BitLocker Profile
For enterprise-owned devices, BitLocker full-volume encryption protects data at rest: a lost or stolen device, or a drive removed from it, cannot be read without the key protector (TPM, PIN, startup key or recovery password). With SureMDM, administrators can remotely enable BitLocker on enrolled Windows 10 devices and control the encryption method, startup authentication and recovery-key escrow from a single profile.
To enable BitLocker on the enrolled device(s), follow these steps:
Navigate to SureMDM Web Console > Profiles > Windows > Add > BitLocker > Configure.
Enter a Profile Name.
Configure BitLocker settings and click Save.
| Setting | Description |
|---|---|
| Encrypt Devices | Select Require to prompt users to enable BitLocker encryption on Windows 10 devices. |
| Encrypt Storage Card (Windows Phone Only) | Select Require to prompt users to enable BitLocker encryption on the Windows Phone storage card. |
| **BitLocker base settings** | |
| Allow Encryption For Standard User | Select this option to let standard (non-administrator) users turn on encryption. |
| Warning for other Disk Encryption | Select Block to suppress the warning prompt about other disk-encryption products. Suppressing this prompt is also a prerequisite for enabling BitLocker silently, without user interaction. |
| Configure Encryption Methods | Sets the encryption method used for each drive type. Not Configured: the BitLocker setup wizard asks the user which method to use for each drive type. Enable: the following settings appear and you choose the default method for each drive type; the console defaults are Encryption for Operating System Drives: AES-CBC 128-bit, Encryption for Fixed Data-Drives: XTS-AES 128-bit, Encryption for Removable Data-Drives: AES-CBC 128-bit. XTS-AES is supported only on Windows 10 version 1511 and later; a removable drive that must also be read on older Windows versions needs AES-CBC. |
| **BitLocker OS drive settings** | |
| Additional Authentication at Startup | Defines the additional authentication required when the device starts, and whether BitLocker is allowed on devices without a TPM (Trusted Platform Module). Not Configured: devices without a TPM cannot use BitLocker. Require: choose one option from the drop-down: BitLocker with Non-Compatible TPM Chip, Compatible TPM Startup, Compatible TPM Startup PIN, Compatible TPM Startup Key, Compatible TPM Startup Key and PIN. Without a TPM, BitLocker needs a password or a startup key on a USB drive at every boot. |
| Minimum Pin Length | Minimum length of the TPM startup PIN. On selecting Enable, a field appears to enter the minimum number of characters for the TPM startup PIN (Windows accepts 4 to 20). |
| OS Drive Recovery | Configures the recovery options available to users when the normal unlock step fails, for example when they don't have the unlock password or the USB startup key; BitLocker then prompts for the configured recovery key. On selecting Enable, the following settings appear: 1. Certificate-Based Data Recovery Agent: allow or deny a certificate-based data recovery agent. 2. User Creation of Recovery Password: allow or deny users to create a 48-digit recovery password. 3. User Creation of Recovery Key: allow or deny users to create a recovery key (a key file stored on a USB drive). 4. Recovery Options in BitLocker Setup Wizard: show or hide the recovery options in the BitLocker setup wizard. 5. Save BitLocker Recovery Information To Azure Active Directory: back up recovery information to Azure Active Directory. 6. BitLocker Recovery Information Stored to Azure Active Directory: store either the recovery password only, or the recovery password and key package, in Azure Active Directory. 7. Store Recovery Information in Azure Active Directory Before Enabling BitLocker: prevent users from enabling BitLocker until the device is joined and its recovery information has been backed up to Azure Active Directory. |
| Pre-Boot Recovery Message and URL | Specifies whether BitLocker shows a customised message and URL on the pre-boot recovery screen. Not Configured: the default recovery message and URL are shown. Enable: the following options appear; choose one: Use Default recovery message and URL, Use empty recovery message and URL, Use custom recovery message, Use custom recovery URL. Note: on selecting Use custom recovery message or Use custom recovery URL, a field appears to enter the message or URL (for example, the help-desk contact a user should call when the device enters recovery). |
| **BitLocker fixed data-drive settings** | |
| Enforce Drive Encryption Type On Fixed Data-Drives | Select this option to set the encryption type for fixed data drives: full encryption of the whole drive, or used-space-only encryption. |
| Write Access to Fixed Data-Drive Not Protected By BitLocker | Select Block to allow writes to fixed data drives only when those drives are protected by BitLocker; unprotected drives are mounted read-only. Not Configured: users can write to any fixed data drive. |
| Configure Fixed Drive Recovery | Configures the recovery options available to users for a BitLocker-encrypted fixed drive. On selecting Enable, the following settings appear (for their descriptions, see OS Drive Recovery in this table): Data Recovery Agent, User Creation of Recovery Password, User Creation of Recovery Key, Recovery Options in the BitLocker Setup Wizard, Save BitLocker Recovery Information To Azure Active Directory, BitLocker Recovery Information Stored To Azure Active Directory, Store Recovery Information In Azure Active Directory Before Enabling BitLocker. |
| **BitLocker removable data-drive settings** | |
| Write Access to Removable Data-Drive Not Protected By BitLocker | Not Configured: users can write to any removable data drive. Block: users can write to removable drives only when those drives are protected by BitLocker; unprotected drives are mounted read-only. Configure this setting according to your organisation's policy, including whether write access is allowed on removable drives that were BitLocker-protected by another organisation. |
The newly created profile will be listed in the Profiles section.
Go back to the Home tab and select the Windows device(s) or group(s).
Click Apply to launch the Apply Job/Profile To Device prompt.
Select the profile under All Jobs/Profiles.
Click Apply in the Apply Job/Profile To Device prompt.
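Once the profile has reached the device, the only reliable way to know that the settings in the table above took effect is to inspect the endpoint itself. The script below is an added example and is not SureMDM's own code: it reads the BitLocker policy values the MDM client writes to the registry, compares them with the encryption methods you chose in the profile, reports the actual state of every volume (method, protection status, key protectors), and optionally pushes the OS drive's recovery password to Azure Active Directory. The values in `$Expected` are assumptions matching the console defaults shown in the table; change them to match your profile. Run it in an elevated PowerShell session on the enrolled Windows 10 device.

```powershell
#Requires -RunAsAdministrator
# Added example, not SureMDM's own code: verify on an enrolled Windows 10 device that
# the BitLocker profile settings actually landed. Uses only the built-in BitLocker and
# TrustedPlatformModule modules.

# Assumption: the values your profile was saved with (console defaults from the table).
$Expected = @{
    OperatingSystem = 'Aes128'     # "AES-CBC 128-bit" as reported by Get-BitLockerVolume
    Fixed           = 'XtsAes128'  # "XTS-AES 128-bit"
    Removable       = 'Aes128'     # "AES-CBC 128-bit"
    MinimumPin      = 6            # hypothetical value entered under "Minimum Pin Length"
}

# 1. TPM: every "Compatible TPM ..." startup option needs a present and ready TPM.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "No ready TPM: only 'BitLocker with Non-Compatible TPM Chip' can apply here."
}

# 2. Policy as written to the device. The BitLocker CSP stores its settings under the
#    same registry key Group Policy uses; a missing value means 'Not Configured'.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
# Microsoft's encoding for EncryptionMethodWithXts*: 3=AES-CBC 128, 4=AES-CBC 256,
# 6=XTS-AES 128, 7=XTS-AES 256
$methodCode = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }
foreach ($pair in @(@('EncryptionMethodWithXtsOs',  'OperatingSystem'),
                    @('EncryptionMethodWithXtsFdv', 'Fixed'),
                    @('EncryptionMethodWithXtsRdv', 'Removable'))) {
    $value = $fve.($pair[0])
    $state = if ($null -eq $value) { 'Not Configured' } else { $methodCode[[int]$value] }
    "{0,-28} policy={1,-14} expected={2}" -f $pair[0], $state, $Expected[$pair[1]]
}
if ($fve.MinimumPIN) {
    "MinimumPIN policy={0} expected={1}" -f $fve.MinimumPIN, $Expected.MinimumPin
}

# 3. Actual volume state: method, protection status and which key protectors exist.
$driveTypes = @{}
Get-Volume | Where-Object { $_.DriveLetter } | ForEach-Object {
    $driveTypes[[string]$_.DriveLetter] = [string]$_.DriveType
}

foreach ($vol in Get-BitLockerVolume) {
    $letter = $vol.MountPoint.TrimEnd(':\')
    $class  = if ($vol.VolumeType -eq 'OperatingSystem') { 'OperatingSystem' }
              elseif ($driveTypes[$letter] -eq 'Removable') { 'Removable' }
              else { 'Fixed' }
    $types      = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $protectors = $types -join ','
    $ok = ($vol.ProtectionStatus -eq 'On') -and ($vol.EncryptionMethod -eq $Expected[$class])
    "{0} [{1}] method={2} status={3} protectors=[{4}] -> {5}" -f $vol.MountPoint, $class,
        $vol.EncryptionMethod, $vol.ProtectionStatus, $protectors, $(if ($ok) { 'OK' } else { 'CHECK' })

    # A drive with no RecoveryPassword protector cannot be recovered from a key escrowed in
    # Azure AD, whatever the "Save BitLocker Recovery Information" options say.
    if ($vol.ProtectionStatus -eq 'On' -and -not ($types -contains 'RecoveryPassword')) {
        Write-Warning "$($vol.MountPoint): encrypted but has no recovery password protector."
    }
}

# 4. Optional: escrow the OS drive's recovery password to Azure AD on demand (device must be
#    Azure AD joined). Off by default; set $EscrowToAAD = $true to run it.
$EscrowToAAD = $false
if ($EscrowToAAD) {
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $_.KeyProtectorId
    }
}
```

A line marked `CHECK` means either that protection is not yet on (encryption may still be in progress, or the user has not completed the wizard prompt) or that the drive was encrypted with a different method than the profile specifies; BitLocker does not re-encrypt an already-encrypted drive when the policy changes, so such drives must be decrypted and re-encrypted to match.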