BitLocker by Microsoft is an easy-to-use encryption program built into Windows. It is an effective tool that can encrypt the entire PC hard drive, including the system drive, any physical drive, or even the virtual hard drive (VHD) of a Windows 10 PC. BitLocker also prevents unauthorized access to the system and protects PC data in the event of a device being lost or stolen.
Steps to enable BitLocker remotely using SureMDM
1. Login to the SureMDM Web Console.
2. Go to Profiles.
3. Select Windows and click Add.
4. Select BitLocker from the list of profiles and click Configure.
5. Give the profile a name.
6. Select Require from the Encrypt Devices dropdown menu.
7. If you wish to encrypt the storage card of Windows 10 devices, select Require from the Encrypt Storage Card dropdown menu.
8. Under BitLocker’s base settings, toggle the following settings on or off based on your preferences:
- Warning For Other Disk Encryption – Turning this off disables the warning prompt for other disk encryption on devices.
- Configure Encryption Methods – Defines the encryption methods to be used for specific drive types. If Not Configured (i.e. this setting is Off), the BitLocker wizard will ask the user for the encryption method to be used on a drive type. The encryption method for all drives defaults to XTS-AES 128-bit while the encryption method for removable drives defaults to AES-CBC 128-bit. If On, BitLocker uses the encryption methods you specified. Also, if this setting is On, these extra settings appear (operating system drive, fixed drive, removable drive), and you will need to choose the default encryption method for each drive type.
9. Under BitLocker’s OS drive settings, choose the appropriate options for the following settings:
- Additional Authentication at Startup – Defines the additional authentication required during device startup. It also specifies whether BitLocker should be allowed on devices that don’t have a TPM (Trusted Platform Module) chip. If this setting is Off, devices without a TPM chip cannot use BitLocker encryption. If On, the following extra settings appear.
- Minimum PIN Length – The minimum length of the TPM startup PIN.
- OS Drive Recovery – If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the operating system drive recovery options available to users if they don’t have the unlock password or USB startup key.
- Pre-Boot Recovery Message and URL – Specifies whether BitLocker shows a customized message and URL on the recovery screen. If On, the following extra settings appear. If Not Configured, the default recovery message and URL display.
- Use default recovery message and URL
- Use empty recovery message and URL
- Use custom recovery message
- Use custom recovery URL
10. Under BitLocker fixed data-drive settings, toggle the following setting:
- Write Access To Fixed Data – Drive Not Protected By BitLocker Fixed Drive Recovery – If not Blocked, users can write to fixed drives only when those drives are encrypted with BitLocker.
11. Under BitLocker removable data-drive settings, toggle the following setting:
- Write Access To Removable Data – Drive Not Protected By BitLocker – If On, users can write to removable drives only when those drives are encrypted with BitLocker. Configure this setting in line with your organization’s policy on write access to removable drives from other organizations.
12. Once the configuration is complete, click Save.
13. Now, click on Home.
14. Select the desired Windows 10 device from the device list and click Apply.
15. Select the saved profile and click Apply.
BitLocker (with the desired settings) will be pushed to the selected Windows 10 device. The end user will get a prompt to enable BitLocker encryption on their device. They can choose to either accept or ignore the request.
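Because the end user can ignore the prompt, it is worth confirming on the device that encryption actually took effect. The PowerShell audit below is an added example, not part of SureMDM or the original article; it relies on the built-in Get-BitLockerVolume and Get-Tpm cmdlets, while the function name Test-BitLockerVolume, the expected-method table (taken from the defaults quoted in step 8) and the requirement for TPM and recovery-password protectors on the OS drive are assumptions to adjust to your profile.

```powershell
#Requires -RunAsAdministrator
# Added example: audit local BitLocker state after the MDM profile has been applied.
# Assumption: allowed methods mirror the defaults quoted in the article.
# Removable drives are reported with VolumeType 'Data', so AES-CBC 128 is allowed there.
$AllowedMethods = @{
    OperatingSystem = @('XtsAes128')
    Data            = @('XtsAes128', 'Aes128')
}

function Test-BitLockerVolume {
    param(
        [Parameter(Mandatory)] $Volume,
        [Parameter(Mandatory)] [hashtable] $Allowed
    )
    $issues = @()
    $type   = [string]$Volume.VolumeType
    $method = [string]$Volume.EncryptionMethod

    if ([string]$Volume.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "status is $($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)% encrypted)"
    }
    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $issues += 'protection is not On (suspended or never enabled)'
    }
    if ($Allowed.ContainsKey($type) -and $method -notin $Allowed[$type]) {
        $issues += "method is $method, allowed: $($Allowed[$type] -join ', ')"
    }
    if ($type -eq 'OperatingSystem') {
        # Protector types present on the volume, e.g. Tpm, TpmPin, RecoveryPassword
        $protectors = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        if (-not ($protectors -like 'Tpm*'))          { $issues += 'no TPM-based protector' }
        if ($protectors -notcontains 'RecoveryPassword') { $issues += 'no recovery password protector' }
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = $type
        Compliant  = ($issues.Count -eq 0)
        Issues     = $issues -join '; '
    }
}

if (-not (Get-Tpm).TpmPresent) { Write-Warning 'No TPM present on this device.' }

$report = Get-BitLockerVolume | ForEach-Object { Test-BitLockerVolume -Volume $_ -Allowed $AllowedMethods }
$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the managed device; any row with Compliant set to False lists what differs from the expected profile.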
If you would like to try a convenient way to push BitLocker encryption remotely on your Windows 10 devices, try SureMDM today!