Hexnode’s global user conference is set to raise the roof.

Register Now
30 DAY FREE TRIAL

No Search Results

No Search Results

30 DAY FREE TRIAL
  1. Help Center
  2. Managing Windows 10 Devices
  3. Security

Category filter

How to Manage BitLocker?

BitLocker is Microsoft’s built-in full volume encryption tool for Windows PC that enforces encryption on system drives, fixed data drives, and removable drives for data protection. BitLocker encryption helps prevent unauthorized access to data on lost or stolen devices by encrypting the entire Windows operating system volume on the hard disk and verifying the boot process integrity. When used in conjunction with TPM versions 1.2 and above, BitLocker can validate system files and boot activity. Hexnode UEM enables you to set up and manage BitLocker policy to help you configure encryption and recovery settings on Windows 10 PC.

Notes:

  • Supported on Windows 10 Pro (v1809+), Enterprise and Education editions.
  • The TPM is a microchip added to the machine that runs an authentication check on PC’s hardware, software, and firmware. However, BitLocker encryption is also possible on systems that do not have a TPM, but the user will be prompted to plug in the BitLocker USB key every time the system boots.

Jump To

Configure BitLocker encryption with Hexnode UEM


  1. Log in to your Hexnode MDM portal > Navigate to Policies tab > Click on New Policy to create a new one or click on any policy to edit an existing one > Enter the Policy Name and Description in the provided fields.
  2. Navigate to Windows > Select BitLocker under Security > Click on Configure.
  3. Configure BitLocker settings.
BitLocker Settings Description
Prompt to encrypt storage card Check this option to prompt users to enable storage card encryption on the device.

Note:


Supported only on Windows 10 Mobile and Mobile Enterprise editions.
Prompt for device encryption Check this option to prompt users to encrypt the OS drive.

Manage Windows Bitlocker encryption with Hexnode MDM

Note:


You cannot revert the action once encrypted.
Configure encryption methods for disk drives Select either Enable or Disable to configure the encryption method (XTS-AES or AES CBC) and cipher strength (128 bit or 256 bit) used by BitLocker.

BitLocker uses the default encryption method of AES CBC 128-bit when this option is either Disabled or not configured.

Note:


Changing the encryption method has no effect, if the drive is already encrypted, or if encryption is in progress.
Configure encryption methods for disk drives
Settings Description
Encryption method for operating system drive Select the encryption method for system drives from AES CBC 128, AES CBC 256, XTS-AES 128, XTS-AES 256(Default).

Note:


XTS-AES algorithm is a new disk encryption mode introduced in Windows10 and is recommended for an operating system drive.

Encryption method for fixed data drives Select the encryption method for fixed drives from AES CBC 128, AES CBC 256, XTS-AES 128, XTS-AES 256 (Default).

Note:


XTS-AES algorithm encryption method is considered the best for fixed drives.

Encryption method for removable drives Select the encryption method for removable drives from AES CBC 128, AES CBC 256(Default), XTS-AES 128, XTS-AES 256.

Note:


For removable drives, you should use AES CBC 128 or AES CBC 256 if the drive will be used in other devices that are not running Windows 10, version 1511 or later.

Configure authentication when the computer starts up Select the option Enable/ Disable to configure whether authentication is required each time the computer starts.

This option is set to Select default value when it is either Disabled or not configured.
Configure authentication when the computer starts up
Settings Description
Allow BitLocker without a Trusted Platform Module (TPM) Check whether your device has a compatible TPM (more info).

Select the option Allow to enable users to use BitLocker for devices without a compatible TPM.

This option is set to Select default value when it is either Disallowed or not configured.

Note:


For systems that do not have a TPM, a startup key is required. Startup key is stored in a USB flash drive.

Authenticate with TPM startup key Select the option Required/ Optional to configure authentication with TPM startup key.

By default, authentication with TPM startup key is set to Disallow.
Authenticate with TPM startup PIN Select the option Required/ Optional to configure authentication with TPM startup PIN.

By default, authentication with TPM startup PIN is set to Disallow.
Authenticate with TPM startup key and PIN Select the option Required/ Optional to configure authentication with both TPM startup key and PIN.

By default, authentication with TPM startup key and PIN is set to Disallow.
Enable TPM during startup Choose whether TPM chip is Required/ Optional during startup.

By default, the option is set to Disallow.

Minimum length for BitLocker startup PIN Enter the minimum length for the BitLocker startup PIN.

You can set a value in the range 6 (default) – 20.
Configure pre-boot recovery message Choose either the option Show default recovery message or URL or Show custom recovery message (more info) and URL to configure a recovery message and URL on the pre-boot recovery screen to assist customers in recovering their key.

Choose the option Do not show any message or URL if you do not want to set up a pre-boot recovery message.

This option is set to Select default value when it is not configured.

Note:


On choosing the option Show default recovery message and URL, the following message and URL will be displayed on the pre-boot recovery screen:
Enter the recovery key for this drive.

For more information on how to retrieve this key:

https://support.microsoft.com/en-gb/help/4026181/windows-10-find-my-bitlocker-recovery-key
Configure recovery options for system drives Enable the option to recover the encrypted system drives in the absence of the required startup key information.
Configure recovery options for system drives
Settings Description
Use data recovery agents with BitLocker-enabled OS drive Check this option to enable a Data Recovery Agent (DRA) to be used with BitLocker-protected operating system drives.

