Create BitLocker Policy in Zecurit
Creating a BitLocker policy in Zecurit takes only a few minutes. You define your encryption settings inside a Configuration Profile, which is then assigned to device groups or individual endpoints. Once published, the Zecurit agent applies the policy automatically during the next device check-in.
This page walks you through every step of the policy creation process, from naming your profile to configuring recovery key rotation.
Step 1: Navigate to Create Profile
Log in to your Zecurit console and click Manage in the left-hand navigation bar. Under the Configurations section in the sidebar, click Create Profile. The Profile Creation screen will appear, showing all available policy modules for Windows, Mac, and Linux.
Make sure the Windows tab is selected, then click the BitLocker tile to begin creating a BitLocker-specific profile.
Step 2: Name Your Profile
On the New Profile screen, enter a clear and descriptive name in the Profile Name field. Use a naming convention that identifies the target department, device group, or security level, for example, “BitLocker Policy – Finance Dept” or “BitLocker Enforcement – High Security Devices.” Optionally, add a description to help other administrators understand the purpose of this profile.
Click Continue to proceed to the BitLocker configuration settings.
Step 3: Configure Drive Encryption
On the BitLocker Encryption Configuration page, the first setting is Drive Encryption. Toggle this switch to the On (green) position to enable BitLocker encryption for all devices that receive this profile. If Drive Encryption is turned off, the profile will not enforce encryption even if it is published and assigned.
Step 4: Set the Authentication Type
Under Authentication Type, configure how BitLocker will authenticate on devices with and without a TPM chip.
For machines with TPM, choose one of the following options:
- TPM only: BitLocker unlocks automatically using the TPM chip. No user input is required at startup. This is the least disruptive option and is recommended for most organizations.
- TPM + PIN: The user must enter a PIN at each startup in addition to the TPM check. This provides a second layer of authentication but requires user action.
- TPM + Enhanced PIN: Similar to TPM + PIN, but supports alphanumeric PINs for stronger authentication.
For machines without TPM, choose one of the following:
- Passphrase: Users must enter a passphrase to unlock the drive. Recommended for non-TPM devices where encryption is still required.
- No Encryption: BitLocker will not be applied to devices without TPM. Use this if your policy is to exclude non-TPM hardware from encryption requirements.
Step 5: Configure Password Settings
Under Password Settings, choose how strictly the encryption password requirement is enforced on end users.
Select Allow users to skip password request if you want to give users a grace period before the encryption passphrase is required. Enter the number of days in the Enforce password request after specified days field (for example, 3 days). This is useful during initial rollout to avoid disrupting users immediately.
Select Enforce immediately if you want the encryption passphrase to be required without any grace period. This is recommended for high-security environments or devices that handle sensitive data.
Step 6: Choose Encryption Options
Under Encryption Options, select what the BitLocker policy will encrypt on each device:
- Encrypt OS Drive only: Protects only the operating system drive. Use this if your concern is primarily protecting the system partition and boot data.
- Encrypt Used Space only: Encrypts only the disk space currently in use, rather than the entire drive. This is faster for initial encryption and recommended for new devices where most disk space is empty.
You may select both options if you want OS drive encryption with used-space-only coverage.
Encryption Method: Use the dropdown to select your preferred encryption algorithm. The default option applies Windows’ built-in default (XTS-AES 128 for fixed drives). For higher security requirements, select XTS-AES 256.
Step 7: Configure Recovery Key Management
Under Recovery Key Management, set how BitLocker recovery keys are stored and rotated.
Enable Update recovery key to domain controller to automatically back up each device’s BitLocker recovery key to your Active Directory domain controller. This ensures recovery keys are always available to your IT team without manual tracking.
Enable Allow periodic rotation of recovery key to automatically generate a new recovery key at regular intervals. Enter the number of days in the Specify rotation period field. Rotating keys regularly reduces the risk of stale or compromised recovery keys and is a best practice for security-conscious organizations.
Step 8: Save and Publish
Once all settings are configured, click Save within the BitLocker section to save your encryption configuration. When you are ready to make the profile active, click Publish at the bottom of the screen. If you are not ready to deploy the profile yet, click Save as Draft to return to it later.
After publishing, the profile will appear in your Profiles list and can be assigned to device groups or individual devices.
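After the agent has applied the profile, you can confirm on an endpoint that the resulting BitLocker state matches what was configured in Steps 3, 4, 6 and 7. The script below is an added example, not Zecurit code or part of this page's product; it uses only the built-in BitLocker and TPM cmdlets, must be run elevated, and the values in the $Policy table (XTS-AES 256, TPM or TPM + PIN, Passphrase for non-TPM machines) are assumptions standing in for whatever you chose in the profile.

```powershell
# Added example: audit an endpoint's BitLocker state against the profile settings chosen above.
# Not Zecurit code. The $Policy values are assumptions; edit them to match your published profile.
$Policy = @{
    EncryptionMethod = 'XtsAes256'          # Step 6 Encryption Method (the Windows default is XtsAes128)
    TpmProtectors    = @('Tpm', 'TpmPin')   # Step 4: acceptable authentication types on TPM machines
    NonTpmProtector  = 'Password'           # Step 4: the Passphrase option on machines without TPM
}

function Test-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm   = Get-Tpm
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $findings = @()

    # Step 3: Drive Encryption on means the OS volume must be protected, not merely encrypting.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "ProtectionStatus is $($vol.ProtectionStatus), expected On"
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
    }

    # Step 4: the required authentication type depends on whether a ready TPM is present.
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        if (-not ($types | Where-Object { $Policy.TpmProtectors -contains $_ })) {
            $findings += "No TPM-based protector found (present: $($types -join ', '))"
        }
    } elseif ($types -notcontains $Policy.NonTpmProtector) {
        $findings += "Non-TPM device has no $($Policy.NonTpmProtector) protector"
    }

    # Step 6: encryption algorithm selected in the profile.
    if ($vol.EncryptionMethod.ToString() -ne $Policy.EncryptionMethod) {
        $findings += "EncryptionMethod is $($vol.EncryptionMethod), expected $($Policy.EncryptionMethod)"
    }

    # Step 7: without a recovery password protector there is nothing to back up to AD or rotate.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No RecoveryPassword protector exists, so no recovery key can be escrowed'
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-BitLockerCompliance | Format-List
```

A device that reports Compliant = False with a finding on the RecoveryPassword protector cannot have its key backed up to the domain controller, so resolve that before relying on the Step 7 settings.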