BitLocker by Microsoft is an easy-to-use encryption program built into Windows. It can encrypt the entire PC hard drive, including the system drive, any physical drive, or even a virtual hard drive (VHD) of a Windows PC. BitLocker also prevents unauthorized access to the system and protects PC data in the event of a device being lost or stolen.
On enterprise-owned devices, IT departments can enable BitLocker encryption to prevent data breaches. SureMDM by 42Gears allows BitLocker to be remotely enabled on Windows devices.
Purpose
The purpose of this knowledge article is to help the admin set up BitLocker encryption on SureMDM-enrolled devices remotely to encrypt device data and address the threats of data theft or exposure from lost or stolen devices.
Prerequisites
Windows devices must be EMM or Dual enrolled in SureMDM.
Steps
1. Log in to the SureMDM Web Console.
2. Go to Profiles.
3. Select Windows and click Add.
4. Select BitLocker from the list of profiles and click Configure.
5. Give the profile a name.
6. Select Require from the Encrypt Devices dropdown menu. (NOTE: This prompts the user to enable BitLocker encryption on a Windows phone, desktop, or tablet.)
7. If you wish to encrypt the storage card of Windows devices, select Require from the Encrypt Storage Card dropdown menu. (NOTE: This option is only available for Windows mobile devices.)
8. Under BitLocker’s base settings, toggle the following settings on or off based on your preferences:
- Allow Encryption for Standard Users: If this option is configured, it allows the admin to enforce the BitLocker policy on a non-admin (standard) user who is currently logged in.
- Warning for Other Disk Encryption: Setting this to Block disables the warning prompt about other disk encryption on devices.
- Configure Encryption Methods: This section defines the encryption method to be used for each drive type. If not configured (i.e., this setting is off), the BitLocker wizard asks the user for the encryption method to use on a drive type. The encryption method for all drives defaults to AES-CBC 128-bit, while the encryption method for fixed data drives defaults to XTS-AES 128-bit. If the encryption method is configured, BitLocker uses the encryption methods you specified.
9. Under BitLocker’s OS drive settings, choose the appropriate options for the following settings:
- Additional Authentication at Startup: This defines the additional authentication required during device startup. It also specifies whether BitLocker should be allowed on devices that don't have a TPM (Trusted Platform Module) chip. If this setting is off, devices without a TPM chip cannot use BitLocker encryption. If on, additional options for configuring startup with the TPM appear.
- Enforce Drive Encryption Type on OS Drives: If enabled, the option to choose Encryption Type will appear, where admins can choose 'Allow User To Choose', 'Full Encryption', or 'Used Space Only Encryption' based on preferences.
- Minimum PIN Length – The minimum length of the TPM startup PIN.
- Configure OS Drive Recovery – If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the operating system drive recovery options available to users if they don’t have the unlock password or USB startup key. Enable subsequent settings based on preferences.
- Pre-Boot Recovery Message and URL – specifies whether BitLocker shows a customized message and URL on the recovery screen. If On, the following extra settings appear. If Not Configured, the default recovery message and URL display.
- Use default recovery message and URL
- Use empty recovery message and URL
- Use custom recovery message
- Use custom recovery URL
10. Under BitLocker fixed data-drive settings, toggle the following settings:
- Enforce Drive Encryption Type on Fixed Data Drives: If enabled, the option to choose encryption type will appear, where admins can choose 'Allow User To Choose', 'Full Encryption', or 'Used Space Only Encryption' based on preferences.
- Write Access to Fixed Data Drives Not Protected by BitLocker: If not blocked, users can write to fixed drives only when those drives are encrypted with BitLocker.
- Configure Fixed Drive Recovery: If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the fixed data drive recovery options available to users if they don't have the unlock password or USB startup key. Enable subsequent settings based on preferences.
11. Under BitLocker removable data-drive settings, toggle the following setting:
- Write Access to Removable Data Drives Not Protected by BitLocker: If enabled, users can write to removable drives only when those drives are encrypted with BitLocker. Configure this setting to align with your organization's policy on write access to other removable drives.
12. Once the configuration is complete, click Save.
13. Now, click on Home.
14. Select the desired Windows device from the device list and click Apply.
15. Select the saved profile and click Apply.
BitLocker (with the desired settings) will be pushed to the selected Windows device. The end user will be prompted to enable BitLocker encryption on their device. They can choose to either accept or ignore the request.
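Because the end user can ignore the prompt, it is worth confirming on the device that the pushed policy and the resulting drive state match what the profile asked for. The following PowerShell script is an added example, not part of this article or of SureMDM; it reads the standard BitLocker policy registry key (HKLM\SOFTWARE\Policies\Microsoft\FVE) and the built-in Get-BitLockerVolume and Get-Tpm cmdlets, and reports any gaps. The set of key protectors it expects on the OS drive (TPM plus a recovery password) is an assumption and should be adjusted to your own profile.

```powershell
#Requires -RunAsAdministrator
# Added verification script (not from the 42Gears article or SureMDM).
# Run on a SureMDM-enrolled Windows device after the BitLocker profile has been
# applied. Uses only the built-in BitLocker and TrustedPlatformModule cmdlets
# and the standard FVE policy registry key.

# Numeric EncryptionMethodWithXts* policy values and the names the profile uses.
$EncryptionMethodNames = @{
    3 = 'AES-CBC 128-bit'
    4 = 'AES-CBC 256-bit'
    6 = 'XTS-AES 128-bit'
    7 = 'XTS-AES 256-bit'
}

function Get-BitLockerPolicySummary {
    # MDM-delivered BitLocker settings land under the FVE policy key.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) {
        return [pscustomobject]@{ PolicyPresent = $false }
    }
    $p = Get-ItemProperty -Path $fve
    [pscustomobject]@{
        PolicyPresent        = $true
        OsDriveMethod        = $EncryptionMethodNames[[int]$p.EncryptionMethodWithXtsOs]
        FixedDriveMethod     = $EncryptionMethodNames[[int]$p.EncryptionMethodWithXtsFdv]
        RemovableDriveMethod = $EncryptionMethodNames[[int]$p.EncryptionMethodWithXtsRdv]
        AllowWithoutTpm      = [bool]$p.EnableBDEWithNoTPM   # "Additional Authentication at Startup"
        MinimumPinLength     = $p.MinimumPIN                  # "Minimum PIN Length"
        DenyWriteFixed       = [bool]$p.FDVDenyWriteAccess    # fixed-drive write access setting
        DenyWriteRemovable   = [bool]$p.RDVDenyWriteAccess    # removable-drive write access setting
    }
}

function Get-BitLockerVolumeReport {
    # One row per BitLocker-capable volume: protection state, encryption
    # progress, method in use, and which key protectors exist.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = [string]$_.VolumeType        # OperatingSystem or Data
            ProtectionStatus     = [string]$_.ProtectionStatus  # On or Off
            VolumeStatus         = [string]$_.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            EncryptionMethod     = [string]$_.EncryptionMethod  # e.g. XtsAes128, Aes128
            EncryptionPercentage = $_.EncryptionPercentage
            KeyProtectorTypes    = $types
            HasRecoveryPassword  = ($types -contains 'RecoveryPassword')
        }
    }
}

function Test-BitLockerState {
    # Returns a list of findings; an empty list means the device looks as the
    # profile intended. The required OS-drive protectors are an assumption.
    param([string[]]$RequiredOsProtectors = @('Tpm', 'RecoveryPassword'))

    $findings = New-Object System.Collections.Generic.List[string]
    $policy   = Get-BitLockerPolicySummary
    $tpm      = Get-Tpm

    if (-not $policy.PolicyPresent) {
        $findings.Add('No BitLocker policy under HKLM\SOFTWARE\Policies\Microsoft\FVE; the profile may not have reached this device yet.')
    }
    if (-not $tpm.TpmPresent -and $policy.PolicyPresent -and -not $policy.AllowWithoutTpm) {
        $findings.Add('No TPM present and the policy does not allow BitLocker without one; the OS drive cannot be encrypted under this profile.')
    }
    foreach ($v in Get-BitLockerVolumeReport) {
        if ($v.ProtectionStatus -ne 'On') {
            $findings.Add("$($v.MountPoint) protection is $($v.ProtectionStatus) ($($v.VolumeStatus), $($v.EncryptionPercentage)% encrypted).")
        }
        if ($v.ProtectionStatus -eq 'On' -and -not $v.HasRecoveryPassword) {
            $findings.Add("$($v.MountPoint) has no RecoveryPassword protector; a failed unlock cannot be recovered.")
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            foreach ($required in $RequiredOsProtectors) {
                if ($v.KeyProtectorTypes -notcontains $required) {
                    $findings.Add("$($v.MountPoint) (OS drive) is missing the $required key protector.")
                }
            }
        }
    }
    return $findings
}

# Usage: print the effective policy, the per-volume state, then any findings.
Get-BitLockerPolicySummary | Format-List
Get-BitLockerVolumeReport  | Format-Table -AutoSize
$issues = Test-BitLockerState
if ($issues.Count -eq 0) { 'BitLocker state matches the expected configuration.' }
else { $issues | ForEach-Object { "FINDING: $_" } }
```

The policy summary shows whether the encryption methods, TPM requirement, minimum PIN length and write-access restrictions from steps 8 to 11 actually arrived on the device, while the volume report shows whether the user accepted the prompt and how far encryption has progressed. The console's own device reporting remains the authoritative fleet-wide view; this script is for spot checks on individual devices.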
For BitLocker silent encryption without user interaction, refer to this link.
If you want to try a convenient way to push BitLocker encryption remotely on your Windows devices, try SureMDM today!