BitLocker by Microsoft is an easy-to-use encryption program built into Windows. It can encrypt an entire PC hard drive, including the system drive, any physical drive, or even a virtual hard drive (VHD) of a Windows 10 PC. BitLocker also prevents unauthorized access to the system and protects PC data in the event of theft or loss of the device.
Steps to enable BitLocker remotely using SureMDM
1. Log in to the SureMDM Web Console.
2. Go to Profiles.
3. Select Windows and click Add.
4. Select BitLocker from the list of profiles and click Configure.
5. Give the profile a name.
6. Select Require from the Encrypt Devices dropdown menu.
7. If you wish to encrypt the storage card of Windows 10 mobiles, select Require from the Encrypt Storage Card dropdown menu.
8. Under BitLocker base settings, choose the appropriate options for the following settings:
- Warning For Other Disk Encryption – Allows you to disable the warning prompt for other disk encryption on devices.
- Configure Encryption Methods – Defines the encryption methods to be used for specific drive types. If Not Configured, the BitLocker wizard asks the user which encryption method to use for a drive type. The encryption method for all drives defaults to XTS-AES 128-bit, while the encryption method for removable drives defaults to AES-CBC 128-bit. If On, BitLocker uses the encryption method specified in the policy, and these extra settings appear so that you can choose the default encryption method for each drive type:
  - Operating system drive
  - Fixed drive
  - Removable drive
9. Under BitLocker OS drive settings, choose the appropriate options for the following settings:
- Additional Authentication at Startup – Defines the additional authentication required during device startup. It also specifies whether BitLocker should be allowed on devices that don’t have a TPM (Trusted Platform Module) chip. If Not Configured, devices without a TPM chip cannot use BitLocker encryption. If On, the following extra settings appear:
  - Minimum PIN Length – The minimum length of the TPM startup PIN.
- OS Drive Recovery – If the unlock step fails, BitLocker prompts the user for the configured recovery key. This setting configures the operating system drive recovery options available to users if they don’t have the unlock password or USB startup key.
- Pre-Boot Recovery Message and URL – Specifies whether BitLocker shows a customized message and URL on the recovery screen. If Not Configured, the default recovery message and URL are displayed. If On, the following extra settings appear:
  - Use default recovery message and URL
  - Use empty recovery message and URL
  - Use custom recovery message
  - Use custom recovery URL
10. Under BitLocker fixed data-drive settings, choose from the following:
- Write Access To Fixed Data – Drive Not Protected By BitLocker Fixed Drive Recovery – If not Blocked, users can write to fixed drives only when those drives are encrypted with BitLocker.
11. Under BitLocker removable fixed data-drive settings, choose from the following:
- Write Access To Removable Data – Drive Not Protected By BitLocker – If On, users can write to removable drives only when those drives are encrypted with BitLocker. Configure this setting as per your organization’s policy to allow write access on other organization removable drives.
12. Once the configuration is complete, click Save.
13. Now, click on Home.
14. Select the desired Windows 10 device from the device list and click Apply.
15. Select the saved Profile and click Apply.
The BitLocker profile with the desired settings will be pushed to the selected Windows 10 device. The end user will get a prompt to enable BitLocker encryption on their device. They can choose to either accept or ignore the request.
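Because the end user can ignore the prompt, it is worth confirming on the device that encryption actually took place. The following PowerShell check is an added example, not part of SureMDM or of the original article. It uses the built-in Get-BitLockerVolume cmdlet, and the expected values at the top ($ExpectedOsMethod, $RequireRecoveryPassword) are assumptions to be matched to the profile you pushed.

```powershell
#Requires -RunAsAdministrator
# Added example: verify on the device that the pushed BitLocker profile took effect.
# Assumed expectations; change them to match the settings chosen in the profile.
$ExpectedOsMethod        = 'XtsAes128'   # XTS-AES 128-bit
$RequireRecoveryPassword = $true

$report = foreach ($vol in Get-BitLockerVolume) {
    # Names of the key protectors present on this volume (Tpm, TpmPin, RecoveryPassword, ...)
    $protectors = @($vol.KeyProtector | Where-Object { $_ } |
                    ForEach-Object { [string]$_.KeyProtectorType })
    $issues = @()

    # A user who ignored the prompt leaves the volume unencrypted with protection off.
    if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "status $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
    }
    if ([string]$vol.ProtectionStatus -ne 'On') {
        $issues += 'protection off or suspended'
    }

    if ([string]$vol.VolumeType -eq 'OperatingSystem') {
        if ([string]$vol.EncryptionMethod -ne $ExpectedOsMethod) {
            $issues += "method $($vol.EncryptionMethod), expected $ExpectedOsMethod"
        }
        # Every TPM-based protector type name starts with 'Tpm'.
        if (-not ($protectors -match '^Tpm')) {
            $issues += 'no TPM-based key protector'
        }
    }
    if ($RequireRecoveryPassword -and $protectors -notcontains 'RecoveryPassword') {
        $issues += 'no recovery password protector'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Type       = [string]$vol.VolumeType
        Method     = [string]$vol.EncryptionMethod
        Protectors = $protectors -join ','
        Compliant  = ($issues.Count -eq 0)
        Issues     = $issues -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a scheduled task or remote job flag the device.
if ($report.Compliant -contains $false) { exit 1 }
```

Run it from an elevated PowerShell session on the target device; fixed and removable data volumes are reported with their encryption method but only the operating system drive is compared against $ExpectedOsMethod.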
If you would like to try a convenient way to push BitLocker encryption remotely on your Windows 10 devices, try SureMDM today!