# BitLocker Policy Association & Deployment

The policies created in the BitLocker module must be associated with specific targets for deployment. To know more about creating and configuring BitLocker policies, [refer to this page](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-policy-creation.html). This document outlines the steps for creating and configuring BitLocker policies, as well as automating BitLocker deployment.

Once a policy is created, associate it with specific targets. Supported target types include static computer groups (CG), static unique CG, and dynamic CG. New systems that fall under a dynamic CG are automatically encrypted according to the deployed policy, so any new system that matches the criteria is included without manual intervention. To learn more about custom groups and their configuration, [refer to this page](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/creating_custom_groups.html).

Follow these steps to deploy BitLocker policies:

1. Navigate to **Policy Deployment** under the BitLocker Management module in the Endpoint Central web console.

2. Click **Associate Policy**.

   ![Bitlocker Policy Deployment](https://www.manageengine.com/products/desktop-central/images/bitlocker-policy-deployment.png)

3. Select the custom group for BitLocker policy deployment. **To automate BitLocker deployment**, select **All Computers Group**.

   ![Automatic Encryption Select CG](https://www.manageengine.com/products/desktop-central/images/bitlocker-automatic-encryption-select-custom-group.png)

   Once a new computer is added to the network, it automatically joins this custom group, enabling automatic BitLocker deployment.

4. Choose the BitLocker policy to associate with the group. Only one policy can be associated per group.

   ![Automatic Encryption Select Policy](https://www.manageengine.com/products/desktop-central/images/bitlocker-automatic-encryption-select-policy.png)

5. Click **Deploy**. The policy will be deployed during the next refresh cycle (90 minutes). Selecting **Deploy Immediately** will deploy the policy instantly.

   **Point to note:** There is an upper limit of 200 computers for this option.

After deployment, you can view the list of associated computers and their policy deployment status. This section also includes remarks or reasons for any failures.

Ensure that encryption is either in progress or fully completed. You can check the encryption status for each machine in the **Managed Computers section**.

![Managed Computers](https://www.manageengine.com/products/desktop-central/images/bitlocker-managed-computers.png)

If a machine remains fully decrypted even after successful policy deployment, it may be due to one of two reasons: the encryption setting requires user input of a PIN or passphrase, or it is a non-TPM machine where a passphrase is mandatory. Encryption failures may also arise from environmental issues, leading us to the next section, Encryption Pre-requisites.

In the [encryption pre-requisites section](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-pre-requisites.html), you can view machines that cannot proceed with encryption due to errors such as BIOS mode incompatibility, WMI failures, or TPM ownership issues. Each case is documented, with remediation steps provided. The machines are also differentiated based on the errors.

The encryption process begins only once the password has been set. The **criteria for creating a password** are as follows:

1. **TPM and PIN**

   Length: 6–20 characters

   Complexity:
   - Must contain only digits (0–9).
   - Must not contain a continuous sequence of 3 or more digits (e.g., 123, 789).
   - Must not contain a repetitive sequence of length 2 (e.g., 1212, 2222).

2. **TPM and Enhanced PIN**

   Length: 6–20 characters

   Complexity:
   - Must include at least 1 uppercase letter, 1 lowercase letter, 1 digit, and 1 special character.
   - Must not contain a continuous sequence of 3 or more characters, case-insensitive (e.g., 123, abc, xYz).
   - Must not contain a repetitive sequence of length 2, case-insensitive (e.g., 1212, 2222, abab, yZyz).

3. **Passphrase**

   Length: 8–255 characters

   Complexity:
   - Must include at least 1 uppercase letter, 1 lowercase letter, 1 digit, and 1 special character.
   - Must not contain a continuous sequence of 3 or more characters, case-insensitive (e.g., 123, abc, xYz).
   - Must not contain a repetitive sequence of length 2, case-insensitive (e.g., 1212, 2222, abab, yZyz).

![Password Creation](https://www.manageengine.com/products/desktop-central/help/images/bitlocker-password.png)

**TPM+PIN password creation**

![Encryption Process](https://www.manageengine.com/products/desktop-central/help/images/encryption-process.png)

Once the drive is encrypted, the password must be entered at every boot.

![BitLocker Login Prompt](https://www.manageengine.com/products/desktop-central/help/images/bitlocker-login-prompt.png)

If you have any further questions, please refer to our [Frequently Asked Questions](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-faq.html#deployfaq) section for more information.
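
The password criteria listed on this page can be checked before a user reaches the prompt, for example in a help-desk script. The following is an added example, not ManageEngine's code; the names `RULES`, `check`, `has_sequence` and `has_repeat` are hypothetical. It assumes that a "continuous sequence" means three ascending consecutive digits or letters, that a "repetitive sequence of length 2" means a two-character unit immediately repeated, and that a special character is any non-alphanumeric character.

```python
import string

# Length bounds per protector type, taken from the criteria on this page.
RULES = {
    "tpm_pin":          {"min": 6, "max": 20,  "digits_only": True},
    "tpm_enhanced_pin": {"min": 6, "max": 20,  "digits_only": False},
    "passphrase":       {"min": 8, "max": 255, "digits_only": False},
}

def has_sequence(s):
    """True if s has 3 ascending consecutive digits or letters (123, abc, xYz)."""
    s = s.lower()
    for a, b, c in zip(s, s[1:], s[2:]):
        same_class = (all(ch in string.digits for ch in (a, b, c)) or
                      all(ch in string.ascii_lowercase for ch in (a, b, c)))
        if same_class and ord(b) - ord(a) == 1 and ord(c) - ord(b) == 1:
            return True
    return False

def has_repeat(s):
    """True if a 2-character unit is immediately repeated (1212, 2222, yZyz)."""
    s = s.lower()
    return any(s[i:i + 2] == s[i + 2:i + 4] for i in range(len(s) - 3))

def check(kind, secret):
    """Return the list of violated criteria; an empty list means acceptable."""
    rule, problems = RULES[kind], []
    if not rule["min"] <= len(secret) <= rule["max"]:
        problems.append("length")
    if rule["digits_only"]:
        if not all(ch in string.digits for ch in secret):
            problems.append("digits_only")
    else:
        classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
        has_special = any(not ch.isalnum() for ch in secret)  # assumption, see lead-in
        if not (has_special and all(any(ch in cls for ch in secret) for cls in classes)):
            problems.append("char_classes")
    if has_sequence(secret):
        problems.append("sequence")
    if has_repeat(secret):
        problems.append("repeat")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for kind, secret in [("tpm_pin", "802947"), ("tpm_pin", "401234"),
                         ("tpm_enhanced_pin", "Rk7!xYzq"), ("passphrase", "Rk7!yZyz")]:
        print(kind, secret, check(kind, secret) or "ok")
```
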