Notes:
  • Data recovery agents are individuals who can use their credentials to unlock the drive.
  • The OS drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
  • To use DRA for BitLocker, it must be added from the Public Key Policies item to either the Group Policy Management Console or the Local Group Policy Editor.
Generate recovery password Check this option to enable users to generate a 48-digit recovery password.
Generate recovery key Enable the option so that the system will generate a 256-bit recovery key and is stored in an external USB device.
Hide recovery options from BitLocker setup wizard Tick this box to prevent users from specifying recovery options when they enable BitLocker on a drive through a setup wizard.
Save BitLocker info on OS drives to Azure AD DS Check this option to store the BitLocker recovery information on OS drives to Azure Active Directory Domain Services.

Note:
  • The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in the Active Directory.
  • If Enable TPM during startup is set as ‘Required’ and the recovery information is generated, it is advised to save BitLocker info to Azure AD DS. It would prevent losing access to the drive if TPM is damaged and recovery info is lost.
Select recovery information to be stored in Azure AD DS Select the value Store recovery passwords and key packages or Store recovery passwords only from the drop-down to configure the type of recovery information to be stored in Azure AD DS.

Note:


Key packages are secured by one or more recovery passwords, and it can help perform specialized recovery even when the disk is damaged or corrupted.
The key packages cannot be used without the corresponding recovery password.

Disable BitLocker until OS drive recovery information is stored in Azure AD DS Check this box to disable BitLocker until recovery information is stored to Azure AD DS.

Configure recovery options for fixed drives Check this option to recover the encrypted fixed drives in the absence of required credentials.
Configure recovery options for fixed drives
Settings Description
Use data recovery agents with BitLocker-protected fixed data drive Check this option to enable a Data Recovery Agent (DRA) to be used with BitLocker-protected fixed drives.
Generate recovery password Check this option to enable users to generate a 48-digit recovery password.
Generate recovery key Check this option if you want the system to auto generate a 256-bit recovery key. This key should be stored in an external USB drive.
Show recovery options in BitLocker setup wizard Enable the option to show fixed drives recovery options on the setup wizard.
Save BitLocker info on fixed data drives to Azure AD DS Enable this field to store the BitLocker recovery information on fixed data drives to Azure Active Directory Domain Services.
Note:


If Enable TPM during startup is set as ‘Required’ and the recovery information is generated, it is advised to save BitLocker info to Azure AD DS. It would prevent losing access to the drive if TPM is damaged and recovery info is lost.
Select recovery information to be stored in Azure AD DS Select the value Store recovery passwords and key packages or Store recovery passwords only from the drop-down to configure the type of recovery information to be stored in Azure Active Directory Domain Services.
Disable BitLocker until fixed drive recovery information is stored in Azure AD DS Enable this option to prevent users from enabling BitLocker unless the computer backs up the fixed data drive recovery information to Azure Active Directory Domain Services.


Drive encryption recovery key for Windows 10 PC
Fixed drives require encryption Tick the box to make it mandatory to turn on encryption to write data to a fixed data drive.

Note:


If the drive is left unencrypted, the user will have read-only access to the drive.
Removable drives require encryption Check the box to make it mandatory to turn on encryption to write data to a removable data drive.

Note:


If the drive is left unencrypted, the user will have read-only access to the drive.

How to create a custom recovery message and URL for Bitlocker encrypted PCs?


  1. Log in to your Hexnode MDM portal > Admin > General Settings.
  2. Enter a Custom Message and URL under Windows Custom Recovery Message.
Note:


Not all characters and languages are supported in the pre-boot environment. So, verify the correct appearance of the characters that you use for the custom recovery message and URL on the pre-boot recovery screen.

How to check whether your device has a compatible TPM?

Method 1

  1. Press Win+R and open Run > Type tpm.msc > Click OK to open the TPM Management snap-in console.
  2. It will show whether your device has a compatible TPM or not.

Method 2

  1. Press Win+R and open Run > Type tpm.msc > Click OK to open the Device Manager.
  2. Check to see if you have Security devices listed. If yes, expand Security devices to see if you can see a TPM with its version number.

Method 3

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details.

Apply the BitLocker Configuration to target entities using Hexnode UEM

There are two ways by which you can associate restrictions to the devices in bulk.

If you haven’t saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search and select the required device(s) to which you need to apply the policy > Click OK.
  3. Click on Save to apply the policies to the devices.
Note:


To associate the policies to a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy to Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and taken to the page which displays the policy list,

  1. Select the required policy.
  2. Click on Manage > select Associate Targets.
  3. Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy. Click Associate.

Note:


Once the BitLocker policy is applied to your Windows PC, fixed data drives and removable data drives become write-protected (if the appropriate options are checked) until the BitLocker encryption is completed from the user end.

block disk write on system and removable data drives







Possible Group policy conflicts

  1. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required.
    Group policy conflict during encryption initiation
  2. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted.
  3. When OS drive is to be encrypted, if the device has no compatible TPM, “Allow BitLocker without a compatible TPM” should be checked.
    Trusted Platform Module compatibility issue
  4. You cannot create both a recovery key and a recovery password at the same time.
    Recovery password and key cannot be created together
  5. If one startup authentication method is required, the other method cannot be allowed. If you require the startup key, you must not allow the startup PIN and vice versa.
  6. If the Deny write access to removable drives not protected by BitLocker policy setting is enabled, the option to generate recovery key must be disallowed.
  7. Backup of BitLocker recovery information to AD DS must be enabled if both the recovery options are disallowed.
Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Managing Windows 10 Devices