BitLocker Policy Association & Deployment
Creating a BitLocker policy in Zecurit is only the first step. For the policy to take effect, it must be associated with one or more device groups or individual devices. This page explains how to assign a published BitLocker profile, how the Zecurit agent applies it, and how to verify that deployment has been successful.
Understanding Profiles and Device Groups
In Zecurit, a Configuration Profile is a container for one or more policy settings — including BitLocker, Firewall, Application Control, and others. A profile must be associated with a device group before its settings are enforced on any endpoint.
Device groups are collections of managed endpoints organized by department, location, function, or any other criteria relevant to your organization. When you associate a BitLocker profile with a device group, every device in that group will receive the encryption settings during its next check-in with the Zecurit cloud.
How to Associate a BitLocker Profile with a Device Group
To associate a published BitLocker profile with a device group, follow these steps:
1. Navigate to Manage in the left-hand navigation bar.
2. Under Configurations, click Profiles.
3. Locate your published BitLocker profile in the list and click on it to open the profile detail view.
4. Select the Association tab.
5. Click Add Device Group and choose the target group from the dropdown list.
6. Confirm the association. The profile is now linked to that device group.
Alternatively, you can associate a profile from within the Groups and Devices section by selecting a device group, opening its settings, and adding the relevant profile from the associated profiles list.
Applying Policies to Individual Devices
If you need to apply a BitLocker policy to a specific device rather than an entire group, navigate to Groups and Devices, locate the target device, open its detail view, and assign the profile directly from the device’s configuration panel. This is useful for testing a new policy on a single machine before rolling it out fleet-wide.
What Happens After Association
Once a BitLocker profile is associated with a device group, the policy is queued for deployment. The Zecurit agent installed on each device in that group retrieves the updated policy settings the next time it checks in with the Zecurit cloud service. Check-in intervals depend on your agent configuration but typically occur within a few minutes to a few hours.
When the agent receives the BitLocker policy, it begins the encryption process in the background. The user will see a notification depending on your password enforcement settings. If you selected “Allow users to skip password request,” the user will be prompted to set a passphrase but can defer it for the number of days specified in the policy. If you selected “Enforce immediately,” the passphrase prompt appears right away.
Encryption itself runs silently in the background and does not interrupt active user sessions. Depending on drive size and the encryption option selected (used space only vs. full drive), the process may take anywhere from a few minutes to several hours.
Verifying Successful Deployment
After deploying a BitLocker profile, you can verify that encryption has been applied by checking the encryption status in Zecurit Reports. Navigate to Reports, select BitLocker Encryption Status, and review the status column for each device in the target group. Devices that have successfully received and applied the policy will show an encryption state of “Encrypted.” Devices still in progress will show “Encryption in Progress.” Devices that have not yet checked in will show “Pending.”
Updating or Changing a Deployed Policy
To change encryption settings for a deployed profile, open the profile from the Profiles list, make your changes, and re-publish. The updated policy will be pushed to all associated devices at their next check-in. Note that reducing encryption requirements (for example, changing from XTS-AES 256 to XTS-AES 128) does not automatically re-encrypt existing drives — it applies to any new encryption operations initiated after the policy update.
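The Reports view above shows the fleet-wide picture; on a single endpoint you can confirm the same state locally, which is useful when testing a policy on one machine and when checking the drift described in this section (a drive encrypted under an earlier profile keeps its original method after a downgrade). The following PowerShell is an added example and is not Zecurit documentation or product code. It assumes the built-in Windows BitLocker module (Windows 8 / Server 2012 or later), an elevated session, and that the expected cipher passed in $ExpectedMethod is the one your published profile enforces.

```powershell
# Added example, not part of the Zecurit documentation or agent.
# Reports each local BitLocker volume in terms similar to the Zecurit Reports
# states and flags volumes whose cipher does not match the published profile.
# Assumptions: BitLocker module present, elevated session, $ExpectedMethod chosen by you.
param(
    [string]$ExpectedMethod = 'XtsAes256'   # assumed value; set to what your profile enforces
)

function Get-LocalBitLockerReport {
    param([string]$Expected)

    Get-BitLockerVolume | ForEach-Object {
        $vol = $_

        # Map the Windows VolumeStatus onto the states used in the Reports view.
        # "Pending" cannot be observed locally: it means the agent has not yet checked in.
        $state = switch ($vol.VolumeStatus) {
            'FullyEncrypted'       { 'Encrypted' }
            'EncryptionInProgress' { 'Encryption in Progress' }
            'DecryptionInProgress' { 'Decryption in Progress' }
            'FullyDecrypted'       { 'Not Encrypted' }
            default                { [string]$vol.VolumeStatus }
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            State               = $state
            PercentComplete     = $vol.EncryptionPercentage
            # ProtectionStatus 'Off' on a FullyEncrypted volume means protectors are
            # suspended: the data is encrypted but the key is exposed at boot.
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionMethod    = $vol.EncryptionMethod
            KeyProtectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
            # False after a cipher change in the profile until the drive is re-encrypted.
            MethodMatchesPolicy = ([string]$vol.EncryptionMethod -eq $Expected)
        }
    }
}

Get-LocalBitLockerReport -Expected $ExpectedMethod | Format-Table -AutoSize
```

Treat a row with State "Encrypted" but ProtectionStatus "Off", or with MethodMatchesPolicy "False", as not yet compliant even though the Reports view may already show the device as "Encrypted".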
Removing a BitLocker Policy from a Device Group
To stop enforcing a BitLocker policy on a device group, remove the profile association from the group’s configuration. Note that removing the association does not automatically decrypt existing devices — BitLocker encryption already applied to a drive remains in place. To decrypt a device, you must do so explicitly through the device management interface or through Windows settings directly on the device.