Getting Started with Symantec Endpoint Encryption for BitLocker

Version 11.3.0 Getting Started with Symantec Endpoint Encryption for BitLocker

Legal Notice Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. 
"Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com

Document version: 11.3.0
Document release date: June 2019

Contents

Getting Started ...... 5
About updates to Getting Started with Symantec Endpoint Encryption for BitLocker Guide ...... 5
Using this guide ...... 5
About Symantec Endpoint Encryption for BitLocker ...... 6
About authentication ...... 6
Configuring a PIN for Symantec Endpoint Encryption for BitLocker ...... 7
Configuring a password for Symantec Endpoint Encryption for BitLocker ...... 8
About encrypting or decrypting your computer volumes ...... 9
How TPM affects encryption and authentication ...... 10
About decryption on a pre-encrypted BitLocker system ...... 10
About authenticating to a pre-encrypted BitLocker system ...... 11
Viewing the encryption status of the BitLocker client volumes ...... 14
Ensuring regular communication with the server for the encrypted BitLocker clients ...... 15
About loss of access to a volume encrypted for BitLocker client ...... 18
Accessing your system using a BitLocker Recovery Key ...... 17

Getting Started

About updates to Getting Started with Symantec Endpoint Encryption for BitLocker Guide

This guide is updated as new information becomes available. The following table provides the history of updates to this version of this guide:

Table 1 Change history for this guide

Date | Description
27 January, 2020 | Beginning with the Symantec Endpoint Encryption 11.3.0 MP1 release, updated this guide to remove references for Windows 7 support.

Using this guide

This guide is for anyone who uses the Symantec Endpoint Encryption for BitLocker software to protect their data. The guide provides information on configuring a PIN or password for authentication. It covers the following two deployment scenarios of Symantec Endpoint Encryption for BitLocker:

■ Systems that are encrypted after Symantec Endpoint Encryption for BitLocker is installed. See “About Symantec Endpoint Encryption for BitLocker” on page 6.

■ Systems that are pre-encrypted with Microsoft BitLocker, after which Symantec Endpoint Encryption for BitLocker is installed. See “About decryption on a pre-encrypted BitLocker system” on page 10.

Getting Started 6 About Symantec Endpoint Encryption for BitLocker

About Symantec Endpoint Encryption for BitLocker

BitLocker is the Microsoft native encryption solution to encrypt a client computer. Symantec Endpoint Encryption for BitLocker enables your administrator to manage the volumes that are encrypted with Microsoft BitLocker. Symantec Endpoint Encryption for BitLocker also allows you to regain access to encrypted volumes using Help Desk Recovery. With Symantec Endpoint Encryption for BitLocker:

■ You can encrypt or decrypt the boot volume as well as the data volumes on your client computers.

■ Your computer reports status information to the Symantec Endpoint Encryption Management Server.

■ Your computer generates a BitLocker Recovery Key and sends this key to the server. You can retrieve and use this key to access your data in case you forget your PIN or password and get locked out.

Symantec Endpoint Encryption for BitLocker provides prompts, so that you know when to configure a PIN or a password. Your PIN or password serves as your logon credential. Encryption starts on the computer only after you configure the PIN or password. Symantec Endpoint Encryption for BitLocker enables your administrator to manage the BitLocker client computers by:

■ Creating and deploying the BitLocker management software.

■ Providing the encryption and the authentication policy options.

■ Locking the client computer when a predefined time has passed and the client has not checked in with Symantec Endpoint Encryption Management Server through the client monitor feature.

■ Generating the reports that identify which computers are running BitLocker and the encryption status of the computer volumes.

■ Providing a help desk capability, if you should need to use your BitLocker Recovery Key to gain computer access.

About authentication

If your computer is not yet encrypted by BitLocker, your administrator applies a policy to your computer to begin encryption. Before encryption starts, you are required to configure authentication credentials. You use these credentials to authenticate to the BitLocker preboot authentication screen that appears once your system is encrypted. Your administrator can choose one of the following authentication methods:

■ TPM If the method is a Trusted Platform Module (TPM), a chip that is embedded in your computer helps prevent unauthorized access to your system and ensures a safe computing environment. The TPM provides the authentication; no user intervention or credentials are required.

■ TPM and PIN If the method is a PIN, you may be prompted to configure a PIN to begin encryption. Thereafter, you use the PIN to authenticate to the BitLocker preboot screen every time you start your computer.

■ A password If the method is to use a password when TPM is unavailable, you may be prompted to configure a password to begin encryption. Thereafter, you use the password to authenticate to the BitLocker preboot screen every time you start your computer.

If your computer is already encrypted by BitLocker, you may already have a password or PIN that you use for authentication. You do not need to know which policy your administrator has applied to your computer. The prompts lead you through the process to configure credentials for whichever method has been chosen for you. See “Configuring a PIN for Symantec Endpoint Encryption for BitLocker” on page 7. See “Configuring a password for Symantec Endpoint Encryption for BitLocker” on page 8.

Configuring a PIN for Symantec Endpoint Encryption for BitLocker

If your administrator configured your preboot authentication method to be a PIN, you see a PIN configuration dialog box after Symantec Endpoint Encryption for BitLocker is installed and the BitLocker Recovery Key is sent to the server. The PIN length must be 6 - 20 digits. For improved protection, Symantec recommends that you configure your BitLocker PIN the first time the dialog box appears. If you skip the configuration process, Symantec Endpoint Encryption notifies you to configure your PIN every hour or every time you log on, until you configure the PIN.

Note: You must configure the PIN before encryption can start.

Once the PIN is configured, whenever you turn on the system after restart or shutdown, you are prompted to enter the PIN on the BitLocker preboot authentication screen. If you forget your PIN and use the BitLocker Recovery Key for authentication, when the client-server communication is established, you are prompted to reconfigure the PIN.

To configure a PIN for Symantec Endpoint Encryption for BitLocker

1 Log on to your system.

2 When the BitLocker PIN configuration dialog box appears, continue with the following steps to configure your PIN. If you are skipping configuration, click Remind me later and continue logging on to the computer.

3 To begin PIN configuration:

■ If you want to see the digits as you type, check the Show PIN box.

■ In the PIN box, type a PIN.

■ In the Confirm PIN box, type the PIN again.

Note: Enter only digits for configuring the PIN.

4 To configure the PIN, click Save.

5 In the confirmation dialog box, click Done.

Configuring a password for Symantec Endpoint Encryption for BitLocker

If your administrator configured your preboot authentication method to use a password if TPM is unavailable, you see a password configuration dialog box after Symantec Endpoint Encryption for BitLocker is installed and the BitLocker Recovery Key is sent to the server. The length of the BitLocker password must be from 8 - 99 characters. The BitLocker password supports the following character set:

■ Uppercase: A-Z

■ Lowercase: a-z

■ Digits: 0-9

■ All punctuation symbols on a standard US language keyboard

For improved protection, Symantec recommends that you configure your BitLocker password the first time the dialog box appears. If you skip the configuration process, Symantec Endpoint Encryption notifies you to configure your password every hour or every time you log on, until you configure the password.

Note: You must configure the password before encryption can start.

Once the password is configured, whenever you turn on the system after restart or shutdown, you are prompted to enter the password on the BitLocker preboot authentication screen. If you forget your password and use the BitLocker Recovery Key for authentication, when the client-server communication is established, you are prompted to reconfigure the password.

To configure a password for Symantec Endpoint Encryption for BitLocker

1 Log on to your system.

2 When the BitLocker password configuration dialog box appears, continue with the following steps to configure your password. If you are skipping configuration, click Remind me later and continue logging on to the computer.

3 To begin password configuration:

■ If you want to see the characters as you type, check the Show password box.

■ In the Password box, type a password.

■ In the Confirm password box, type the password again.

4 To configure the password, click Save.

5 In the confirmation dialog box, click Done.

About encrypting or decrypting your computer volumes

Symantec Endpoint Encryption for BitLocker manages the encryption and decryption of your computer volumes through policy. You can continue to work normally, even if your computer is being encrypted or decrypted. You may be unaware that the process is taking place. You might be prompted to reconfigure your PIN or password, if your authentication method changes as part of the encryption or the decryption policy.

About encrypting your computer volumes

If your administrator configured an encryption policy, then encryption starts on your computer as soon as the policy updates are enforced. Symantec Endpoint Encryption for BitLocker starts encrypting your computer if the volumes are not completely encrypted. Symantec Endpoint Encryption for BitLocker encrypts all of your data volumes and the boot volume. If you authenticate at the BitLocker preboot authentication screen, then you do not have to authenticate again to access your data. Symantec Endpoint Encryption for BitLocker unlocks your data volumes.

About decrypting your computer volumes

If your administrator configured a decryption policy, then decryption starts on your computer as soon as the policy updates are enforced. Symantec Endpoint Encryption for BitLocker decrypts your computer if the volumes are not completely decrypted.

Symantec Endpoint Encryption for BitLocker first decrypts all of the data volumes and then decrypts the boot volume.

Note: As an administrator, if you manage BitLocker from the command line, Symantec recommends that you do not attempt to use the Microsoft Manage-bde command-line tool to encrypt or decrypt volumes, or to change the authentication policies on the system. Symantec Endpoint Encryption for BitLocker overrides the encryption or the decryption commands and re-enforces the Symantec Endpoint Encryption for BitLocker policies through policy updates.

How TPM affects encryption and authentication

When computers have the BitLocker feature enabled, a common way to protect your computer is for an IT person to leverage a TPM that may already be present on the system. This chip can provide the authentication that lets you gain access to your encrypted computer; you are not required to intervene or to provide credentials. A TPM can also be used with a PIN. You are prompted to configure the PIN, and then enter it each time you restart your computer. If you are not sure whether your computer has a TPM installed, ask your IT administrator. Your TPM chip is not used if it is not active. Make sure that you ask your IT administrator to activate the TPM and put it into a ready-to-use state. This allows Symantec Endpoint Encryption for BitLocker to encrypt your system and set the authentication method that you use to log on. If TPM is not available on your system, then:

■ If your system has Windows 8 or later installed, you authenticate with a password if your administrator has enabled the fall back to password policy.

Your method of authentication is based on whether TPM is present and is in a ready-to-use state. Your administrator can enable TPM on your encrypted computer either at the same time that Symantec Endpoint Encryption for BitLocker is installed or afterwards. The difference you see in your authentication method is:

■ Your system is encrypted by Symantec Endpoint Encryption for BitLocker, but TPM is not active. You authenticate with a password. Once TPM is activated, your existing password is deleted and the TPM-based authentication method is enforced.

■ Your system is pre-encrypted and then Symantec Endpoint Encryption for BitLocker is installed, but TPM is not active. You authenticate with a password or a USB startup key. Once TPM is activated, your existing password is deleted but you continue to authenticate with your USB startup key.

About decryption on a pre-encrypted BitLocker system

Your system may already be encrypted by Microsoft BitLocker. When a decryption policy is enforced through Symantec Endpoint Encryption for BitLocker, your computer volumes that are in the following states are decrypted:

■ Encrypted

■ Encrypting

■ Encryption paused

■ Decryption paused

The decryption of volumes that were pre-encrypted by Microsoft BitLocker behaves the same as the decryption of volumes that were encrypted through enforcement of an encryption policy by Symantec Endpoint Encryption for BitLocker. If the data volumes are unlocked, then the decryption starts on these volumes.

Note: If your data volumes are locked, then these volumes are not decrypted. Decryption starts only on the boot volume. You must manually unlock the data volumes to allow the decryption.

About authenticating to a pre-encrypted BitLocker system

When Symantec Endpoint Encryption for BitLocker is installed on a computer that is already encrypted by Microsoft BitLocker, then:

■ Symantec Endpoint Encryption for BitLocker does not encrypt the system again.

Note: If the volumes are in the encryption paused, decryption paused, decrypting, or decrypted state, then Symantec Endpoint Encryption for BitLocker starts encrypting these volumes.

■ The client starts reporting the status information to Symantec Endpoint Encryption Management Server. Symantec Endpoint Encryption for BitLocker creates a new BitLocker Recovery Key on the computer and sends this key to the server. This key helps you gain access to your encrypted system if you forget your logon credentials and become locked out of your computer.

■ The way that you authenticate when you access your computer is enforced through policies. If you use a non-compliant authentication method, depending on the policy configured by the administrator, you may be prompted to configure new credentials.

■ If data volumes are locked, then Symantec Endpoint Encryption for BitLocker does not enforce any Symantec Endpoint Encryption policies on these volumes. However, as soon as these volumes are unlocked, then the Symantec Endpoint Encryption policies are enforced on these volumes on the next policy update.

The following table describes how you authenticate at the BitLocker preboot authentication screen after a Symantec Endpoint Encryption for BitLocker authentication policy is applied. Your authentication method is determined by a combination of the policy with:

■ How your pre-encrypted system is currently configured

■ The existing authentication policy

Note: You are unlikely to know which BitLocker policy is enforced on your computer. You can tell which policy is enabled, based on how your current authentication method changes after Symantec Endpoint Encryption for BitLocker is installed.

Table 2 How your authentication changes after Symantec Endpoint Encryption for BitLocker is installed

Authentication policy enforced on your system | Authentication method already present on your system | Authentication method on your system after policy is enforced

On systems with TPM enabled:

TPM | TPM + PIN | TPM
TPM | TPM + Startup key | TPM
TPM | TPM + PIN + Startup key | TPM
TPM | TPM | TPM. Note: If TPM is not already present, then TPM is added. If TPM is already present, then it is retained.
TPM | USB startup key | TPM, or USB startup key (External key). Note: If TPM is available, then the authentication takes place through TPM. Only in the absence of TPM is the USB startup key used for authentication.
TPM | Numerical password | TPM, or Numerical password
TPM + PIN | TPM | TPM + PIN
TPM + PIN | TPM + Startup key | TPM + PIN
TPM + PIN | TPM + PIN + Startup key | TPM + PIN
TPM + PIN | TPM + PIN | TPM + PIN. Note: If TPM + PIN are not already present, then TPM + PIN are added. If TPM + PIN are already present, then they are retained.
TPM + PIN | USB startup key | TPM + PIN, or USB startup key
TPM + PIN | Numerical password | TPM + PIN, or Numerical password

On systems with TPM disabled or where a TPM chip is not present:

Fall back to password policy is enabled on systems having Windows 8 or later installed | USB startup key | Password, or USB startup key
Fall back to password policy is enabled on systems having Windows 8 or later installed | Numerical password | Password, or Numerical password
Fall back to password policy is enabled on systems having Windows 8 or later installed | Password | Password. Note: If the associated password is not already present, then a password is added. If a password is already present, then it is retained.
Fall back to password policy is disabled on systems having Microsoft Windows 8 or later installed | USB startup key | USB startup key
Fall back to password policy is disabled on systems having Microsoft Windows 8 or later installed | Numerical password | Numerical password
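As an added example that is not part of this guide or the product (function names are assumptions; method and policy names are the table's own strings), the following Python encodes Table 2 as data and answers, for a given policy, pre-existing method and TPM state, which method results and whether the user will be prompted to configure a new PIN or password:

```python
# Rows for "On systems with TPM enabled": (policy, existing method) -> the
# methods the table lists after enforcement. A two-element tuple encodes the
# table's "A, or B" cells: per the table note, A (the TPM-based method) is used
# whenever the TPM is available and B only in its absence.
TPM_ENABLED_ROWS = {
    ("TPM", "TPM + PIN"): ("TPM",),
    ("TPM", "TPM + Startup key"): ("TPM",),
    ("TPM", "TPM + PIN + Startup key"): ("TPM",),
    ("TPM", "TPM"): ("TPM",),
    ("TPM", "USB startup key"): ("TPM", "USB startup key"),
    ("TPM", "Numerical password"): ("TPM", "Numerical password"),
    ("TPM + PIN", "TPM"): ("TPM + PIN",),
    ("TPM + PIN", "TPM + Startup key"): ("TPM + PIN",),
    ("TPM + PIN", "TPM + PIN + Startup key"): ("TPM + PIN",),
    ("TPM + PIN", "TPM + PIN"): ("TPM + PIN",),
    ("TPM + PIN", "USB startup key"): ("TPM + PIN", "USB startup key"),
    ("TPM + PIN", "Numerical password"): ("TPM + PIN", "Numerical password"),
}

# Rows for "On systems with TPM disabled or where a TPM chip is not present":
# (fall back to password policy enabled?, existing method) -> methods after.
NO_TPM_ROWS = {
    (True, "USB startup key"): ("Password", "USB startup key"),
    (True, "Numerical password"): ("Password", "Numerical password"),
    (True, "Password"): ("Password",),
    (False, "USB startup key"): ("USB startup key",),
    (False, "Numerical password"): ("Numerical password",),
}


def methods_after_policy(policy, existing, tpm_ready, fallback_to_password=False):
    """Return the tuple of authentication methods Table 2 lists for this case.

    policy               -- the SEE authentication policy: "TPM" or "TPM + PIN"
    existing             -- the method already present on the pre-encrypted system
    tpm_ready            -- True when a TPM is present, enabled and ready to use
    fallback_to_password -- the "fall back to password" policy (Windows 8 or later)
    Raises KeyError for a combination the table does not cover.
    """
    if tpm_ready:
        return TPM_ENABLED_ROWS[(policy, existing)]
    # Without a usable TPM the outcome depends only on the fall-back policy.
    return NO_TPM_ROWS[(fallback_to_password, existing)]


def credential_to_configure(policy, existing, tpm_ready, fallback_to_password=False):
    """Return "PIN", "password" or None.

    This is the credential the user is prompted to configure because the
    pre-existing method is non-compliant with the enforced policy: a PIN is
    added when TPM + PIN is enforced and no PIN exists yet; a password is added
    when the fall-back password is enforced and none exists yet (table notes).
    """
    methods = methods_after_policy(policy, existing, tpm_ready, fallback_to_password)
    if "TPM + PIN" in methods and "PIN" not in existing:
        return "PIN"
    if "Password" in methods and existing != "Password":
        return "password"
    return None  # existing credential retained, or only removed (e.g. PIN dropped)
```

The constructed cases in the test below correspond to Table 2 rows; a combination that is not a row (for example a TPM-only method on a system whose TPM is not ready) raises KeyError rather than guessing.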

How using a BitLocker Recovery Key affects your authentication on a pre-encrypted BitLocker system

On a system that is already encrypted with Microsoft BitLocker, there is a possibility that there are already existing BitLocker Recovery Keys for the volumes.

Note: When Symantec Endpoint Encryption for BitLocker is installed on this system, Symantec Endpoint Encryption for BitLocker creates a new BitLocker Recovery Key and sends this key to the server along with the existing recovery keys.

A BitLocker Recovery Key allows you to regain access to your encrypted computer if you forget your authentication credentials. Your authentication may change, following the use of a recovery key, as follows:

■ You call the help desk administrator and provide your BitLocker Recovery Key ID. The key may have already existed on your computer or it was created after Symantec Endpoint Encryption for BitLocker was installed. Once you regain access to your computer, you are prompted to reconfigure your password or PIN.

■ You do not call the help desk administrator and use your own copy of the recovery key. Once you regain access to your computer, you are not prompted to reconfigure your password or PIN.

Viewing the encryption status of the BitLocker client volumes

Symantec Endpoint Encryption for BitLocker protects the data that is stored on your hard disk by encrypting it. Encryption is the process by which an algorithm renders data unreadable. Only those who possess the "key" can decrypt the data, thereby rendering it intelligible again. When you install Symantec Endpoint Encryption for BitLocker on a client computer using the install-time policy, based on the encryption policy configured by the administrator, a BitLocker Recovery Key is generated. When the client-server communication is established, Symantec Endpoint Encryption for BitLocker sends the BitLocker Recovery Key to the server, and then starts encrypting the volumes, that is, the boot volume and the data volumes. You can continue to work normally during and after the encryption of the volumes.

To view the encryption status of the BitLocker client volumes

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.

2 On the BitLocker tab, click Drives.

3 View the encryption status of the volumes. The status can be one of the following:

■ Encrypting

Indicates that the encryption of the volumes is not complete. Along with this status, the page also displays the percentage of volumes already encrypted.

■ Encrypted with a lock icon Indicates that the volumes are encrypted.

Note: If you have an Opal v2 compliant self-encrypting drive, there are four possible status combinations. An Opal drive that is Microsoft eDrive-compatible displays with a Drive Type of eDrive. Its status may be Hardware Encrypted or (software) Encrypted, depending on how the drive was provisioned. An Opal drive that is not Microsoft eDrive-compatible has no Drive Type specified and its status may be Hardware Encrypted or (software) Encrypted. The type of encryption does not affect how you work. If you have questions about Opal drives, contact your client administrator.

■ Encryption has been paused Indicates that the encryption of the volumes is paused. Along with this status, the page also displays the percentage of volumes already encrypted.

■ Decrypting Indicates that the decryption of the volumes is not yet complete. Along with this status, the page also displays the percentage of decryption remaining for the volumes.

■ Not Encrypted with an unlock icon Indicates that the volumes are not encrypted. This status also appears for a volume that was encrypted previously but now is fully decrypted. The Not Encrypted status also appears for a volume that has never been encrypted.

Note: If your disk was previously encrypted but is now decrypted, your administrator may have decrypted your disk remotely using the decryption policy.

■ Decryption has been paused Indicates that the decryption of the volumes is paused. Along with this status, the page also displays the percentage of decryption remaining for the volumes.

■ Locked Indicates that the data volumes are locked.

Ensuring regular communication with the server for the encrypted BitLocker clients

For security reasons, your policy administrator may have configured check-in enforcement for your computer that is encrypted with Symantec Endpoint Encryption for BitLocker. This enforcement locks out your computer if it is lost or stolen and therefore fails to check in within a prescribed time interval. Use the Check In button when:

■ A lockout enforcement policy is in effect and lockout is imminent.

■ You are running your computer on a VPN, and your computer communicates intermittently with Symantec Endpoint Encryption Management Server.

■ Your administrator instructs you to click the Check In button during the warning period.

When you click the Check In button, your client computer attempts to connect to Symantec Endpoint Encryption Management Server. When the communication is successful, the Last check in field is updated with the current date and time. If the lockout policy is enabled for your computer, the Next check in due by field value also is extended by a lockout period that your policy specifies. Any potential lockout is prevented. If your computer is locked, clicking Check In does not unlock it. Contact your Help Desk administrator to regain access to your locked out computer.

Note: If your computer is locked out and later if the client-server communication is established, the computer remains in the lockout state. Contact your Help Desk administrator to regain access to your locked out computer.

To view the check-in information

1 On the Start menu, click All Programs > Symantec Endpoint Encryption > SEE Management Agent.

2 On the BitLocker > Status tab, view the following information:

■ Next check in due by Provides the information about the next communication due date. A value in this field also indicates that the check-in policy is active for your client computer.

■ Last check in Provides the information about the last communication of the client computer with Symantec Endpoint Encryption Management Server.

Note: To establish communication with the server, on the BitLocker > Status tab, click Check In.

About loss of access to a volume encrypted for BitLocker client

Symantec Endpoint Encryption secures your data so that you can gain access to the volume encrypted with Symantec Endpoint Encryption for BitLocker. You might lose access to your encrypted volume if you forget your PIN or password, or if a communication lockout is in effect because of your organization's policy settings. Client computers encrypted with Symantec Endpoint Encryption for BitLocker communicate with Symantec Endpoint Encryption Management Server to send status and recovery information to the server. For security reasons, your policy administrator might enforce a check-in policy to monitor your client computer through periodic contact with the server. If your client computer fails to communicate with the server within the prescribed time frame, the computer is locked out. When the lockout occurs, the computer remains in a pre-Windows state after restart. You can log on to the computer only with assistance from the help desk. The lockout thereby protects the data on your computer if the computer is lost or stolen. The administrative policies of Symantec Endpoint Encryption Management Server control the client check-in enforcement. Your policy administrator might enable communication lockout and specify a minimum contact period within which the client must check in to establish a connection with Symantec Endpoint Encryption Management Server. The administrator can also specify a warning period during which the BitLocker client should notify you to communicate with the server. If you do not check in the client computer within the specified time frame, the client goes into a communication lockout state.

Note: After you regain access to your computer from a communication lockout, the check-in due date is extended by the same minimum lockout contact period as specified in the policy.
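As an added example that is not the product's own code, the following Python models the check-in enforcement described above (the Check In button, the warning period, the lockout, and help desk recovery); the class and field names and the sample 7-day and 2-day periods are assumptions chosen for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CheckInEnforcement:
    """Constructed model of one client's check-in (communication lockout) state."""
    minimum_contact_period: timedelta      # policy: client must check in within this
    warning_period: timedelta              # policy: warn the user this long before due
    last_check_in: datetime                # the "Last check in" field
    next_check_in_due_by: Optional[datetime] = None   # the "Next check in due by" field
    locked_out: bool = False

    def __post_init__(self):
        if self.next_check_in_due_by is None:
            self.next_check_in_due_by = self.last_check_in + self.minimum_contact_period

    def status(self, now):
        """Return "locked out", "warning" or "ok" as of `now`.

        Missing the due date is what triggers the lockout; once locked out the
        client stays locked out until help desk recovery, whatever the clock says.
        """
        if self.locked_out or now >= self.next_check_in_due_by:
            self.locked_out = True
            return "locked out"
        if now >= self.next_check_in_due_by - self.warning_period:
            return "warning"
        return "ok"

    def check_in(self, now, server_reachable=True):
        """Model the Check In button; returns the status after the attempt.

        A successful check-in updates Last check in and extends Next check in
        due by by the policy's period. A check-in that reaches the server while
        the computer is already locked out does NOT unlock it (guide note).
        """
        if self.status(now) == "locked out":
            return "locked out"
        if not server_reachable:
            return self.status(now)      # nothing changes; lockout may still be imminent
        self.last_check_in = now
        self.next_check_in_due_by = now + self.minimum_contact_period
        return "ok"

    def help_desk_recovery(self, now):
        """Regain access with help desk assistance; the due date is extended by
        the same minimum contact period as specified in the policy."""
        self.locked_out = False
        self.next_check_in_due_by = now + self.minimum_contact_period
        return self.status(now)


def walk_through():
    """Constructed timeline: 7-day contact period, 2-day warning, last check-in Jan 1."""
    enf = CheckInEnforcement(timedelta(days=7), timedelta(days=2), datetime(2020, 1, 1))
    events = [
        ("Jan 3 status", enf.status(datetime(2020, 1, 3))),                  # ok
        ("Jan 6 status", enf.status(datetime(2020, 1, 6))),                  # warning (due Jan 8)
        ("Jan 6 check in", enf.check_in(datetime(2020, 1, 6))),              # ok, due now Jan 13
        ("Jan 14 status", enf.status(datetime(2020, 1, 14))),                # locked out
        ("Jan 15 check in", enf.check_in(datetime(2020, 1, 15))),            # still locked out
        ("Jan 15 help desk", enf.help_desk_recovery(datetime(2020, 1, 15))), # ok, due Jan 22
    ]
    return events, enf


if __name__ == "__main__":
    for label, state in walk_through()[0]:
        print(f"{label}: {state}")
```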

Accessing your system using a BitLocker Recovery Key

If you have forgotten your PIN or password or if the computer is in a lockout state, you can use a BitLocker Recovery Key.

To access your system using your BitLocker Recovery Key

1 Contact your help desk administrator.

2 Provide the BitLocker Recovery Key ID of your system from the BitLocker Recovery screen, and ask for the BitLocker Recovery Key.

3 Enter the BitLocker Recovery Key that your help desk administrator provides.

4 Press Enter to gain access to your volumes on your computer.

5 You are prompted to reconfigure your PIN or password.

Note: When a virtual system with Symantec Endpoint Encryption for BitLocker installed is locked out and resumes from Sleep mode, the BitLocker Recovery screen does not appear on preboot. You are directly navigated to the Windows logon screen. Once you log on, the BitLocker PIN or password reconfiguration prompt does not appear. To regain access to your locked out system, restart or shut down the system.
