How to manage BitLocker?

BitLocker is Microsoft’s built-in full volume encryption tool for Windows PCs that enforces encryption on OS drives, fixed data drives, and removable drives to protect data. BitLocker encryption helps prevent unauthorized access to data on lost or stolen devices by encrypting the entire Windows operating system volume on the hard disk and verifying the integrity of the boot process. When used in conjunction with TPM versions 1.2 and above, BitLocker can validate system files and boot activity. The Device encryption feature on Windows devices automatically activates BitLocker on Windows 10 or later. This automatic activation occurs when a user signs in for the first time with a personal Microsoft account or a work/school account; Device encryption is the mechanism that turns BitLocker on at that sign-in, so users do not have to enable encryption manually. Hexnode UEM enables you to set up and manage a BitLocker policy to configure encryption and recovery settings on Windows devices remotely.

Notes:

  • Supported on:
    • Windows 10 Pro, Enterprise, and Education editions.
    • Windows 11 Pro, Enterprise, and Education editions.
  • The TPM is a microchip added to the machine that runs an authentication check on the PC’s hardware, software, and firmware. However, BitLocker encryption is also possible on systems that do not have a TPM, but the user will be prompted to plug in the BitLocker USB key every time the system boots.
  • The BitLocker policy, when deployed, can only prompt the user to encrypt the device. To remotely encrypt the OS drives with the associated policy configuration, use the Force BitLocker Encryption action.

Configure BitLocker encryption with Hexnode UEM

  1. Log in to your Hexnode UEM portal. Navigate to the Policies tab. Click on New Policy to create a new one, or click on any policy to edit an existing one. Enter the Policy Name and Description in the provided fields.
  2. Navigate to Windows > Select BitLocker under Security.
  3. Click on Configure.
  4. Configure BitLocker settings.
  5. Manage BitLocker encryption in Hexnode.

BitLocker Settings

Require encryption for OS and fixed data drives – Tick this option to make it a compliance requirement to turn on encryption for writing data to OS and fixed drives.

If the drives are left unencrypted, the device is marked non-compliant in the Hexnode portal.

Note:

The BitLocker compliance check does not function for devices enrolled via Native Enrollment. So even if the OS and fixed drives are unencrypted, those devices won’t be marked as non-compliant in the portal.

Hide warning about existing third-party encryption – Check this option to disable the BitLocker setup wizard warning and the prompt to confirm that no third-party encryption is present.

Escrow recovery password to Hexnode UEM – Check this option to retrieve the BitLocker recovery password from the device and store it in the UEM console, under Manage > Device Summary > Hardware Info.

Note:

Deploying a BitLocker policy with this option enabled on a manually encrypted device will still escrow the recovery password to the UEM console.

Recovery Password rotation

Recovery Password rotation – Configure this option to automatically rotate the recovery password for operating system and fixed drives once it has been used to unlock the drive. This feature is only effective if Active Directory backup of the recovery password is enforced:

For OS drives: within the BitLocker policy, enable Do not enable BitLocker until recovery information is stored in AD DS under OS Drive Settings > Configure BitLocker OS drive policy > Configure recovery options.

Configure OS drive settings for the BitLocker policy.

For fixed drives: within the BitLocker policy, enable Do not enable BitLocker until recovery information is stored in AD DS under Fixed Drive Settings > Configure BitLocker fixed drive policy > Configure recovery options.

How to manage fixed drive settings for BitLocker encryption.

Configure Recovery Password rotation

Options to configure the settings for recovery password rotation in the BitLocker policy.

Note:

Configuring the Recovery Password rotation option for devices not connected to Microsoft Entra ID will result in the failure of the BitLocker policy.

Not Configured – The configuration will not take effect on the devices, and they will keep operating as per their default behavior.

Do not rotate Recovery Password – Choosing this option keeps the recovery password unchanged for operating system and fixed drives after it has been used to unlock the drive.

Rotate Recovery Password for Microsoft Entra joined devices – Selecting this option rotates the recovery password for devices enrolled via Microsoft Entra ID.

Rotate Recovery Password for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices – Selecting this option rotates the recovery password for devices enrolled through both Microsoft Entra ID and Microsoft Entra ID hybrid.

OS Drive Settings

Configure BitLocker OS drive policy – Enable the option to configure the BitLocker OS drive settings.

Configure BitLocker OS drive policy

Options to configure the settings for OS drives in the BitLocker policy.

Configure encryption method – Configure the encryption method (XTS-AES or AES CBC) and cipher strength (128-bit or 256-bit) used by BitLocker for operating system drives. Choose one of AES CBC 128, AES CBC 256, XTS-AES 128, or XTS-AES 256.

BitLocker uses the default encryption method of XTS-AES 128-bit when this option is not configured.

Note:

  • Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.
  • If you have specified the encryption method for the OS drive, you must do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.

Configure additional startup authentication settings – Enable the option to configure whether BitLocker requires additional authentication at system startup to provide added protection for encrypted data.

Configure additional startup authentication settings

Allow BitLocker to be activated on devices without a compatible TPM – Tick this option to enable users to configure BitLocker on a device without a compatible TPM. To check whether your device has a compatible TPM, see How to check whether your device has a compatible TPM? below.

If the option is disabled and the device does not contain a compatible TPM, encrypting the device using the ‘Force BitLocker Encryption’ remote action will fail.

Note:

For systems that do not have a TPM, either a fallback password or a startup key is required at startup. The startup key is stored on a USB flash drive.

Configure advanced authentication options for devices with compatible TPM – Configure the additional authentication requirements, including the use of the Trusted Platform Module (TPM) or startup PIN requirements.
  • Allow options: The user can choose whether to configure additional authentication using the allowed options.
    1. TPM startup – BitLocker can use TPM, if present.
    2. Startup PIN – BitLocker uses the TPM, if present, and allows a 6- to 20-digit startup PIN to be configured by the user.
    3. Startup Key – BitLocker uses the TPM, if present, and allows a startup key (stored in an inserted USB drive) to be present to unlock the drives.

    The unchecked options are denied.

  • Required Options: The user is forced to set up the authentication method from the following options.
    1. TPM startup – BitLocker uses TPM, if present.
    2. Startup PIN – BitLocker uses the TPM, if present, and requires a startup PIN to be configured by the user.
    3. Startup Key – BitLocker uses the TPM, if present, and requires a startup key (stored in an inserted USB drive) to be used to unlock the drives.

    The unchecked options are denied.

Exception:

Microsoft Surface tablets do not support the use of the Startup PIN. So, when a policy is applied with Startup PIN enabled under Allow Options/Required Options, executing the Force BitLocker Encryption action will fail with the error message:

“No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. (Exception from HRESULT: 0x803100B5).”

Minimum PIN length – Enter the minimum startup PIN length if TPM and PIN are required during BitLocker enablement.

You can set a value in the range 6 (default) to 20 digits.

Configure pre-boot recovery message and URL – Check this option to configure a custom pre-boot recovery message and URL to guide users on how to find their recovery password. The recovery message and URL are shown to the user when they are locked out of their PC in recovery mode.

Note:

Leaving both the Recovery message and Recovery URL fields blank makes the system use its default recovery message and URL.

Configure recovery options – Enable this setting to configure additional options for the recovery of encrypted OS drives in the absence of the required startup key information.

Note:

If this option has not been enabled when deploying the policy and the end user is locked out of the device without the recovery information, there is no way to use the device again other than wiping the drive and reinstalling the OS.

Make sure you enable Escrow recovery password to Hexnode UEM while configuring the BitLocker policy so that the recovery password can still be retrieved from the UEM console.

Configure recovery options

Users must generate a recovery key or password – Specify whether the user is required to generate a 48-digit recovery password or insert a USB flash drive containing a 256-bit recovery key. The options include:
  • Only Recovery Key
  • Only Recovery Password
  • Both Recovery Key and Password
  • Recovery Key, Password or both

Save BitLocker recovery information to Active Directory Domain Services (AD DS) – Configure this option to store the BitLocker recovery information for OS drives in Active Directory Domain Services. (This includes both Azure AD and on-premises AD; depending on the connection, the appropriate directory will be used.) Available options include:
  • Password Only – Only the recovery password is stored in AD DS. The recovery key packages might not be accessible when needed.
  • Password and Key – Both the BitLocker recovery password and key package are stored in AD DS.
  • Disable – BitLocker recovery information is not backed up to AD DS.

Notes:
  • To see the BitLocker recovery information, administrative roles within Azure AD need the microsoft.directory/bitlockerKeys/key/read permission. For more information on which Azure AD roles have which permissions, see Azure AD role descriptions.
  • The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
  • If TPM startup is set as the required option under Configure advanced authentication options for devices with compatible TPM and recovery information is generated, it is advised to save the BitLocker information to AD DS. This prevents losing access to the drive if the TPM is damaged and the recovery information is lost.

Block certificate-based data recovery agent – Check this option to block the ability to use a Data Recovery Agent (DRA) to recover BitLocker-protected operating system drives.

Notes:
  • Data recovery agents are individuals who can use their credentials to unlock the drive.
  • The OS drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
  • To use a DRA for BitLocker, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor.

Hide recovery options on the device – Tick this option to prevent users from specifying extra recovery options, such as printing recovery keys, when they enable BitLocker on an OS drive through the setup wizard.

Do not enable BitLocker until recovery information is stored in AD DS – Check this option to prevent BitLocker from being enabled unless the computer is connected to a domain and the backup of BitLocker recovery information to AD DS succeeds.
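The two AD DS settings above (and the same two under Fixed Drive Settings further down) only work if each volume actually has a recovery password protector and that protector gets backed up. As an added example, not Hexnode's or Microsoft's code, the PowerShell function below verifies this on a device: it adds a recovery password protector where one is missing and backs it up to AD DS or Microsoft Entra ID according to the device's join state. The function name is my own; it assumes an elevated session on Windows 10/11 with the in-box BitLocker module and dsregcmd.

```powershell
# Added example (not Hexnode's code): ensure every protected volume has a
# 48-digit recovery password protector and that it is escrowed to the directory
# the device is joined to (AD DS via Backup-BitLockerKeyProtector, Entra ID via
# BackupToAAD-BitLockerKeyProtector). Run from an elevated PowerShell session.
function Backup-BitLockerRecoveryPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Volumes to handle; default is every BitLocker volume with protection on.
        [string[]]$MountPoint = (Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On').MountPoint
    )

    # Join state from dsregcmd: the DomainJoined / AzureAdJoined lines read "YES" or "NO".
    $ds = dsregcmd /status
    $domainJoined = [bool]($ds -match 'DomainJoined\s*:\s*YES')
    $entraJoined  = [bool]($ds -match 'AzureAdJoined\s*:\s*YES')

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # No recovery password yet: add one. This is the "Password" the policy's
        # recovery options refer to; a recovery *key* would be a separate
        # -RecoveryKeyProtector written to a USB drive.
        if ($rp.Count -eq 0 -and $PSCmdlet.ShouldProcess($mp, 'Add RecoveryPassword protector')) {
            $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
            $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        foreach ($p in $rp) {
            $result = [ordered]@{ MountPoint = $mp; KeyProtectorId = $p.KeyProtectorId; BackedUpTo = @() }
            # Backup-BitLockerKeyProtector stores the recovery password on the
            # computer object in AD DS; it needs the recovery password's protector ID.
            if ($domainJoined -and $PSCmdlet.ShouldProcess($mp, "Back up $($p.KeyProtectorId) to AD DS")) {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
                $result.BackedUpTo += 'AD DS'
            }
            if ($entraJoined -and $PSCmdlet.ShouldProcess($mp, "Back up $($p.KeyProtectorId) to Entra ID")) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
                $result.BackedUpTo += 'Microsoft Entra ID'
            }
            if ($result.BackedUpTo.Count -eq 0) {
                # Nothing to back up to: the Recovery Password rotation note above applies here too.
                $result.BackedUpTo = 'none (device is neither domain nor Entra joined)'
            }
            [pscustomobject]$result
        }
    }
}

# Usage: preview the actions first, then run for real and show what was escrowed where.
Backup-BitLockerRecoveryPasswords -WhatIf
Backup-BitLockerRecoveryPasswords | Format-Table -AutoSize
```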

Fixed Drive Settings

Configure BitLocker fixed drive policy – Enable this option to configure the BitLocker fixed drive settings.

Configure BitLocker fixed drive policy

Options to configure the settings for fixed drives in the BitLocker policy.

Configure encryption method – Configure the algorithm and cipher strength used by BitLocker Drive Encryption for fixed drives. Choose one of AES CBC 128, AES CBC 256, XTS-AES 128, or XTS-AES 256.

BitLocker uses the default encryption method of XTS-AES 128-bit when this option is not configured.

Note:

  • Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.
  • If you have specified the encryption method for fixed drives, you must do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.

Block access to drives not protected by BitLocker – Deny write access to fixed drives that are not BitLocker-protected. If a fixed drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted.
Configure recovery options – Enable this option to configure the recovery of encrypted fixed drives in the absence of the required credentials.

Note:

If this option has not been enabled when deploying the policy and the end user is locked out of the device without the recovery information, there is no way to use the device again other than wiping the drive and reinstalling the OS.

Make sure you enable Escrow recovery password to Hexnode UEM while configuring the BitLocker policy so that the recovery password can still be retrieved from the UEM console.

Configure recovery options

Users must generate a recovery key or password – Specify whether users are required to generate a 48-digit recovery password or a 256-bit recovery key. The options include:
  • Only Recovery Key
  • Only Recovery Password
  • Both Recovery Key and Password
  • Recovery Key, Password or both

Save BitLocker recovery information to Active Directory Domain Services (AD DS) – Configure this option if you want to store the BitLocker recovery information for fixed data drives in Active Directory Domain Services. (This includes both Azure AD and on-premises AD; depending on the connection, the appropriate directory will be used.) Available options include:
  • Password Only – Only the recovery password is stored in AD DS. The recovery key packages might not be accessible when needed.
  • Password and Key – Both the BitLocker recovery password and key package are stored in AD DS.
  • Disable – BitLocker recovery information is not backed up to AD DS.

Notes:
  • To see the BitLocker recovery information, administrative roles within Azure AD need the microsoft.directory/bitlockerKeys/key/read permission. For more information on which Azure AD roles have which permissions, see Azure AD role descriptions.
  • If TPM startup is set as the required option under Configure advanced authentication options for devices with compatible TPM and recovery information is generated, it is advised to save the BitLocker information to AD DS. This prevents losing access to the drive if the TPM is damaged and the recovery information is lost.

Block certificate-based data recovery agent – Check this option to block the ability to use a Data Recovery Agent (DRA) to recover BitLocker-protected fixed drives.

Hide recovery options on the device – Tick this option to prevent users from specifying extra recovery options, such as printing recovery keys, when they enable BitLocker on a fixed drive through the setup wizard.

Do not enable BitLocker until recovery information is stored in AD DS – Check this option to prevent BitLocker from being enabled unless the computer is connected to a domain and the backup of BitLocker recovery information to AD DS succeeds.

Removable Drive Settings

Configure BitLocker removable drive policy – Enable this option to configure the BitLocker removable drive settings.

Configure BitLocker removable drive policy

Options to configure the settings for removable drives in the BitLocker policy.

Configure encryption method – Configure the algorithm and cipher strength used by BitLocker Drive Encryption for removable drives. Choose one of AES CBC 128, AES CBC 256, XTS-AES 128, or XTS-AES 256.

BitLocker uses the default encryption method of AES CBC 128-bit when this option is not configured.

Note:

  • Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.
  • If you have specified the encryption method for removable drives, you must do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.

Block access to drives not protected by BitLocker – Deny write access to removable drives that are not protected by BitLocker. If an inserted removable drive is not encrypted, the user must complete the BitLocker setup wizard for the drive before write access is granted.

How to check whether your device has a compatible TPM?

Method 1

  1. Press Win+R and open Run > Type tpm.msc > Click OK to open the TPM Management snap-in console.
  2. It will show whether your device has a compatible TPM or not.

Method 2

  1. Press Win+R to open Run > Type devmgmt.msc > Click OK to open Device Manager.
  2. Check whether Security devices is listed. If so, expand Security devices to see whether a TPM with its version number is shown.

Method 3

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details.
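The three methods above are manual checks on one machine. As an added example, not Hexnode's code, the PowerShell function below collects the same TPM facts together with the per-volume BitLocker state that the policy's compliance requirement (OS and fixed drives encrypted) and encryption-method settings depend on, and lists the findings an administrator would want before deploying the policy. The function name is my own; it assumes an elevated session on Windows 10/11 with the in-box BitLocker, TrustedPlatformModule and Storage modules.

```powershell
# Added example (not Hexnode's code): report TPM presence and BitLocker posture
# for every volume, judged the way the policy's compliance check judges it.
# Get-Tpm and Get-BitLockerVolume need an elevated PowerShell session.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # TPM presence and readiness; Win32_Tpm carries the spec version ("2.0, ..." or "1.2, ...").
    $tpm = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $tpmOk) {
        $findings.Add('No ready TPM: the policy needs "Allow BitLocker to be activated on devices without a compatible TPM" plus a startup key or password.')
    }

    $volumes = foreach ($v in Get-BitLockerVolume) {
        # MountPoint is "C:"; Get-Volume's DriveType tells fixed from removable data drives.
        $letter = $v.MountPoint.TrimEnd(':')
        $driveType = $null
        if ($letter.Length -eq 1) {
            $driveType = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
        }
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Compliance as the policy defines it: OS and fixed data drives must be encrypted.
        $mustEncrypt = ($v.VolumeType -eq 'OperatingSystem') -or ($driveType -eq 'Fixed')
        if ($mustEncrypt -and $v.ProtectionStatus -ne 'On') {
            $findings.Add("$($v.MountPoint): protection is $($v.ProtectionStatus) ($($v.VolumeStatus)); non-compliant.")
        }
        # Without a RecoveryPassword protector there is nothing to escrow to the console or AD DS.
        if ($v.ProtectionStatus -eq 'On' -and $protectors -notcontains 'RecoveryPassword') {
            $findings.Add("$($v.MountPoint): no RecoveryPassword protector; the recovery password cannot be escrowed.")
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            DriveType        = $driveType
            ProtectionStatus = $v.ProtectionStatus
            VolumeStatus     = $v.VolumeStatus
            # XtsAes128 is the default for OS/fixed drives, Aes128 (AES CBC 128) for removable ones.
            EncryptionMethod = $v.EncryptionMethod
            PercentEncrypted = $v.EncryptionPercentage
            KeyProtectors    = ($protectors -join ',')
        }
    }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $tpmSpec
        Volumes        = $volumes
        Findings       = $findings
    }
}

# Usage: show the per-volume table, then anything that would fail the policy or its escrow.
$posture = Get-BitLockerPosture
$posture.Volumes | Format-Table -AutoSize
$posture.Findings
```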

Apply the BitLocker configuration to target entities using Hexnode UEM

There are two ways to associate the policy with devices in bulk.

If you haven’t saved the policy yet:

  1. Navigate to Policy Targets.
  2. Click on + Add Devices, then search and select the device(s) to which you need to apply the policy. Click OK.
  3. Click on Save to apply the policy to the devices.

Note:

To associate the policy with a device group, select Device Groups from the left pane under Policy Targets and follow the above instructions. Similarly, you can associate the policy with Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and have been taken to the page that displays the policy list:

  1. Select the required policy.
  2. Click on Manage and select Associate Targets.
  3. Search and select the devices, users, device groups, user groups, or domains to which you need to apply the policy. Click Associate.

Note:

  • Applying the BitLocker policy to a device with Device encryption enabled will result in policy failure. For the BitLocker policy to apply successfully, the drive must be manually decrypted beforehand. Users can verify whether the Device encryption feature is already enabled on their device by navigating to Settings > Privacy and security > Device encryption before applying the policy.
  • Once the BitLocker policy is applied to your Windows PC, fixed data drives and removable data drives become write-protected (if the corresponding options are checked) until BitLocker encryption is completed from the user’s end.

Block disk write on system and removable data drives.

Possible group policy conflicts

  1. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required.
  2. Storing recovery information in Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted.
  3. When the OS drive is to be encrypted and the device has no compatible TPM, “Allow BitLocker without a compatible TPM” must be checked.
  4. You cannot create both a recovery key and a recovery password at the same time.
  5. If one startup authentication method is required, the other method cannot be allowed: if you require the startup key, you must not allow the startup PIN, and vice versa.
  6. If the Block access to drives not protected by BitLocker setting is enabled for removable drives, the option to generate a recovery key must be disallowed.
  7. Backup of BitLocker recovery information to AD DS must be enabled if both recovery options are disallowed.
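These conflicts only surface when the Force BitLocker Encryption action runs on a device. As an added example, not Hexnode's code, the PowerShell function below checks a planned policy against conflicts 1 to 6 before it is deployed; the policy is expressed as a hashtable whose key names I chose to mirror the settings on this page, "recovery passwords not permitted" in rule 2 is taken to mean the Only Recovery Key option, and rule 7 is left out because it refers to disallowing both recovery options, which the options listed above do not expose.

```powershell
# Added example (not Hexnode's code): lint a planned BitLocker policy against the
# group policy conflicts 1 to 6 listed on this page. Hashtable key names are
# hypothetical and mirror the policy settings described above.
function Test-BitLockerPolicyConflict {
    param([hashtable]$Policy, [bool]$DeviceHasCompatibleTpm = $true)

    $conflicts = New-Object System.Collections.Generic.List[string]
    $required  = @($Policy.RequiredStartupAuth)   # any of 'TPM', 'StartupPIN', 'StartupKey'
    $allowed   = @($Policy.AllowedStartupAuth)
    $denyWrite = $Policy.BlockUnprotectedFixedDrives -or $Policy.BlockUnprotectedRemovableDrives
    # 'OnlyRecoveryKey', 'OnlyRecoveryPassword', 'BothKeyAndPassword' or 'KeyPasswordOrBoth'
    $recovery   = $Policy.RecoveryOptions
    $keyAllowed = @('OnlyRecoveryKey', 'BothKeyAndPassword', 'KeyPasswordOrBoth') -contains $recovery

    # 1. Denying write access to unprotected drives rules out requiring a USB startup key.
    if ($denyWrite -and $required -contains 'StartupKey') {
        $conflicts.Add('1: write access to unprotected drives is denied, so a USB startup key cannot be required')
    }
    # 2. AD DS backup cannot be required when no recovery password can be generated.
    if ($Policy.RequireAdBackupBeforeEnable -and $recovery -eq 'OnlyRecoveryKey') {
        $conflicts.Add('2: AD DS backup is required but recovery passwords are not permitted')
    }
    # 3. A device without a compatible TPM needs "Allow BitLocker without a compatible TPM".
    if (-not $DeviceHasCompatibleTpm -and -not $Policy.AllowWithoutCompatibleTpm) {
        $conflicts.Add('3: no compatible TPM and "Allow BitLocker without a compatible TPM" is unchecked')
    }
    # 4. Recovery key and recovery password cannot be created together.
    if ($recovery -eq 'BothKeyAndPassword') {
        $conflicts.Add('4: recovery key and recovery password cannot be created at the same time')
    }
    # 5. Requiring one startup method excludes allowing the other (startup PIN vs startup key).
    if (($required -contains 'StartupKey' -and $allowed -contains 'StartupPIN') -or
        ($required -contains 'StartupPIN' -and $allowed -contains 'StartupKey')) {
        $conflicts.Add('5: one startup method is required while the other is still allowed')
    }
    # 6. Blocking unprotected removable drives means recovery key generation must be disallowed.
    if ($Policy.BlockUnprotectedRemovableDrives -and $keyAllowed) {
        $conflicts.Add('6: unprotected removable drives are blocked, so recovery key generation must be disallowed')
    }
    return $conflicts
}

# Constructed sample policy: this one trips rules 1, 5 and 6.
$plan = @{
    AllowWithoutCompatibleTpm       = $false
    RequiredStartupAuth             = @('TPM', 'StartupKey')
    AllowedStartupAuth              = @('StartupPIN')
    RecoveryOptions                 = 'KeyPasswordOrBoth'
    RequireAdBackupBeforeEnable     = $true
    BlockUnprotectedFixedDrives     = $false
    BlockUnprotectedRemovableDrives = $true
}
Test-BitLockerPolicyConflict -Policy $plan
```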