32.2 Removable Data Drives - BitLocker Encryption

You can use ZENworks to control Microsoft BitLocker encryption of removable data drives (RDD) on managed devices when the Microsoft Data Encryption Policy is applied to those devices. Removable Data Drives encryption can be enabled or disabled independently, so you can apply the policy to devices for one or both policy options: (1) Removable Data Drives encryption and (2) Fixed Disk Folder encryption.

The policy enables you to configure locking and unlocking of encrypted data drives using either a user password or auto-unlock feature when drives are used on managed devices. Depending on the configuration options you choose, you can also enable RDDs that are encrypted via this policy to support unlocking the drives on non-managed devices.

Removable data drives include, but are not limited to, USB thumb drives and externally attached hard drives.

Continue reading for information about each of the configurable options for encrypting removable data drives.

Encryption Algorithm

Both the AES-CBC and the XTS-AES algorithms use AES (Advanced Encryption Standard) with 256-bit encryption. Compatible mode encryption (AES-CBC) provides the greatest compatibility and works on Windows 7 and newer operating systems. New encryption mode (XTS-AES) is a newer encryption algorithm that works only on Windows 10 version 1511 and newer operating systems.

If you use the policy on devices running a mix of Windows 10 v1511 (or newer) and earlier operating systems, you can choose the XTS-AES if supported option; the policy then automatically applies XTS-AES encryption to Windows 10 v1511 and newer devices and AES-CBC encryption to earlier OS versions.
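The selection rule above can be written down as a small decision function. The following is an added example, not ZENworks code: it models the three algorithm options described on this page and decides which method a device would receive from its Windows version string. The option names, the function names and the mapping of Windows 10 version 1511 to build 10586 are assumptions of this example (the build number is well known but is not stated on the page).

```python
from typing import Optional, Tuple

# Policy options as described on the page (names are assumptions of this example).
AES_CBC = "AES-CBC"                      # "Compatible mode": Windows 7 and newer
XTS_AES = "XTS-AES"                      # "New encryption mode": Windows 10 v1511 and newer
XTS_IF_SUPPORTED = "XTS-AES if supported"  # XTS-AES where possible, AES-CBC otherwise

# Windows 10 version 1511 is build 10586 (assumption: not stated on the page).
FIRST_XTS_BUILD = (10, 0, 10586)


def parse_windows_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' (for example '10.0.10586') into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.build, got {version!r}")
    major, minor, build = (int(p) for p in parts[:3])
    return (major, minor, build)


def supports_xts(version: str) -> bool:
    """True when the OS is Windows 10 v1511 or newer and can use XTS-AES."""
    return parse_windows_version(version) >= FIRST_XTS_BUILD


def select_encryption_method(policy_option: str, version: str) -> Optional[str]:
    """Return the algorithm the policy would apply, or None if the OS cannot honour it.

    Returning None for a forced XTS-AES option on an older OS is an assumption of this
    example; the page only states that XTS-AES works on Windows 10 v1511 and newer.
    """
    if policy_option == AES_CBC:
        return AES_CBC
    if policy_option == XTS_AES:
        return XTS_AES if supports_xts(version) else None
    if policy_option == XTS_IF_SUPPORTED:
        return XTS_AES if supports_xts(version) else AES_CBC
    raise ValueError(f"unknown policy option {policy_option!r}")


if __name__ == "__main__":
    # Constructed sample inventory: Windows 7 SP1, Windows 10 v1507, Windows 10 v1511.
    for os_version in ("6.1.7601", "10.0.10240", "10.0.10586"):
        print(os_version, "->", select_encryption_method(XTS_IF_SUPPORTED, os_version))
```

Run against an inventory of device OS versions, the function shows which devices would end up with AES-CBC under the "if supported" option, which is useful before enabling the policy zone-wide.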

Initial Encryption

You can set the encryption for used drive space only or the entire drive. The former is the fastest means of encryption, but the latter provides the greatest security, because it ensures that any deleted files are not recoverable.

Unlock Method

The options for unlocking removable data drives cover both managed and non-managed devices. You can require the user to provide an unlock password, which allows the drive to be unlocked on any device. Alternatively, you can use the zone encryption key for the drive with no user unlock password, so that the drive can be unlocked only on managed devices in your zone.

  • Always prompt for the unlock password: This option requires a password every time the user inserts the drive into a device, whether the device is a managed or non-managed device. It enables the user to unlock the drive on any Windows device.

  • Prompt for the unlock password on first use: This option uses the BitLocker Auto-Unlock feature. The first time the user inserts a drive into the device the unlock password is required. Subsequent uses on the same device do not require the password. This option also enables the user to unlock the drive on any Windows device.

  • No unlock password: This option uses the zone encryption key to unlock the drive on managed devices only. Select this option to automatically unlock BitLocker encrypted drives in the management zone. The drive is automatically unlocked without a user password when inserting the drive into a managed device, but it cannot be unlocked on non-managed devices.

  • Require a strong unlock password: Select this option to force users to define an unlock password that meets the following requirements when using a password option:

    • Eight or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • at least one special character ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

      For example: y9G@wb?
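The strong unlock password requirements listed above can be checked mechanically. The following validator is an added example, not part of the ZENworks product or this documentation: it applies exactly the rules stated on this page (eight or more characters, and at least one uppercase letter, one lowercase letter, one digit and one special character from the listed set) and reports every rule a candidate password fails, so the report can be shown to a user instead of a bare reject. The function name is an assumption of this example. Note that the page's own sample, y9G@wb?, is seven characters long and fails the length rule.

```python
from typing import List

# The special characters listed on the page:
# ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "
SPECIAL_CHARS = frozenset('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')

MIN_LENGTH = 8


def check_strong_unlock_password(password: str) -> List[str]:
    """Return the list of requirements the password fails; an empty list means it passes.

    Only the four character classes named on the page count toward the requirements.
    Other characters (spaces, accented letters) count toward length but toward no class;
    whether the product accepts them at all is not stated on the page.
    """
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append("fewer than eight characters")
    # Explicit ASCII ranges rather than str.isupper()/isdigit(), which also accept
    # non-ASCII letters and digits the page does not list.
    if not any("A" <= c <= "Z" for c in password):
        failures.append("no uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        failures.append("no lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        failures.append("no number 0-9")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from the allowed set")
    return failures


def is_strong_unlock_password(password: str) -> bool:
    """Convenience wrapper: True when every requirement is met."""
    return not check_strong_unlock_password(password)


if __name__ == "__main__":
    # Constructed samples, including the page's own example.
    for candidate in ("y9G@wb?", "y9G@wb?x", "password", "Aa1aaaaa", 'Q"7pxl-kz'):
        report = check_strong_unlock_password(candidate)
        print(f"{candidate!r}: {'OK' if not report else '; '.join(report)}")
```

The validator deliberately returns all failed rules rather than stopping at the first one, which matches how the requirement is presented to users: a single list they can satisfy in one attempt.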

Encrypted Drives

If you have a drive that is already BitLocker encrypted, you can enable the drive to retain its current BitLocker settings to be used on managed devices, or you can apply the policy settings to the encrypted drive.

If the drive was BitLocker encrypted via ZENworks, you can also enable the policy to override the existing encryption settings if they are different from this policy’s settings.

NOTE: Changing an encrypted drive's BitLocker settings might require the drive to be decrypted and then re-encrypted. This will be done automatically if required.