booting it, removing the disk or imaging it.
  • Protecting data at rest with strong, standard encryption (AES, in XTS mode by default, with 128-bit or 256-bit keys) rather than a bespoke scheme.
  • Costing nothing beyond the Windows licence: no additional hardware or software is needed, as the TPM it relies on ships in most modern devices.

BitLocker encrypts the whole volume, so a drive pulled from a lost or stolen device yields only ciphertext without one of its key protectors. That is also the boundary of what it does: once the device has booted and the volume is unlocked, Windows access control, not BitLocker, decides which signed-in users can read which files. Treat it as protection for data at rest and pair it with strong sign-in, device hardening and a managed recovery process.

Encryption at rest is a common requirement in data-protection regulations and customer contracts. A managed BitLocker estate, with recovery keys escrowed centrally and encryption status reportable per device, gives an organisation evidence that the requirement is met, reducing the risk of non-compliance and of a lost device having to be treated as a reportable breach.

 

Common BitLocker Pitfalls

Most issues with BitLocker stem from not having a comprehensive deployment plan or not following best practices for storing and managing encryption keys, which we cover in the deployment and best-practices section below. Conflicting policy or rollout settings can cause encryption to fail, for example a policy that requires a startup key or PIN on devices that cannot supply one, or a policy configured for silent encryption that also requires user interaction (a PIN or startup key cannot be set without the user present, so silent encryption only works with a TPM-only protector).

However, the biggest pitfalls with BitLocker mostly come from data recovery challenges, which is something we saw in the recent outage on the 19th of July. On affected devices protected by BitLocker, the recovery key had to be entered manually to unlock the drive from the recovery environment or safe mode before the defective update could be removed. This slowed recovery considerably and caused havoc in organisations that had not managed their keys effectively: if the recovery key is lost and no other protector is available, the data on the drive is gone for good.

Educating end users and administrators on BitLocker forms a vital part of upholding data security. Users should understand why their device is encrypted, what the recovery screen means, where their recovery key is held (on Entra ID joined devices they can look it up themselves from their account page if the organisation permits it) and that they should never suspend or remove the protection themselves. Administrators need to know how protectors, policies and key escrow interact so that a change to firmware, boot configuration or policy does not leave a fleet prompting for recovery keys.

It should also be noted that whilst BitLocker is very effective at protecting data on devices that are lost or stolen, it is not foolproof. Certain attacks remain possible, for example cold boot attacks, where the encryption key is retrieved from RAM shortly after power-off, and a TPM-only configuration boots unattended to the Windows sign-in screen, so the protection then rests on the sign-in and on the boot-integrity measurements alone. Adding a pre-boot PIN on higher-assurance devices, keeping firmware and Secure Boot configured correctly, and following the best practices below all reduce this exposure; improper configuration weakens it.

In addition to the above, for BitLocker to operate correctly, proper disk configuration is necessary. The requirements for this include:

  • The system drive must not be encrypted and must be different from the operating system drive.
  • For UEFI-based firmware, the system drive should be formatted with the FAT32 file system.
  • For BIOS firmware, the system drive should be formatted with the NTFS file system.

The system drive should be at least 350 MB in size, with around 250 MB of free space remaining after BitLocker is enabled. Additionally, ensure that the Windows Recovery Environment (WinRE) is enabled, as it is required for Intune silent encryption. Checking these prerequisites before rollout avoids the most common “BitLocker failed to enable” tickets.
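The prerequisite checks above can be scripted so that they run as part of device readiness reporting. The following is an added example and not code from the original article: it must run elevated on the target device, the 350 MB and 250 MB thresholds follow the text above, and the parsing of the reagentc output assumes an English-language system (the tool prints localised text elsewhere).

```powershell
# Added example: pre-deployment readiness check for the BitLocker prerequisites
# described above. Run elevated. Thresholds and the reagentc output format are
# assumptions for this example.

function Test-BitLockerReadiness {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Firmware type decides how the system partition must be formatted.
    $firmware   = $env:firmware_type            # 'UEFI' or 'Legacy'
    $expectedFs = if ($firmware -eq 'UEFI') { 'FAT32' } else { 'NTFS' }

    # 2. The system partition (boot files) must exist and be separate from the
    #    OS volume. Get-Partition exposes IsSystem / IsBoot flags for this.
    $sysPart = Get-Partition | Where-Object { $_.IsSystem -and -not $_.IsBoot } | Select-Object -First 1
    if (-not $sysPart) {
        $findings.Add('No separate system partition: BitLocker cannot protect the OS volume.')
    } else {
        $sysVol = Get-Volume -Partition $sysPart
        if ($sysVol.FileSystem -ne $expectedFs) {
            $findings.Add("System partition is $($sysVol.FileSystem); $firmware firmware expects $expectedFs.")
        }
        if ($sysPart.Size -lt 350MB) {
            $findings.Add("System partition is $([math]::Round($sysPart.Size / 1MB)) MB; at least 350 MB is recommended.")
        }
        if ($sysVol.SizeRemaining -lt 250MB) {
            $findings.Add("System partition has $([math]::Round($sysVol.SizeRemaining / 1MB)) MB free; 250 MB free is recommended.")
        }
    }

    # 3. TPM: present and ready, otherwise only password / USB protectors remain.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM: only a startup password or USB startup key is possible, with no boot integrity check.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready; initialise it before enabling BitLocker.')
    }

    # 4. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled.') }
    } catch {
        $findings.Add('Secure Boot is not supported on this firmware (legacy BIOS).')
    }

    # 5. WinRE must be enabled for Intune silent encryption.
    $reInfo = (& reagentc.exe /info) -join "`n"
    if ($reInfo -notmatch 'Windows RE status:\s+Enabled') {
        $findings.Add('Windows Recovery Environment is disabled; run "reagentc /enable".')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Firmware = $firmware
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-BitLockerReadiness | Format-List
```

A device that reports Ready = True here will normally accept either a TPM-based or a non-TPM protector without the encryption attempt failing; the findings list is what to feed into a pre-rollout hardware audit.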

 

Best-Practices for Deploying and Managing BitLocker

Deploying and managing BitLocker effectively requires a structured approach, particularly in larger or more complex environments. Leveraging tools like Entra ID and Intune can significantly streamline this process.

For organisations utilising a traditional Active Directory domain, Group Policy remains a valuable tool. However, for those adopting Microsoft 365 and the Modern Workplace, we recommend prioritising Entra ID and Intune for optimal management and integration.

 

Utilise Secure Boot and Trusted Platform Module (TPM)

Implementing Secure Boot and a Trusted Platform Module (TPM) is a critical step in enhancing BitLocker security. The TPM is a dedicated hardware component included with most modern devices and a requirement for Windows 11. BitLocker seals the key that unlocks the volume to the TPM, bound to measurements of the firmware and boot components, so the TPM releases it only when the boot chain is unchanged; Secure Boot in turn ensures that only signed boot components run. TPM-only authentication therefore gives users a seamless sign-in experience whilst still detecting attempts to tamper with the boot process in order to bypass BitLocker.

If devices do not have a TPM there are caveats to be aware of. BitLocker can still encrypt the Windows operating system volume, but it cannot perform pre-startup system integrity verification, and the user must supply something at every boot: either a startup password or a startup key held on a USB drive.

By default BitLocker refuses to enable on an OS volume without a compatible TPM. To allow it, administrators must configure the ‘Require additional authentication at startup’ policy (in Group Policy, the Local Group Policy Editor or the equivalent Intune setting) with ‘Allow BitLocker without a compatible TPM’ selected. Without that setting the encryption attempt fails because no compatible TPM is found, which is a common cause of failed rollouts on older or virtualised hardware.

 

Managing BitLocker Through Intune

If your organisation is using Intune, or considering it, we recommend using Intune’s BitLocker management functionality together with key storage in Entra ID, so that encryption settings, recovery keys and encryption status are all handled from one central location.

Intune allows administrators to configure BitLocker settings, trigger encryption (silently where the hardware allows it), escrow recovery keys to Entra ID and monitor encryption status across all managed Windows devices. Access to the escrowed keys is then governed by Entra ID roles and audited, so sensitive recovery information is only available to authorised staff.

The base settings for BitLocker deployment with Intune include the overarching BitLocker rules (encryption method, whether to require encryption, and what to do with fixed and removable drives), hiding the prompt about third-party encryption so that silent encryption can proceed, and enabling client-driven recovery password rotation for both Entra ID joined and hybrid joined devices. Once a policy is assigned, syncing a device from the Intune portal forces policy evaluation, which is the quickest way to confirm that the BitLocker policy is being applied correctly.

Configuring endpoint security profiles in Intune is essential for ensuring proper authentication methods and encryption key protection. Administrators should assign Intune settings for BitLocker to devices rather than users to ensure that the encryption policies apply to all devices managed by the organisation.

BitLocker uses various types of protectors to secure the encryption key, including:

  • TPM
  • Numerical PIN
  • Startup key
  • Recovery password

These protectors are combined rather than used in isolation. The TPM can be paired with a PIN, with a startup key on a removable USB device, or with both, so that a stolen device cannot simply be powered on to the sign-in screen; on devices without a TPM, a startup password or startup key stands in for it. Whatever the startup protector, a recovery password (the 48-digit key) should always exist as well and be escrowed, as it is the only way back in when the TPM measurements change or the user forgets the PIN.
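The following is an added example (not the article’s own code) that puts the two preceding points together: it enables BitLocker on the OS volume with the protector set that matches the hardware, a TPM plus PIN where a TPM is ready and a USB startup key otherwise, and in every case adds a recovery password and escrows it to Entra ID. The mount point C:, the USB drive letter E: and the PIN are placeholders; the registry values written in the non-TPM branch are the ones the ‘Allow BitLocker without a compatible TPM’ policy setting writes.

```powershell
# Added example: enable BitLocker on the OS volume with hardware-appropriate
# protectors, then add and escrow a recovery password. Run elevated on an
# Entra ID joined device. Mount point, USB path and PIN are placeholders.

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [securestring]$Pin,                  # used when a TPM is present
        [string]$StartupKeyPath = 'E:\'      # USB key location for non-TPM devices
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    }

    # Add the recovery password first, so the volume can always be recovered
    # even if the startup protector later fails its hardware test.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if ((Get-Tpm).TpmReady) {
        # TPM + PIN: the TPM releases the key only if the measured boot chain is
        # unchanged, and the PIN stops an unattended boot to the sign-in screen.
        # Without -SkipHardwareTest, Windows reboots once to confirm the PIN can
        # be entered before encryption starts; that check is worth keeping.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -TpmAndPinProtector -Pin $Pin
    } else {
        # No TPM: policy must allow BitLocker without a compatible TPM. These are
        # the registry values behind 'Require additional authentication at
        # startup' + 'Allow BitLocker without a compatible TPM'.
        $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
        New-Item -Path $fve -Force | Out-Null
        Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
        Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

        # Startup key on removable media; no pre-boot integrity check is possible.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -StartupKeyProtector -StartupKeyPath $StartupKeyPath
    }

    # Escrow the recovery password to Entra ID. The cmdlet queues the backup;
    # success is logged as event 845 in the BitLocker Management event log.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
            @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage: the PIN is read interactively rather than hard-coded.
$pin = Read-Host -Prompt 'Enter the pre-boot PIN' -AsSecureString
Enable-OsVolumeBitLocker -MountPoint 'C:' -Pin $pin
```

The order matters: the recovery password is added before the startup protector and escrowed before the device is considered done, so there is never a window in which the only way to unlock the volume is a PIN or a USB stick that nobody has backed up.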

 

Windows Local Administrator Password Solution (LAPS)

Each Windows machine includes a built-in local administrator account that cannot be deleted and holds full permissions on the device (on client editions it is disabled by default, but it is frequently re-enabled or joined by other local admin accounts during imaging). We recommend securing these accounts to harden your organisation’s security. Current Windows builds include Windows Local Administrator Password Solution (LAPS), a built-in tool for managing the passwords of local admin accounts.

You can use Microsoft Intune endpoint security policies to manage LAPS on devices enrolled in Intune.

These policies can:

  • Enforce password requirements for local admin accounts
  • Back up local admin account passwords to your Active Directory (AD) or Microsoft Entra ID
  • Schedule regular password rotations to maintain security

Furthermore, you can view details about managed local admin accounts in the Intune Admin centre and manually rotate their passwords outside the scheduled rotation.

Implementing Intune LAPS policies gives every device a unique, regularly rotated local admin password, which blunts attacks that reuse a shared local credential across machines, such as pass-the-hash and other forms of lateral movement. Managing LAPS with Intune also improves security for remote help desk scenarios, since the disclosed password can be rotated immediately after use, and provides a way into devices that would otherwise be inaccessible.
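The help desk flow described above, as an added example that is not part of the original article: a technician retrieves the LAPS password for a device from Entra ID, and once the session is over the password is rotated on the device rather than left valid until the scheduled rotation. It assumes the Microsoft.Graph and LAPS PowerShell modules are installed, that the caller holds a role permitted to read local credentials, and uses a placeholder device name.

```powershell
# Added example: retrieve a device's LAPS password from Entra ID for a help-desk
# session, then rotate it on the device afterwards. Device name is a placeholder.

function Get-EntraLapsPassword {
    param([Parameter(Mandatory)][string]$DeviceName)

    # DeviceLocalCredential.Read.All is needed to read the password itself;
    # DeviceLocalCredential.ReadBasic.All only returns metadata such as expiry.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceName' not found in Entra ID." }

    # Same data the Intune LAPS report shows: account, password and the
    # timestamps of the last and next rotation.
    Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText |
        Select-Object DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime
}

# Run elevated on the device once the help-desk session ends: rotates the
# managed local admin password immediately and writes the new one back to the
# directory, instead of waiting for the scheduled rotation.
function Invoke-PostUseLapsRotation {
    Reset-LapsPassword
}

Get-EntraLapsPassword -DeviceName 'LAPTOP-EXAMPLE-01'
```

In Intune the same post-use rotation is available as the “Rotate local admin password” device action, and the LAPS policy can be set to rotate automatically after the managed account authenticates; the cmdlet version is useful when the device is being worked on locally.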

 

Monitoring & Reporting

Keeping track of BitLocker’s security involves essential steps such as monitoring and reporting. Intune provides a built-in encryption report that details the encryption status of all managed devices. This report helps administrators track encryption progress and identify any potential issues promptly.

Intune and Configuration Manager both offer dashboards for monitoring BitLocker, and the device itself exposes the same information through the BitLocker PowerShell cmdlets and manage-bde, which is useful for spot checks and for building your own compliance checks. What to look for goes beyond “encrypted or not”: a volume that is fully encrypted but has protection suspended, an OS volume with no TPM-based protector, a weaker encryption method than policy requires, or a recovery password that was never escrowed are all states the summary report can hide. Regular monitoring ensures that these are caught and addressed promptly.
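A local hygiene audit of the kind just described, as an added example and not code from the original article. It runs on one device and complements the Intune encryption report by flagging the states listed above; the required encryption method is a parameter and its default, XtsAes256, is an assumption to adjust to your policy.

```powershell
# Added example: per-volume BitLocker hygiene audit. Run elevated on the device.
# The required encryption method is an assumption; adjust to policy.

function Get-BitLockerAudit {
    param([string]$RequiredMethod = 'XtsAes256')

    foreach ($v in Get-BitLockerVolume) {
        $types  = @($v.KeyProtector.KeyProtectorType)
        $issues = @()

        if ($v.VolumeStatus -ne 'FullyEncrypted') { $issues += "VolumeStatus=$($v.VolumeStatus)" }

        # Suspended protection: the volume is encrypted but the key sits in the
        # clear on disk, so anyone holding the drive can read it.
        if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off') {
            $issues += 'Protection suspended (clear key on disk)'
        }

        if ($v.VolumeStatus -ne 'FullyDecrypted' -and $v.EncryptionMethod -ne $RequiredMethod) {
            $issues += "Method=$($v.EncryptionMethod)"
        }

        if ($types -notcontains 'RecoveryPassword') { $issues += 'No recovery password protector' }

        if ($v.VolumeType -eq 'OperatingSystem') {
            if (($types -match '^Tpm').Count -eq 0) {
                $issues += 'OS volume has no TPM-based protector'
            } elseif ($types -contains 'Tpm' -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
                $issues += 'TPM-only: boots unattended to the sign-in screen'
            }
        }

        [pscustomobject]@{
            Volume     = $v.MountPoint
            Type       = $v.VolumeType
            Status     = $v.VolumeStatus
            Protection = $v.ProtectionStatus
            Method     = $v.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Run it as a Intune remediation or compliance script and the Compliant column becomes a per-device signal you can alert on; the “TPM-only” finding is informational for estates that deliberately use silent encryption, and a hard failure for devices that policy says must have a PIN.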

Intune administrators with sufficient administrative permissions can view information about a device’s local admin account and its current password. You can also see when that password was last rotated (reset) and when it’s next scheduled to rotate. Intune provides reports on password rotation including details about past manual and scheduled password rotation.

 

Back Up Recovery Keys to Entra ID

Efficient management of recovery keys is vital for upholding data security. Before enabling BitLocker, it is essential to plan for recovery options that meet organisational needs. BitLocker recovery options include:

  • Recovery passwords
  • Recovery keys
  • Key packages
  • Data Recovery Agent (DRA) certificates

Organisations should store BitLocker recovery keys in a secure, central and accessible location, such as Active Directory or Entra ID, so that a recovery can be completed quickly without anyone hunting through spreadsheets or printouts.

We recommend backing up BitLocker recovery keys to Entra ID. Intune can escrow the key automatically when it enables encryption, and the key for any device can then be found from the device object in the Entra and Intune portals; access to it is role-controlled and audited. For hybrid environments the key can be backed up to Active Directory Domain Services (AD DS) as well. Whichever directory you use, verify that the escrow actually happened: a device that fails to back up its key (for example because it was encrypted before it was joined, or the backup was never triggered) is fully encrypted and fully unrecoverable at the same time.

You can further enhance your BitLocker deployment with client-driven recovery password rotation (single-use recovery keys), which generates a new recovery password and escrows it to Entra ID after the existing one has been used to unlock the device. This minimises the risk of a disclosed 48-digit key being reused by whoever saw it.

We recommend enabling this rotation, and also rotating manually any key that has been read out of the portal and handed to a user or engineer. This is especially important if recovery keys were given out in bulk as part of system recoveries from July 19th: every key that was read aloud over the phone, pasted into a ticket or written on a sticky note during that incident should be treated as disclosed and rotated.
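Manual rotation of a recovery password that has been used or disclosed, as an added example and not code from the original article. It mirrors what client-driven rotation does automatically, with one deliberate safeguard: the old protector is removed only after the BitLocker Management event log confirms (event ID 845 for success, 846 for failure) that the replacement has reached Entra ID. The mount point and the timeout are assumptions.

```powershell
# Added example: rotate a volume's recovery password after use or disclosure.
# Run elevated on an Entra ID joined device. Mount point and timeout are
# placeholders; events 845/846 are BitLocker's escrow success/failure events.

function Invoke-RecoveryPasswordRotation {
    param([string]$MountPoint = 'C:', [int]$TimeoutSeconds = 120)

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $oldIds = @($before.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    # 1. Create the replacement first; the volume must never be left without a
    #    recovery protector.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($after.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId
    }).KeyProtectorId

    # 2. Escrow it. The cmdlet only queues the backup, so wait for the event
    #    that confirms the key reached Entra ID before touching the old one.
    $started = Get-Date
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId

    $escrowed = $false
    do {
        Start-Sleep -Seconds 5
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Id        = 845, 846
            StartTime = $started
        } -ErrorAction SilentlyContinue
        if ($events | Where-Object Id -eq 846) { throw 'Entra ID escrow failed (event 846); old protector kept.' }
        if ($events | Where-Object Id -eq 845) { $escrowed = $true }
    } until ($escrowed -or ((Get-Date) - $started).TotalSeconds -gt $TimeoutSeconds)

    if (-not $escrowed) { throw 'No escrow confirmation within the timeout; old protector kept.' }

    # 3. Only now retire the used protector, so the disclosed 48-digit password
    #    can no longer unlock the drive.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    [pscustomobject]@{ Volume = $MountPoint; RemovedProtectorIds = $oldIds; NewProtectorId = $newId }
}

Invoke-RecoveryPasswordRotation -MountPoint 'C:'
```

The failure modes are deliberately loud: if escrow is not confirmed the function throws and leaves the old protector in place, which is the safe direction to fail, since a key that is merely disclosed is a lesser problem than a device with no escrowed key at all.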

 

Key Takeaways

Deploying and managing BitLocker effectively requires a comprehensive understanding of best practices and careful planning. From creating a deployment plan, to choosing protectors, to monitoring encryption status and managing recovery keys, each step is crucial for ensuring robust data security.

The below takeaways discussed in this article should help with achieving a smooth and secure BitLocker deployment:

  • A comprehensive BitLocker deployment plan, including hardware and policy audits, is essential to identify needs, incorporate recovery options, and ensure a smooth implementation.
  • Leveraging Microsoft Intune or Group Policy allows for consistent management of BitLocker settings across multiple machines, enforcing encryption standards and securing external drives.
  • Utilise Secure Boot and a Trusted Platform Module (TPM) to significantly enhance BitLocker security by ensuring the integrity of the boot process and securely storing encryption keys; add a pre-boot PIN where the device warrants it.
  • Back up your BitLocker recovery keys to Entra ID and verify the escrow. This makes it easier to retrieve keys and ensures that recovery keys are stored in a secure, accessible location; rotate any key once it has been used.

Frequently Asked Questions

  • What is the first step in deploying BitLocker?

    The first step in deploying BitLocker is to create a comprehensive deployment plan, including an audit of current policies, procedures, and hardware environment. This will lay the foundation for a successful implementation.

  • How can Group Policy help in managing BitLocker?

    Group Policy can be utilised to ensure consistent management of BitLocker settings across multiple machines, enforce encryption for external drives, and control user access. This can help in effectively managing BitLocker within an organisation.

  • What are the benefits of using Secure Boot and TPM with BitLocker?

    Utilising Secure Boot and TPM with BitLocker provides integrity protection for the boot process and securely stores encryption keys, enhancing overall security. These features contribute to a more secure computing environment.

  • Why is it important to regularly monitor BitLocker encryption status?

    Regular monitoring of BitLocker encryption status is important to ensure that encryption is functioning correctly, identify potential issues promptly, and maintain overall data security.

  • How can recovery keys be managed effectively in BitLocker?

    To manage recovery keys effectively in BitLocker, enable client-driven (single-use) recovery password rotation, back up keys to Entra ID (formerly Azure AD) or AD DS and confirm the backup succeeded, and plan for recovery options aligned with organisational needs. This is crucial for maintaining a secure and well-managed encryption process.

  • What are the benefits of LAPS?

    Utilising Intune LAPS policies gives every device a unique, regularly rotated local admin password, which protects Windows devices against attacks that reuse a shared local credential, such as pass-the-hash and lateral movement. Managing LAPS through Intune also bolsters security for remote help desk operations and facilitates the recovery of otherwise inaccessible devices.

  • What are the licensing requirements for LAPS within Intune?

    Intune subscription: Microsoft Intune Plan 1, the basic Intune subscription, is sufficient. You can also use Windows LAPS with a free trial subscription for Intune.

    Microsoft Entra ID: Microsoft Entra ID Free, the free tier included with an Intune subscription, is sufficient. With Microsoft Entra ID Free you can access all the features of LAPS.

Written by:

Tom Johnson

Tom is Aspire’s Modern Work Product Lead and one of our leading Microsoft experts. He’s taken a leading role in helping numerous organisations revolutionise their IT systems by adopting a modern workplace....