
Bitlocker Management for Windows

To create a BitLocker Management job and deploy it to the enrolled device(s) or group(s) remotely, follow these steps:

  1. On the SureMDM Web Console, navigate to Jobs > New Job > Windows > Bitlocker Management.
  2. In the Configure Job screen, enter a Job Name. The following options are available in the Bitlocker management for Windows section:
    • Add - This option allows you to add the configurations for BitLocker Management.
    • Delete - This option allows you to delete the job added in this section.
    • Modify - This option allows you to modify the existing job.
  3. In the BitLocker Management prompt, select one of the following options in the Configuration Type drop-down:

    a. Encryption Management: Select one of the options from the drop-down.

      i. Encrypt OS Drive: Select this option to encrypt the OS drive. Once this option is selected, configure the following options as well:

        • Encrypt Used Space Only: When enabled, only used space is encrypted; otherwise, the full drive is encrypted.

        • Encryption Method: Select one of the options from the drop-down to choose the encryption method for OS drive encryption.

          • AES-CBC 128 bit
          • AES-CBC 256 bit
          • XTS-AES 128 bit
          • XTS-AES 256 bit

        Note: The device will be force restarted in 60 secs to complete the BitLocker encryption process.

      ii. Encrypt All Fixed Drives: Select this option to encrypt all Fixed drives. Once this option is selected, configure the following options as well:

        • Password: Enter the encryption password for the selected fixed drive(s).

        Note: The drive will stay unlocked without the password set if only the OS drive is encrypted.

        • Encrypt Used Space Only: When enabled, only used space is encrypted; otherwise, the full drive is encrypted.
        • Encryption Method: Select one of the options from the drop-down to choose the encryption method for OS drive encryption:
          • AES-CBC 128 bit
          • AES-CBC 256 bit
          • XTS-AES 128 bit
          • XTS-AES 256 bit

    b. Recovery Key Rotation Management: Select one of the options from the drop-down.

      • Enable Key Rotation for OS Drive: Select this option to rotate the recovery key for the OS drive.
      • Enable Key Rotation for All Fixed Drives: Select this option to rotate the recovery key for all encrypted Fixed drives.
      • Periodicity: Select the frequency to automatically rotate the BitLocker Recovery Key for the specified drive.

      Note: To rotate the recovery key, the drive should be fully encrypted.

    c. Disable Encryption: Select one of the options from the drop-down.

      i. Disable Encryption for OS Drive: Select this option to disable encryption for the OS drive.

        Note: If your fixed drives were encrypted without passwords alongside the OS drive in the past, then consider including them in the decryption job; otherwise, the decryption of the OS drive might fail.

      ii. Disable Encryption for All Fixed Drives: Select this option to disable encryption for all Fixed drives.

      Note: To disable encryption on a device, please ensure that the device is fully encrypted and unlocked.

The newly created job will be listed in the Jobs List section. 

  1. Go back to the Home tab and select the Windows device(s) or group(s).
  2. Click Apply to launch the Apply Job/Profile To Device prompt.
  3. Select the job under All Jobs/Profiles.
  4. Click Apply in the Apply Job/Profile To Device prompt.
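
To confirm on the endpoint that a deployed job took effect and that the prerequisites in the notes above hold (fully encrypted before key rotation; fully encrypted and unlocked before disabling encryption), a check like the following can be run in an elevated PowerShell session on the device. This is an added example, not SureMDM code: Get-BitLockerVolume and Get-Volume are built-in Windows cmdlets, while the function name Get-BitLockerJobReadiness and its output field names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not SureMDM code. Get-BitLockerVolume and Get-Volume are
# built-in Windows cmdlets; the function and output field names are hypothetical.

function Get-BitLockerJobReadiness {
    [CmdletBinding()]
    param(
        # Method chosen in the job, spelled the way Get-BitLockerVolume reports it
        # (AES-CBC 128 bit = Aes128, XTS-AES 256 bit = XtsAes256, and so on).
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$ExpectedMethod = 'XtsAes256'
    )

    # The job types cover the OS drive and fixed drives, so skip removable media.
    $fixed = @(Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' } |
        ForEach-Object { "$($_.DriveLetter):" })
    $volumes = @(Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixed })

    foreach ($vol in $volumes) {
        $status     = "$($vol.VolumeStatus)"
        $encrypted  = $status -eq 'FullyEncrypted'
        $unlocked   = "$($vol.LockStatus)" -eq 'Unlocked'
        $isData     = "$($vol.VolumeType)" -eq 'Data'
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            PercentEncrypted    = $vol.EncryptionPercentage
            Method              = $vol.EncryptionMethod
            MethodMatchesJob    = "$($vol.EncryptionMethod)" -eq $ExpectedMethod
            # Key rotation note: the drive should be fully encrypted.
            ReadyForKeyRotation = $encrypted
            # Disable note: the drive must be fully encrypted and unlocked.
            ReadyForDisable     = $encrypted -and $unlocked
            # Fixed drive encrypted without a password: include it in the
            # decryption job together with the OS drive.
            DecryptWithOsDrive  = $isData -and ($status -ne 'FullyDecrypted') -and
                                  ('Password' -notin $protectors)
        }
    }
}

Get-BitLockerJobReadiness -ExpectedMethod XtsAes256 | Format-Table -AutoSize
```

Pass the value that corresponds to the Encryption Method selected in the job; a row with MethodMatchesJob set to False means the volume reports a different method than the one being checked.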