
How to Manage BitLocker with Hexnode MDM

BitLocker is Microsoft’s built-in full volume encryption tool for Windows PCs that enforces encryption on system drives, fixed data drives, and removable drives for data protection. BitLocker helps prevent unauthorized access to data on lost or stolen devices by encrypting the entire Windows operating system volume on the hard disk and verifying the integrity of the boot process. When used in conjunction with TPM version 1.2 or later, BitLocker can validate system files and boot activity. Hexnode MDM lets you set up BitLocker and configure the encryption settings for the operating system drive, fixed data drives, and removable data drives on Windows 10 PCs.

Notes

  • Supported on Windows 10 Pro (v1809+), Enterprise and Education editions.
  • The TPM is a microchip on the machine that runs an authentication check on the PC’s hardware, software, and firmware. BitLocker encryption is also possible on systems that do not have a TPM, but the user will then be prompted to plug in the BitLocker USB key every time the system boots.

Configure BitLocker encryption with Hexnode MDM

  1. Log in to your Hexnode MDM portal > Navigate to the Policies tab > Click on New Policy to create a new policy or click on an existing policy to edit it > Enter the Policy Name and Description in the provided fields.
  2. Navigate to Windows > Select BitLocker under Security > Click on Configure.
  3. Configure the BitLocker settings described below.
BitLocker settings

Prompt to encrypt storage card: Enable the option Prompt to encrypt storage card to prompt users to enable storage card encryption on the device.

Note

Supported only on Windows 10 Mobile and Mobile Enterprise editions.

Prompt for device encryption: Enable the option Prompt for device encryption to prompt users to encrypt the OS drive.

Note

You cannot revert the action once the drive is encrypted.

Configure encryption methods for disk drives: Select Enable or Disable to configure the encryption method (XTS-AES or AES CBC) and cipher strength (128-bit or 256-bit) used by BitLocker.

BitLocker uses its default encryption method, AES CBC 128-bit, when this option is either Disabled or not configured.

Note

Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.

Configure encryption methods for disk drives: settings

Encryption method for operating system drive: Select the encryption method for system drives from AES CBC 128, AES CBC 256, XTS-AES 128, or XTS-AES 256 (default).

Note

XTS-AES is a disk encryption mode introduced in Windows 10 and is recommended for the operating system drive.

Encryption method for fixed data drives: Select the encryption method for fixed drives from AES CBC 128, AES CBC 256, XTS-AES 128, or XTS-AES 256 (default).

Note

The XTS-AES encryption method is considered the best choice for fixed drives.

Encryption method for removable drives: Select the encryption method for removable drives from AES CBC 128, AES CBC 256 (default), XTS-AES 128, or XTS-AES 256.

Note

For removable drives, use AES CBC 128 or AES CBC 256 if the drive will be used on other devices that are not running Windows 10, version 1511 or later.

Configure authentication when the computer starts up: Select Enable or Disable to configure whether authentication is required each time the computer starts.

This option is set to Select default value when it is either Disabled or not configured.

Configure authentication when the computer starts up: settings

Allow BitLocker without a Trusted Platform Module (TPM): First check whether your device has a compatible TPM (see "How to check whether your device has a compatible TPM?" below).

Select Allow to let users use BitLocker on devices without a compatible TPM.

This option is set to Select default value when it is either Disallowed or not configured.

Note

For systems that do not have a TPM, a startup key is required. The startup key is stored on a USB flash drive.

Authenticate with TPM startup key: Select Required or Optional to configure authentication with a TPM startup key.

By default, authentication with a TPM startup key is set to Disallow.

Authenticate with TPM startup PIN: Select Required or Optional to configure authentication with a TPM startup PIN.

By default, authentication with a TPM startup PIN is set to Disallow.

Authenticate with TPM startup key and PIN: Select Required or Optional to configure authentication with both a TPM startup key and a PIN.

By default, authentication with a TPM startup key and PIN is set to Disallow.

Enable TPM during startup: Choose whether the TPM chip is Required or Optional during startup.

By default, the option is set to Disallow.

Minimum length for BitLocker startup PIN: Enter the minimum length for the BitLocker startup PIN.

You can set a value in the range 6 (default) to 20.

Configure pre-boot recovery message: Choose either Show default recovery message and URL or Show custom recovery message and URL (see "How to create a custom recovery message and URL?" below) to configure a recovery message and URL on the pre-boot recovery screen that helps users recover their key.

Choose the option Do not show any message or URL if you do not want to set up a pre-boot recovery message.

This option is set to Select default value when it is not configured.

Note

On choosing the option Show default recovery message and URL, the following message and URL are displayed on the pre-boot recovery screen:

Enter the recovery key for this drive.

For more information on how to retrieve this key:
https://support.microsoft.com/en-gb/help/4026181/windows-10-find-my-bitlocker-recovery-key

Configure recovery options for system drives: Enable the option Configure recovery options for system drives to allow recovery of encrypted system drives when the required startup key information is unavailable.

Configure recovery options for system drives: settings

Use data recovery agents with BitLocker-enabled OS drive: Select this option to enable a Data Recovery Agent (DRA) to be used with BitLocker-protected operating system drives.

Note

  • Data recovery agents are individuals who can use their credentials to unlock the drive.
  • The OS drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
  • To use a DRA with BitLocker, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor.

Generate recovery password: Select this option to let users generate a 48-digit recovery password.

Generate recovery key: Select this option so that the system generates a 256-bit recovery key, which is stored on an external USB device.

Hide recovery options from BitLocker setup wizard: Select this option to prevent users from specifying recovery options when they enable BitLocker on a drive through the setup wizard.

Save BitLocker info on OS drives to Azure AD DS: Select this option to store the BitLocker recovery information for OS drives in Azure Active Directory Domain Services.

Note

The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.

Select recovery information to be stored in Azure AD DS: Select either Store recovery passwords and key packages or Store recovery passwords only to configure the type of recovery information stored in Azure AD DS.

Note

Key packages are secured by one or more recovery passwords, and they make specialized recovery possible even when the disk is damaged or corrupted. A key package cannot be used without its corresponding recovery password.

Disable BitLocker until OS drive recovery information is stored in Azure AD DS: Select this option to keep BitLocker disabled until the recovery information has been stored in Azure AD DS.

Configure recovery options for fixed drives: Enable the option Configure recovery options for fixed drives to allow recovery of encrypted fixed drives when the required credentials are unavailable.

Configure recovery options for fixed drives: settings

Use data recovery agents with BitLocker-protected fixed data drive: Select this option to enable a Data Recovery Agent (DRA) to be used with BitLocker-protected fixed drives.

Generate recovery password: Select this option to let users generate a 48-digit recovery password.

Generate recovery key: Select this option so that the system generates a 256-bit recovery key, which is stored on an external USB device.

Show recovery options in BitLocker setup wizard: Select this option to show the fixed-drive recovery options in the setup wizard.

Save BitLocker info on fixed data drives to Azure AD DS: Select this option to store the BitLocker recovery information for fixed data drives in Azure Active Directory Domain Services.

Select recovery information to be stored in Azure AD DS: Select either Store recovery passwords and key packages or Store recovery passwords only to configure the type of recovery information stored in Azure Active Directory Domain Services.

Disable BitLocker until fixed drive recovery information is stored in Azure AD DS: Select this option to prevent users from enabling BitLocker unless the computer has backed up the fixed data drive recovery information to Azure Active Directory Domain Services.

Fixed drives require encryption: Enable this option to make encryption mandatory before data can be written to a fixed data drive.

Note

If the drive is left unencrypted, the user has read-only access to it.

Removable drives require encryption: Enable this option to make encryption mandatory before data can be written to a removable data drive.

Note

If the drive is left unencrypted, the user has read-only access to it.

How to create a custom recovery message and URL?

  1. Log in to your Hexnode MDM portal > Admin > General Settings.
  2. Enter a Custom Message and URL under Windows Custom Recovery Message.

Note

Not all characters and languages are supported in the pre-boot environment, so verify that the characters you use in the custom recovery message and URL appear correctly on the pre-boot recovery screen.

How to check whether your device has a compatible TPM?

Method 1

  1. Press Win+R and open Run > Type tpm.msc > Click OK to open the TPM Management snap-in console.
  2. It will show whether your device has a compatible TPM or not.

Method 2

  1. Press Win+R and open Run > Type tpm.msc > Click OK to open the Device Manager.
  2. Check to see if you have Security devices listed. If yes, expand Security devices to see if you can see a TPM with its version number.

Method 3

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details.
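The same TPM and BitLocker state can be read with built-in cmdlets, which is useful for confirming on a managed PC that the pushed policy (encryption method, startup protectors, recovery protectors) actually took effect. This is an added example and not Hexnode's code; it assumes an elevated PowerShell session on Windows 10 with the BitLocker and TrustedPlatformModule modules present.

```powershell
# Added example (not from Hexnode's documentation): verify TPM and BitLocker state
# on a Windows 10 PC after the MDM policy has been applied. Run elevated.

# 1. TPM presence and readiness (the same information tpm.msc displays)
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
[pscustomobject]@{
    TpmPresent  = $tpm.TpmPresent
    TpmReady    = $tpm.TpmReady
    SpecVersion = $tpmInfo.SpecVersion   # e.g. "2.0, 0, 1.38"; BitLocker needs 1.2 or later
}

# 2. Per-volume BitLocker state: encryption method and which key protectors exist
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Drive      = $_.MountPoint
        Type       = $_.VolumeType          # OperatingSystem or Data
        Method     = $_.EncryptionMethod    # e.g. XtsAes256, XtsAes128, Aes128
        Status     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        Protection = $_.ProtectionStatus    # On or Off
        Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')  # Tpm, TpmPin, RecoveryPassword, ExternalKey, ...
    }
} | Format-Table -AutoSize

# 3. What to expect from the policy choices described above:
#    "Authenticate with TPM startup PIN: Required"  -> Protectors include TpmPin
#    "Generate recovery password"                   -> Protectors include RecoveryPassword
#    "Generate recovery key"                        -> Protectors include ExternalKey
#    OS drive with the default method               -> Method is XtsAes256
```

A drive that still shows Protection = Off or Status = FullyDecrypted after the policy was associated has not completed encryption from the user end yet.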

Apply the BitLocker Configuration to Devices/Groups

There are two ways to associate the policy with devices in bulk.

Method 1

If you haven’t saved the policy yet:

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, search for and select the required device(s) to which you need to apply the policy > Click OK.
  3. Click on Save to apply the policy to the devices.

Note

To associate the policy with a device group, select Device Groups from the left pane under Policy Targets and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

Method 2

If you’ve already saved the policy and have been taken to the page that displays the policy list:

  1. Select the required policy.
  2. Click on Manage > select Associate Targets.
  3. Select Device/ User/ Device Group/ User Group/ Domain.
  4. Search for and select the device(s)/ user(s)/ device group(s)/ user group(s)/ domain(s) to which you need to apply the policy > Click Associate.

Note

Once the BitLocker policy is applied to your Windows PC, fixed data drives and removable data drives become write-protected (if the corresponding options are checked) until the user completes BitLocker encryption.

Possible Group policy conflicts

  1. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required.
  2. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted.
  3. When the OS drive is to be encrypted and the device has no compatible TPM, “Allow BitLocker without a compatible TPM” must be checked.
  4. You cannot create both a recovery key and a recovery password at the same time.
  5. If one startup authentication method is required, the other method cannot be allowed. If you require the startup key, you must not allow the startup PIN, and vice versa.
  6. If the Deny write access to removable drives not protected by BitLocker policy setting is enabled, the option to generate a recovery key must be disallowed.
  7. Backup of BitLocker recovery information to AD DS must be enabled if both the recovery options are disallowed.
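The seven rules above can be checked before a draft policy is pushed, so that a conflicting combination is caught in review rather than on the endpoints. The following is an added example and not Hexnode's code; the hashtable keys are assumed names that mirror the portal options, and the sample values are constructed.

```powershell
# Added example (not Hexnode's code): pre-flight check of a planned BitLocker policy
# against the seven Group Policy conflict rules listed above.
# Hashtable keys are assumed names mirroring the portal options; values are constructed.
function Test-BitLockerPolicyConflict {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $c = @()
    $anyWriteDenied = $Policy.FixedDrivesRequireEncryption -or $Policy.RemovableDrivesRequireEncryption

    # Rule 1: write access denied on unprotected drives => a USB startup key cannot be required
    if ($anyWriteDenied -and $Policy.TpmStartupKey -eq 'Required') {
        $c += 'Rule 1: startup key cannot be Required while unprotected drives are write-protected'
    }
    # Rule 2: AD DS storage cannot be required when recovery passwords are not generated
    if ($Policy.DisableUntilStoredInAdDs -and -not $Policy.GenerateRecoveryPassword) {
        $c += 'Rule 2: "Disable BitLocker until ... stored in Azure AD DS" needs "Generate recovery password"'
    }
    # Rule 3: encrypting the OS drive on a TPM-less device needs "Allow BitLocker without a compatible TPM"
    if ($Policy.PromptForDeviceEncryption -and -not $Policy.DeviceHasTpm -and -not $Policy.AllowWithoutTpm) {
        $c += 'Rule 3: device has no TPM; check "Allow BitLocker without a compatible TPM"'
    }
    # Rule 4: recovery key and recovery password cannot both be generated at the same time
    if ($Policy.GenerateRecoveryKey -and $Policy.GenerateRecoveryPassword) {
        $c += 'Rule 4: choose either recovery key or recovery password, not both'
    }
    # Rule 5: when one startup method is Required, the other may not even be Optional
    if (($Policy.TpmStartupKey -eq 'Required' -and $Policy.TpmStartupPin -ne 'Disallow') -or
        ($Policy.TpmStartupPin -eq 'Required' -and $Policy.TpmStartupKey -ne 'Disallow')) {
        $c += 'Rule 5: when one startup method is Required the other must be Disallow'
    }
    # Rule 6: write denial on unprotected removable drives => recovery key must be disallowed
    if ($Policy.RemovableDrivesRequireEncryption -and $Policy.GenerateRecoveryKey) {
        $c += 'Rule 6: "Removable drives require encryption" conflicts with "Generate recovery key"'
    }
    # Rule 7: if neither recovery option is allowed, backup to AD DS must be enabled
    if (-not $Policy.GenerateRecoveryKey -and -not $Policy.GenerateRecoveryPassword -and -not $Policy.SaveToAdDs) {
        $c += 'Rule 7: with both recovery options disallowed, "Save BitLocker info ... to Azure AD DS" is mandatory'
    }
    return ,$c
}

# Constructed sample: a draft for a TPM-less laptop that trips rules 1, 3 and 5
$draft = @{
    DeviceHasTpm = $false; AllowWithoutTpm = $false; PromptForDeviceEncryption = $true
    TpmStartupKey = 'Required'; TpmStartupPin = 'Optional'
    GenerateRecoveryPassword = $true; GenerateRecoveryKey = $false
    SaveToAdDs = $true; DisableUntilStoredInAdDs = $true
    FixedDrivesRequireEncryption = $true; RemovableDrivesRequireEncryption = $false
}
Test-BitLockerPolicyConflict -Policy $draft
```

An empty result means the draft passes all seven rules; otherwise each returned line names the rule and the portal options to reconcile.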