Category filter

How to force BitLocker encryption on Windows with Hexnode UEM?

BitLocker is Microsoft’s native device encryption software, developed to protect data by enforcing encryption of OS drives, fixed data drives, and removable drives on Windows devices. With Hexnode’s BitLocker encryption policy, administrators can configure encryption and recovery settings for the devices. However, the policy only prompts the user to encrypt the device. By executing the Force BitLocker Encryption action, admins can encrypt the OS drive with a PIN or password remotely, ensuring the system drive is safe and secure.


It is recommended to deploy the BitLocker encryption policy before executing this action to ensure encryption with preferred configurations.

Force BitLocker Encryption on OS drive

You can follow the steps given below to force encrypt the OS drive on the Windows device.

  1. From your Hexnode portal, navigate to the Manage tab and select your device.
  2. Click on Actions > Force BitLocker Encryption.
  3. You can choose whether to encrypt the entire drive or just the used space.
    • Encrypt used disk space: This option is recommended when setting up BitLocker on a new drive or new PC, as this encrypts the part of the drive currently being used. BitLocker will encrypt any new data automatically added thereafter.
    • Encrypt entire drive: This option is recommended when setting up BitLocker on a drive that is already in use, as encrypting the entire drive ensures that all data is protected, i.e., even the data that has been deleted. This offers more security as the drive might hold info that can be used to retrieve the deleted data using third-party tools.
  4. TPM Startup PIN: Provide a PIN to be used to unlock the drive every time the system is rebooted. You must provide a 6-20 digit PIN as per the Minimum PIN length set in the BitLocker policy.
  5. Notes:

    • Startup PIN must be selected in the BitLocker policy under OS Drive Settings > Configure additional startup authentication settings > Allow Options/Required Options for the PIN to be set.
    • In case a BitLocker policy is not set, the device must be configured manually to allow/require a startup PIN. To configure, follow the given steps:
      1. Click Windows+R on the Windows device to launch Run command window.
      2. Type gpedit.msc and click on OK.
      3. In the Local Group Policy Editor window, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Device Encryption > Operating System Drives.
      4. Click and open “Require additional authentication at startup”.
      5. Click on Enabled.
      6. From the provided options, ensure that “Configure TPM startup PIN:”, is set to either “Allow startup PIN with TPM” or “Require startup PIN with TPM”.
      7. Click on OK.

  6. Fallback Password: Provide a password to be used to unlock the drive on devices that do not have a supported TPM. In such cases, the drive will be encrypted with the Fallback Password instead of the TPM Startup PIN. You must provide a password with at least 8 characters to proceed with the action.
  7. Mandate and escrow a recovery password: Check this option to ensure that a recovery password is generated and escrowed to your portal. The recovery password can then be viewed on the portal under the details for the encrypted system drive at Device Summary > Hardware Info tab for the device.

    If unchecked, the device may not generate a recovery password. In such a case, the BitLocker recovery may fail if the PIN or password is lost. It is recommended to uncheck this option only if the recovery password/key can be manually obtained from the device.

    Check escrowed Recovery Password on the portal
  8. Click on Proceed.


  • To execute the action, please ensure the following while configuring the policy.
    • The Startup key must not be set under “Required Options” for the additional startup authentication settings in the BitLocker policy
    • The recovery key must not be set as a required option for the recovery options in the BitLocker encryption policy.
  • Please save the provided TPM Startup PIN and Fallback Password for unlocking the device. Hexnode UEM can only retrieve the recovery password that can be used to recover the device if the PIN or password is lost.

What happens at the device end?

BitLocker is enabled for the OS drive on the device based on the configurations set in the BitLocker policy. If no BitLocker policy is associated with the device, the drive is encrypted using the device’s default BitLocker configurations. The user can check the same on the device by navigating to Control Panel > System and Security > BitLocker Drive Encryption.

Check encryption statues of the OS drive on the device
  • Remote Actions