{"id":3060,"date":"2026-02-19T12:24:12","date_gmt":"2026-02-19T12:24:12","guid":{"rendered":"https:\/\/zecurit.com\/help\/endpoint-management\/bitlocker-management\/create-bitlocker-policy\/"},"modified":"2026-02-20T06:58:19","modified_gmt":"2026-02-20T06:58:19","slug":"create-bitlocker-policy","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/endpoint-management\/bitlocker-management\/create-bitlocker-policy\/","title":{"rendered":"Create BitLocker Policy"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Create BitLocker Policy in Zecurit<\/strong><\/h2>\n\n\n\n<p>Creating a BitLocker policy in Zecurit takes only a few minutes. You define your encryption settings inside a Configuration Profile, which is then assigned to device groups or individual endpoints. Once published, the Zecurit agent applies the policy automatically during the next device check-in.<\/p>\n\n\n\n<p>This page walks you through every step of the policy creation process, from naming your profile to configuring recovery key rotation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 1: Navigate to Create Profile<\/strong><\/h2>\n\n\n\n<p>Log in to your Zecurit console and click <strong>Manage<\/strong> in the left-hand navigation bar. Under the <strong>Configurations<\/strong> section in the sidebar, click <strong>Create Profile<\/strong>. The Profile Creation screen will appear, showing all available policy modules for Windows, Mac, and Linux.<\/p>\n\n\n\n<p>Make sure the <strong>Windows<\/strong> tab is selected, then click the <strong>BitLocker<\/strong> tile to begin creating a BitLocker-specific profile.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 2: Name Your Profile<\/strong><\/h2>\n\n\n\n<p>On the New Profile screen, enter a clear and descriptive name in the <strong>Profile Name<\/strong> field. 
Use a naming convention that identifies the target department, device group, or security level, for example, &#8220;BitLocker Policy \u2013 Finance Dept&#8221; or &#8220;BitLocker Enforcement \u2013 High Security Devices.&#8221; Optionally, add a description to help other administrators understand the purpose of this profile.<\/p>\n\n\n\n<p>Click <strong>Continue<\/strong> to proceed to the BitLocker configuration settings.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 3: Configure Drive Encryption<\/strong><\/h2>\n\n\n\n<p>On the BitLocker Encryption Configuration page, the first setting is <strong>Drive Encryption<\/strong>. Toggle this switch to the <strong>On<\/strong> (green) position to enable BitLocker encryption for all devices that receive this profile. If Drive Encryption is turned off, the profile will not enforce encryption even if it is published and assigned.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 4: Set the Authentication Type<\/strong><\/h2>\n\n\n\n<p>Under <strong>Authentication Type<\/strong>, configure how BitLocker will authenticate on devices with and without a TPM chip.<\/p>\n\n\n\n<p>For <strong>machines with TPM<\/strong>, choose one of the following options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TPM only<\/strong>: BitLocker unlocks automatically using the TPM chip. No user input is required at startup. This is the least disruptive option and is recommended for most organizations.<\/li>\n\n\n\n<li><strong>TPM + PIN<\/strong>: The user must enter a PIN at each startup in addition to the TPM check. 
This provides a second layer of authentication but requires user action.<\/li>\n\n\n\n<li><strong>TPM + Enhanced PIN<\/strong>: Similar to TPM + PIN, but supports alphanumeric PINs for stronger authentication.<\/li>\n<\/ul>\n\n\n\n<p>For <strong>machines without TPM<\/strong>, choose one of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Passphrase<\/strong>: Users must enter a passphrase to unlock the drive. Recommended for non-TPM devices where encryption is still required.<\/li>\n\n\n\n<li><strong>No Encryption<\/strong>: BitLocker will not be applied to devices without TPM. Use this if your policy is to exclude non-TPM hardware from encryption requirements.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 5: Configure Password Settings<\/strong><\/h2>\n\n\n\n<p>Under <strong>Password Settings<\/strong>, choose how strictly the encryption password requirement is enforced on end users.<\/p>\n\n\n\n<p>Select <strong>Allow users to skip password request<\/strong> if you want to give users a grace period before the encryption passphrase is required. Enter the number of days in the <strong>Enforce password request after specified days<\/strong> field (for example, 3 days). This is useful during initial rollout to avoid disrupting users immediately.<\/p>\n\n\n\n<p>Select <strong>Enforce immediately<\/strong> if you want the encryption passphrase to be required without any grace period. This is recommended for high-security environments or devices that handle sensitive data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 6: Choose Encryption Options<\/strong><\/h2>\n\n\n\n<p>Under <strong>Encryption Options<\/strong>, select what the BitLocker policy will encrypt on each device:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Encrypt OS Drive only<\/strong>: Protects only the operating system drive. 
Use this if your concern is primarily protecting the system partition and boot data.<\/li>\n\n\n\n<li><strong>Encrypt Used Space only<\/strong>: Encrypts only the disk space currently in use, rather than the entire drive. This is faster for initial encryption and recommended for new devices where most disk space is empty.<\/li>\n<\/ul>\n\n\n\n<p>You may select both options if you want OS drive encryption with used-space-only coverage.<\/p>\n\n\n\n<p><strong>Encryption Method<\/strong>: Use the dropdown to select your preferred encryption algorithm. The default option applies Windows&#8217; built-in default (XTS-AES 128 for fixed drives). For higher security requirements, select XTS-AES 256.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 7: Configure Recovery Key Management<\/strong><\/h2>\n\n\n\n<p>Under <strong>Recovery Key Management<\/strong>, set how BitLocker recovery keys are stored and rotated.<\/p>\n\n\n\n<p>Enable <strong>Update recovery key to domain controller<\/strong> to automatically back up each device&#8217;s BitLocker recovery key to your Active Directory domain controller. This ensures recovery keys are always available to your IT team without manual tracking.<\/p>\n\n\n\n<p>Enable <strong>Allow periodic rotation of recovery key<\/strong> to automatically generate a new recovery key at regular intervals. Enter the number of days in the <strong>Specify rotation period<\/strong> field. Rotating keys regularly reduces the risk of stale or compromised recovery keys and is a best practice for security-conscious organizations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 8: Save and Publish<\/strong><\/h2>\n\n\n\n<p>Once all settings are configured, click <strong>Save<\/strong> within the BitLocker section to save your encryption configuration. When you are ready to make the profile active, click <strong>Publish<\/strong> at the bottom of the screen. 
If you are not ready to deploy the profile yet, click <strong>Save as Draft<\/strong> to return to it later.<\/p>\n\n\n\n<p>After publishing, the profile will appear in your <strong>Profiles<\/strong> list and can be assigned to device groups or individual devices.<\/p>\n","protected":false},"featured_media":0,"parent":3017,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-3060","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3060","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=3060"}],"version-history":[{"count":2,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3060\/revisions"}],"predecessor-version":[{"id":3065,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3060\/revisions\/3065"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3017"}],"next":[{"title":"Policy Association & Deployment","link":"https:\/\/zecurit.com\/help\/endpoint-management\/bitlocker-management\/policy-association-deployment\/","href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3066"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=3060"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=3060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}