
How to Manage BitLocker with Hexnode MDM

BitLocker is Microsoft's built-in full-volume encryption tool for Windows PCs. It enforces encryption on system drives, fixed data drives and removable drives to protect the data stored on them. BitLocker helps prevent unauthorized access to data on lost or stolen devices by encrypting the entire Windows operating system volume on the hard disk and verifying the integrity of the boot process. When used together with TPM version 1.2 or later, BitLocker can validate system files and boot activity. With Hexnode MDM, you manage BitLocker through the BitLocker policy, which configures encryption settings for the operating system drive, fixed data drives and removable data drives on Windows 10 PCs.

Notes:

  • Supported on Windows 10 Pro (v1809+), Enterprise and Education editions.
  • The TPM is a microchip in the machine that runs an authentication check on the PC's hardware, software and firmware. BitLocker encryption is also possible on systems without a TPM, but the user is then prompted to plug in the BitLocker USB key every time the system boots.

To configure BitLocker encryption with Hexnode MDM

  1. Navigate to Policies tab > New Policy > Name the Policy.
  2. Click on BitLocker under Windows Settings > Configure.

BitLocker Configuration

BitLocker Setting | Description
Prompt to encrypt storage card | When checked, users are prompted to enable storage card encryption on the device (only for Windows 10 Mobile and Mobile Enterprise editions).
Prompt for device encryption | When enabled, users are prompted to encrypt the OS drive. Note that the action cannot be reverted once the drive is encrypted.
Configure encryption methods for disk drives | Configure the encryption method (XTS-AES or AES-CBC) and cipher strength (128-bit or 256-bit) used by BitLocker. Select Enable to configure. When this setting is disabled or not configured, BitLocker uses its default encryption method, AES-CBC 128-bit.
Configure authentication when the computer starts up | Lets the admin configure whether authentication is required each time the computer starts. Select Enable to configure.
Minimum length for BitLocker startup PIN | Configure a minimum length for the BitLocker startup PIN. The PIN length can be 6 to 20 digits.
Configure pre-boot recovery message and URL | Enable a recovery message and URL on the pre-boot recovery screen to help users recover their key. Choose from: select default value; do not show any message or URL; show default recovery message and URL; show custom recovery message and URL (see "How to create a custom recovery message and URL?" below). If "Show default recovery message and URL" is selected, the pre-boot recovery screen shows: "Enter the recovery key for this drive. For more information on how to retrieve this key go to: https://support.microsoft.com/en-gb/help/4026181/windows-10-find-my-bitlocker-recovery-key"
Configure recovery options for system drives | Select whether to enable recovery of encrypted system drives when the required credentials are unavailable.
Configure recovery options for fixed drives | Select whether to enable recovery of encrypted fixed drives when the required credentials are unavailable.
Fixed drive require encryption | When enabled, encryption must be turned on before data can be written to a fixed drive. If the drive is left decrypted, the user has read-only access to it.
Removable drive require encryption | When checked, removable drives must be encrypted before users can write data to them.


How to create a custom recovery message and URL?

  1. Go to Admin tab > General Settings.
  2. Enter a custom pre-boot recovery message and URL under Windows Custom Recovery Message.

Notes:

  • Not all characters and languages are supported in the pre-boot environment. So, verify the correct appearance of the characters that you use for the custom recovery message and URL on the pre-boot recovery screen.

Configure encryption methods for disk drives

Configuring encryption method for disk drives

Setting | Description
Encryption method for operating system drive | Select the encryption method for system drives. XTS-AES is recommended for operating system drives.
Encryption method for fixed data drives | Select the encryption method for fixed drives. XTS-AES is a disk encryption mode introduced in Windows 10 and is the best choice for fixed drives.
Encryption method for removable drives | Select the encryption method for removable drives. Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will also be used on devices that are not running Windows 10, version 1511 or later.

Configure authentication when the computer starts up

Configuring authentication when the computer starts up

Setting | Description
Allow BitLocker without a TPM | First check whether your device has a compatible TPM (see "How to check whether your device has a compatible TPM?" below). If Allow is selected, users can use BitLocker on devices without a compatible TPM. Systems without a TPM require a startup key, which is stored on a USB flash drive.
Authenticate with TPM startup key | Configure a TPM startup key for devices with a TPM.
Authenticate with TPM startup PIN | At startup, the device requires entry of a 6 to 20 digit Personal Identification Number, which the user configures during BitLocker setup.
Authenticate with TPM startup key and PIN | Both a startup key and a PIN can be allowed. Required by default if the system has no TPM.
Enable TPM during startup | Choose whether the TPM chip is required, optional, or disallowed during startup.

How to check whether your device has a compatible TPM?

Method 1

  1. Press Win+R to open Run > Type tpm.msc > Click OK to open the TPM Management snap-in console.
  2. The console shows whether your device has a compatible TPM.

Method 2

  1. Press Win+R to open Run > Type devmgmt.msc > Click OK to open Device Manager.
  2. Check whether Security devices is listed. If so, expand Security devices to see whether a TPM with its version number is present.

Method 3

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details.
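The same check can be scripted when you need the answer for many devices rather than one. The following is an added example, not part of the Hexnode article, that reads the Win32_Tpm CIM class from an elevated PowerShell session and reports whether the TPM meets the version 1.2 requirement mentioned earlier. The function name Get-TpmReadiness and its output fields are this example's own choices.

```powershell
# Added example (not from the Hexnode article): report TPM presence, spec version and
# readiness from PowerShell instead of the tpm.msc / devmgmt.msc GUI methods above.
# Run in an elevated PowerShell session on the Windows 10 device.

function Get-TpmReadiness {
    [CmdletBinding()]
    param()

    # Win32_Tpm is only present when the firmware exposes an enabled TPM.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    if (-not $tpm) {
        return [pscustomobject]@{
            Present           = $false
            SpecVersion       = $null
            Enabled           = $false
            Activated         = $false
            Owned             = $false
            # Without a TPM, BitLocker needs "Allow BitLocker without a TPM" and a USB startup key.
            UsableByBitLocker = $false
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the TPM specification version that matters for BitLocker.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()

    [pscustomobject]@{
        Present           = $true
        SpecVersion       = $spec
        Enabled           = [bool]$tpm.IsEnabled_InitialValue
        Activated         = [bool]$tpm.IsActivated_InitialValue
        Owned             = [bool]$tpm.IsOwned_InitialValue
        # BitLocker can use the TPM when it is version 1.2 or later and both enabled and activated.
        UsableByBitLocker = ([version]$spec -ge [version]'1.2') -and
                            [bool]$tpm.IsEnabled_InitialValue -and
                            [bool]$tpm.IsActivated_InitialValue
    }
}

Get-TpmReadiness | Format-List
```

The built-in Get-Tpm cmdlet (TrustedPlatformModule module) gives a similar TpmPresent/TpmReady summary; the CIM query is used here because it also exposes the specification version, which is what the TPM 1.2+ requirement refers to.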

Configure recovery options for system drives

Configuring recovery options for system drives

Setting | Description
Use data recovery agents with BitLocker-enabled OS drive | Select this option to allow a Data Recovery Agent (DRA) to be used with BitLocker-protected operating system drives. Data recovery agents are individuals who can use their credentials to unlock the drive. The OS drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. To use a DRA with BitLocker, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor.
Generate recovery password | Choose whether to allow the user to generate a 48-digit recovery password.
Generate recovery key | If checked, the system creates a 256-bit recovery key and stores it on an external USB device.
Hide recovery options from BitLocker setup wizard | Check to omit the operating system drive recovery options from the setup wizard so that users cannot change them.
Save BitLocker info. on OS drives to Azure AD DS | Check to save BitLocker information to Azure Active Directory Domain Services. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool lets domain administrators view BitLocker recovery passwords for specific computer objects in Active Directory.
Select recovery information to be stored in Azure AD DS | Select either "store recovery passwords and key packages" or "store recovery password only". A key package is secured by one or more recovery passwords and can help perform specialized recovery even when the disk is damaged or corrupted. The key package cannot be used without the corresponding recovery password.
Disable BitLocker until OS drive recovery info is stored in Azure AD DS | Check this option to keep BitLocker disabled until recovery information has been stored in Azure AD DS.

Configure recovery options for fixed drives

Configuring recovery options for fixed drives

Setting | Description
Use data recovery agents with BitLocker-enabled fixed drive | Select this option to allow a Data Recovery Agent (DRA) to be used with BitLocker-protected fixed drives.
Generate recovery password | Choose whether to allow the user to generate a 48-digit recovery password.
Generate recovery key | If checked, the system creates a 256-bit recovery key and stores it on an external USB device.
Show recovery options from BitLocker setup wizard | Check to show the fixed drive recovery options in the setup wizard.
Save BitLocker info. on fixed drives to Azure AD DS | Check to save BitLocker information to Azure Active Directory Domain Services.
Select recovery information to be stored in Azure AD DS | Select either "store recovery passwords and key packages" or "store recovery password only".
Disable BitLocker until fixed drive recovery info is stored in Azure AD DS | Check this option to keep BitLocker disabled until recovery information has been stored in Azure AD DS.
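The encryption-method settings (under "Configure encryption methods for disk drives") and the recovery settings in the two tables above only take effect once BitLocker has actually run on the device, so it is worth verifying the outcome on the endpoint itself. The following is an added example, not Hexnode's own code, that uses the Windows BitLocker PowerShell module to compare each volume's encryption method with the values chosen in the policy, confirm that a 48-digit recovery password protector exists, and optionally escrow that protector to Azure AD. The $ExpectedMethod table, the Test-BitLockerCompliance function and its output fields are this example's assumptions; Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector are the module's real cmdlets.

```powershell
# Added example (not from the Hexnode article): audit BitLocker state on a Windows 10 device
# after the policy has applied. Checks that each volume is fully encrypted with the method the
# policy prescribes for its drive type and that a recovery password protector exists, and can
# escrow recovery passwords to Azure AD. Requires the BitLocker module and an elevated session.

Import-Module BitLocker

# Expected method per drive type (assumed values; edit to match the Hexnode policy).
# Names are the BitLocker module's own enum values: XtsAes128, XtsAes256, Aes128, Aes256.
$ExpectedMethod = @{
    OperatingSystem = 'XtsAes256'
    Data            = 'XtsAes256'   # fixed data drives
    Removable       = 'Aes128'      # AES-CBC 128-bit for drives shared with older Windows versions
}

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Also back up each recovery password protector to the device's Azure AD object.
        [switch]$EscrowToAzureAD
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Volumes without a drive letter report a GUID path; treat those as fixed data volumes.
        $letter    = $vol.MountPoint.TrimEnd(':')
        $driveType = $null
        if ($letter.Length -eq 1) {
            $driveType = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
        }

        # Map the volume to the drive category the policy distinguishes.
        $category = if ($vol.VolumeType -eq 'OperatingSystem') { 'OperatingSystem' }
                    elseif ($driveType -eq 'Removable') { 'Removable' }
                    else { 'Data' }

        $expected = $ExpectedMethod[$category]
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On')          { $findings += 'protection is off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted')  { $findings += "volume status is $($vol.VolumeStatus)" }
        if ($vol.EncryptionMethod.ToString() -ne $expected) {
            $findings += "method is $($vol.EncryptionMethod), policy expects $expected"
        }
        if ($recovery.Count -eq 0)                   { $findings += 'no recovery password protector' }

        if ($EscrowToAzureAD) {
            foreach ($kp in $recovery) {
                # Escrow the 48-digit recovery password so it can be retrieved from Azure AD later.
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                                  -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Category   = $category
            Method     = $vol.EncryptionMethod
            Protection = $vol.ProtectionStatus
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Report only; add -EscrowToAzureAD on Azure AD joined devices to push recovery passwords up.
Test-BitLockerCompliance | Format-Table -AutoSize
```

A removable drive that has never been encrypted shows EncryptionMethod None and ProtectionStatus Off, so it is listed as non-compliant until the user completes encryption; that matches the write-protection behaviour described in the notes further down.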

Manage BitLocker with Hexnode MDM

How to associate the policy to a device?

If the policy is not saved

  1. Go to Policy Targets > Click on Add Devices.
  2. Select the device to which the policy is to be associated > Click OK.
  3. Save the policy.

If the policy is already saved

  1. Select the required policy from the Policies tab.
  2. Click on Manage > Associate Targets.
  3. Select the device > Associate.

Notes:

  • Once the policy is applied, fixed data drives and removable drives become write-protected (if the relevant options are checked) until the user completes BitLocker encryption.


Possible Group Policy conflicts:

  1. When write access to drives not protected by BitLocker is denied, a USB start-up key, or a USB start-up key and PIN, cannot be required.
  2. Storing recovery information in AD DS cannot be required when generation of a recovery password is not permitted.
  3. When the OS drive is to be encrypted on a device without a compatible TPM, "Allow BitLocker without a compatible TPM" must be checked.
  4. Cannot create both a recovery key and a recovery password at the same time.
  5. If one start-up authentication method is required, the other method cannot be allowed: if you require the startup key, you must not allow the startup PIN, and vice versa.
  6. If the "Deny write access to removable drives not protected by BitLocker" policy setting is enabled, the option to generate a recovery key must be disallowed.
  7. Backup of BitLocker recovery information to AD DS must be enabled if both recovery options are disallowed.
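Because the portal only reports these conflicts when you try to save the policy, it can help to encode the seven rules as a pre-flight check. The following is an added example, not Hexnode's own code: the $Policy keys and the Required / Allowed / Disallowed values are this example's own representation of the portal options, not Hexnode API names, and the sample policy at the end is constructed to trip rules 1 and 6.

```powershell
# Added example (not Hexnode's own code): check a proposed BitLocker policy against the
# Group Policy conflict rules listed above before saving it in the portal. Setting names and
# the 'Required' / 'Allowed' / 'Disallowed' values are this example's own representation.

function Test-BitLockerPolicyConflicts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        # Whether the target device has a compatible TPM (rule 3 depends on the device).
        [bool]$DeviceHasTpm = $true
    )

    $conflicts = @()
    $denyWriteFixed     = [bool]$Policy.FixedDriveRequireEncryption
    $denyWriteRemovable = [bool]$Policy.RemovableDriveRequireEncryption

    # 1. A USB startup key (or key and PIN) cannot be required while unprotected drives are read-only.
    if (($denyWriteFixed -or $denyWriteRemovable) -and
        ($Policy.TpmStartupKey -eq 'Required' -or $Policy.TpmStartupKeyAndPin -eq 'Required')) {
        $conflicts += '1: USB startup key cannot be required when write access to unprotected drives is denied'
    }
    # 2. Backup to AD DS cannot be required if recovery passwords cannot be generated.
    if ($Policy.DisableUntilStoredInAdDs -and ($Policy.RecoveryPassword -eq 'Disallowed')) {
        $conflicts += '2: storing recovery information in AD DS cannot be required when recovery passwords are not permitted'
    }
    # 3. Encrypting the OS drive on a device without a TPM needs "Allow BitLocker without a TPM".
    if ($Policy.EncryptOsDrive -and (-not $DeviceHasTpm) -and (-not $Policy.AllowWithoutTpm)) {
        $conflicts += '3: device has no compatible TPM and "Allow BitLocker without a compatible TPM" is not checked'
    }
    # 4. Recovery key and recovery password cannot both be required.
    if (($Policy.RecoveryKey -eq 'Required') -and ($Policy.RecoveryPassword -eq 'Required')) {
        $conflicts += '4: recovery key and recovery password cannot both be required'
    }
    # 5. If one startup method is required, the other must be disallowed (-and/-or share precedence, so parenthesise).
    if ((($Policy.TpmStartupKey -eq 'Required') -and ($Policy.TpmStartupPin -ne 'Disallowed')) -or
        (($Policy.TpmStartupPin -eq 'Required') -and ($Policy.TpmStartupKey -ne 'Disallowed'))) {
        $conflicts += '5: requiring one startup authentication method means the other must be disallowed'
    }
    # 6. Write-protecting unprotected removable drives means recovery keys must be disallowed.
    if ($denyWriteRemovable -and ($Policy.RecoveryKey -ne 'Disallowed')) {
        $conflicts += '6: recovery key must be disallowed when unprotected removable drives are write-protected'
    }
    # 7. If both recovery options are disallowed, backup to AD DS must be enabled.
    if (($Policy.RecoveryKey -eq 'Disallowed') -and ($Policy.RecoveryPassword -eq 'Disallowed') -and
        (-not $Policy.SaveToAdDs)) {
        $conflicts += '7: backup of recovery information to AD DS must be enabled when both recovery options are disallowed'
    }
    return $conflicts
}

# Constructed sample policy: write-protected removable drives plus a required USB startup
# key (rule 1) while recovery keys are still allowed (rule 6).
$proposed = @{
    EncryptOsDrive                  = $true
    AllowWithoutTpm                 = $false
    TpmStartupKey                   = 'Required'
    TpmStartupPin                   = 'Disallowed'
    TpmStartupKeyAndPin             = 'Disallowed'
    RecoveryPassword                = 'Allowed'
    RecoveryKey                     = 'Allowed'
    SaveToAdDs                      = $true
    DisableUntilStoredInAdDs        = $false
    FixedDriveRequireEncryption     = $false
    RemovableDriveRequireEncryption = $true
}
Test-BitLockerPolicyConflicts -Policy $proposed -DeviceHasTpm $true
```

With the sample above the function returns the rule 1 and rule 6 messages; an empty result means the combination passes all seven checks and can be saved.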
