Configure BitLocker Profile (Windows)
BitLocker by Microsoft is an easy-to-use encryption feature built into Windows. It can encrypt the entire PC hard drive, including the system drive, any physical drive, or even a virtual hard drive (VHD) of a Windows 10 PC. BitLocker also prevents unauthorized access to the system and protects PC data in the event of theft or loss of the device.
On enterprise-owned devices, admins can enable BitLocker encryption to prevent data breaches. SureMDM allows BitLocker to be enabled remotely on Windows 10 devices.
To enable BitLocker on the enrolled device(s), follow these steps:
1. Navigate to SureMDM Web Console > Profiles > Windows > Add > BitLocker > Configure.
2. Enter a Profile Name.
3. Configure BitLocker settings and click Save.
| Settings | Description |
|---|---|
| Encrypt Devices | Selecting Require prompts users to enable BitLocker encryption on Windows 10 devices. |
| Encrypt Storage Card (Windows Phone Only) | Selecting Require prompts users to enable BitLocker encryption on the Windows Phone storage card. |
| BitLocker base settings | |
| Warning for other Disk Encryption | Select Block to disable the warning prompt about other disk encryption. |
| Configure Encryption Methods | Defines the encryption method to be used for each drive type. For example, if the following options are selected: Encryption for Operating System Drives: AES-CBC 128-bit; Encryption for Fixed Data-Drives: XTS-AES 128-bit; Encryption for Removable Data-Drives: AES-CBC 128-bit. |
| BitLocker OS drive settings | |
| Additional Authentication at Startup | Defines the additional authentication required during device startup. It also specifies whether BitLocker should be allowed on devices that do not have a Trusted Platform Module (TPM) chip. Available options: BitLocker with Non-Compatible TPM Chip; Compatible TPM Startup; Compatible TPM Startup PIN; Compatible TPM Startup Key; Compatible TPM Startup Key and PIN. |
| Minimum Pin Length | The minimum length of the TPM startup PIN. On selecting Enable, a new setting appears for entering the minimum number of characters for the TPM startup PIN. |
| OS Drive Recovery | If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the operating system drive recovery options available to users if they do not have the unlock password or USB startup key. The following settings appear on selecting Enable: 1. Certificate-Based Data Recovery Agent User: allow or deny a certificate-based data recovery agent. 2. User Creation of Recovery Password: allow or deny users the use of a recovery password. 3. User Creation of Recovery Key: allow or deny users the use of a recovery key. 4. Recovery Options in BitLocker Setup Wizard: show or hide the recovery options in the BitLocker Setup Wizard. 5. Save BitLocker Recovery Information To Azure Active Directory: allows saving the recovery options to Azure Active Directory domains. 6. BitLocker Recovery Information Stored to Azure Active Directory: allows storing the BitLocker recovery password, or the recovery password and key package, in the Azure Active Directory domain. 7. Store Recovery Information in Azure Active Directory Before Enabling BitLocker: prevents users from enabling BitLocker unless the device is domain-connected and the backup of the BitLocker recovery information has been stored in the Azure Active Directory domain. |
| Pre-Boot Recovery Message and URL | Specifies whether BitLocker shows a customized message and URL on the recovery screen. Available options: Use Default recovery message and URL; Use empty recovery message and URL; Use custom recovery message; Use custom recovery URL. |
| BitLocker fixed data-drive settings | |
| Write Access to Fixed Data-Drive Not Protected By BitLocker | If not Blocked, users can write to fixed drives only when those drives are encrypted with BitLocker. |
| Configure Fixed Drive Recovery | Configures the recovery options offered to users for a BitLocker-encrypted fixed drive. On selecting Enable, further settings appear; for their descriptions, see the OS Drive Recovery row in this table. |
| BitLocker removable data-drive settings | |
| Write Access to Removable Data-Drive Not Protected By BitLocker | If the following options are selected: |
The newly created profile will be listed in the Profiles section.
4. Go back to the Home tab and select the Windows device(s) or group(s).
5. Click Apply to launch the Apply Job/Profile To Device prompt.
6. In the Apply Job/Profile To Device prompt, select the created profile and click Apply.
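Once the profile has been applied, the following PowerShell audit (an added example, not part of the SureMDM documentation or product) run as an administrator on the device reports, per volume, the drive class, whether the encryption method matches the profile, TPM presence, the startup authentication protector in use and whether a recovery password protector exists. The `$Expected` table is an assumption mirroring the example values in the Configure Encryption Methods row; adjust it to your own profile.

```powershell
# Added example, not from the SureMDM documentation or product.
# Audits BitLocker on a Windows 10 device after the profile is applied:
# drive class, encryption method vs. the expected one, TPM presence,
# startup authentication protectors and recovery password presence.
#Requires -RunAsAdministrator

# Assumed expected methods; these mirror the example values in the
# "Configure Encryption Methods" row. Adjust to match your profile.
$Expected = @{
    OperatingSystem = 'Aes128'     # AES-CBC 128-bit
    Fixed           = 'XtsAes128'  # XTS-AES 128-bit
    Removable       = 'Aes128'     # AES-CBC 128-bit
}

function Get-BitLockerAudit {
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        # Classify the volume the way the profile rows do:
        # operating system, fixed data, or removable data.
        $class = 'Fixed'
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $class = 'OperatingSystem'
        }
        elseif ($vol.MountPoint -match '^([A-Za-z]):') {
            $drive = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
            if ($drive -and $drive.DriveType -eq 'Removable') { $class = 'Removable' }
        }
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            Volume          = $vol.MountPoint
            Class           = $class
            Protected       = ($vol.ProtectionStatus -eq 'On')
            Method          = "$($vol.EncryptionMethod)"
            MethodMatches   = ("$($vol.EncryptionMethod)" -eq $Expected[$class])
            TpmPresent      = $tpm.TpmPresent
            # Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey, matching the
            # "Additional Authentication at Startup" options
            StartupAuth     = (($protectors | Where-Object { $_ -like 'Tpm*' }) -join ',')
            HasRecoveryPass = ('RecoveryPassword' -in $protectors)
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize
# Volumes whose method differs from the profile or that lack a recovery
# password protector, which the OS Drive Recovery settings rely on.
$audit | Where-Object { -not $_.MethodMatches -or -not $_.HasRecoveryPass }
```

A volume listed by the final filter either was encrypted before the profile arrived with a different method (BitLocker does not re-encrypt an already encrypted volume when the policy changes) or has no recovery password to escrow, so it is worth checking before relying on the Azure Active Directory backup settings.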