BitLocker by Microsoft is an easy-to-use encryption program built into Windows. It is an effective tool that can encrypt the entire PC hard drive, including the system drive, any physical drive, or even the virtual hard drive (VHD) of a Windows PC. BitLocker also prevents unauthorized access to the system and protects PC data in the event of a device being lost or stolen.
On enterprise-owned devices, IT departments can enable BitLocker encryption to prevent data breaches. SureMDM by 42Gears allows BitLocker to be remotely enabled on Windows devices.
The purpose of this knowledge article is to help the admin set up silent BitLocker encryption on SureMDM devices remotely to encrypt device data and address the threats of data theft or exposure from lost or stolen devices.
Windows/Microsoft level requirements:
- The device must be AzureAD-joined or hybrid AzureAD-joined and enrolled via SureMDM dual enrollment.
- Devices must have TPM (Trusted Platform Module) version 1.2 or later. (To verify the TPM version, refer to: https://knowledgebase.42gears.com/article/how-to-verify-tpm-version-for-windows-machines-to-support-bitlocker-encryption/ )
- The BIOS mode must be set to Native UEFI only.
- Windows Recovery Environment (WinRE) must be enabled on devices.
- The hard disk must be partitioned into an operating system drive formatted with NTFS and a system drive of at least 350 MB, formatted as FAT32 on UEFI systems and as NTFS on BIOS systems.
- Secure Boot must be enabled.
SureMDM level requirements:
1. Log in to the SureMDM Web Console.
2. Go to Profiles.
3. Select Windows and click Add.
4. Select BitLocker from the list of profiles and click Configure.
5. Give the profile a name.
6. Under BitLocker’s base settings and BitLocker OS drive settings, toggle the following settings to the recommended values below:
- Encrypt Devices – Require
- Allow Encryption For Standard User – Enable
- Warning For Other Disk Encryption – Block
- Configure Encryption Methods – Enable
- Encryption For Operating System Drives – Select a setting to be in line with your organization’s policy
- Encryption For Fixed Data Drives – Select a setting to be in line with your organization’s policy
- Encryption For Removable Data Drives – Select a setting to be in line with your organization’s policy
- Additional Authentication At Startup – Not Configured
- Enforce Drive Encryption Type On OS Drives – Enable
- Encryption Type
  - Full disk or Used Space-only encryption
  - Encryption will be initiated based on the device’s modern standby capabilities
  - For more details, refer to full-disk vs used-space-only encryption
- Minimum PIN Length – Not Configured
- User Creation Of Recovery Password – Require 48-digit recovery password
- User Creation Of Recovery Key – Do not allow a 256-bit recovery key
7. Under BitLocker fixed data-drive settings, replicate the above settings based on your preferences.
8. Under BitLocker removable data-drive settings, toggle the following setting:
- If enabled, users can write to removable drives only when those drives are encrypted with BitLocker. Configure this setting to align with your organization’s policy on write access to other organizations’ removable drives.
9. Once the configuration is complete, click Save.
10. Click Home.
11. Select the desired Windows device from the device list and click Apply.
12. Select the saved profile and click Apply.
NOTE: To verify encryption status, refer to https://knowledgebase.42gears.com/article/how-to-verify-bitlocker-encryption-status-and-recovery-key-and-id-for-windows-10-2/.
BitLocker (with the desired settings) will be pushed to the selected Windows device. Silent encryption on the device will be initiated if all prerequisites are met, and recovery keys will be automatically uploaded to the SureMDM and Azure AD consoles.
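The prerequisites listed above and the resulting encryption state can both be confirmed on the device itself. The following PowerShell script is an added example, not part of this article or of SureMDM; it uses standard Windows cmdlets and tools, and the check names and output layout are my own.

```powershell
# Added example (not from the 42Gears article): checks the BitLocker prerequisites
# listed above on a Windows device and then reports the OS drive's BitLocker state.
# Run from an elevated PowerShell session on the device. Check names are mine.

$checks = [ordered]@{}

# Azure AD join state (dsregcmd prints "AzureAdJoined : YES" when joined)
$checks['AzureAD / hybrid joined'] = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')

# TPM present, initialised, and spec version 1.2 or 2.0
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
$checks['TPM 1.2 or later, ready'] = ($tpm.TpmPresent -and $tpm.TpmReady -and $tpmSpec -match '^(1\.2|2\.0)')

# Firmware mode: Windows sets $env:firmware_type to UEFI or Legacy
$checks['Native UEFI'] = ($env:firmware_type -eq 'UEFI')

# Secure Boot: the cmdlet throws on legacy BIOS, unsupported firmware, or without elevation
try   { $checks['Secure Boot ON'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot ON'] = $false }

# WinRE enabled (reagentc output is localised; this pattern assumes English Windows)
$checks['WinRE enabled'] = [bool]((reagentc /info) -match 'Windows RE status:\s+Enabled')

# Disk layout: OS volume on NTFS, system partition at least 350 MB
$osVol   = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
$sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
$checks['OS drive is NTFS']           = ($osVol.FileSystem -eq 'NTFS')
$checks['System partition >= 350 MB'] = ($null -ne $sysPart -and $sysPart.Size -ge 350MB)

'--- Prerequisites ---'
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# Current encryption state of the OS drive. Only key protector types and IDs are
# listed; the recovery password itself is never printed.
'--- OS drive BitLocker status ---'
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
'{0} {1} ({2}% encrypted, {3}, protection {4})' -f $bl.MountPoint, $bl.VolumeStatus,
    $bl.EncryptionPercentage, $bl.EncryptionMethod, $bl.ProtectionStatus
$bl.KeyProtector | ForEach-Object { '  {0,-18} {1}' -f $_.KeyProtectorType, $_.KeyProtectorId }
```

A FAIL on any prerequisite line explains why silent encryption did not start after the profile was applied; a RecoveryPassword protector with a non-empty ID is what should match the key uploaded to SureMDM and Azure AD.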
For BitLocker silent encryption using SureMDM Run Scripts, refer to https://knowledgebase.42gears.com/article/how-to-enable-silent-bitlocker-encryption-using-suremdm-run-scripts/