Sample configurations for Windows BitLocker policy

With Hexnode UEM, you can set up a BitLocker policy on devices running Windows 10/11 Pro, Enterprise, and Education editions to configure encryption and recovery settings. This document gives Windows admins a collection of sample policy configurations for managing BitLocker from the UEM console, covering cases such as silently encrypting devices without using the Force BitLocker Encryption action, encrypting devices that have no TPM or ADDS, and encrypting devices while storing recovery information in ADDS.

1. Enable BitLocker automatically without user interaction on devices with TPM

Windows devices that have a compatible TPM and are Azure AD-joined can be silently encrypted, without using the Force BitLocker Encryption action, by configuring the settings listed below:

BitLocker Settings and Configuration

Setting: Require encryption for OS and fixed data drives
Configuration: Enable this option

Setting: Hide warning about existing third-party encryption
Configuration: Enable this option

Setting: Allow Options
Path: [Configure BitLocker OS drive policy > Configure additional startup authentication settings > Configure advanced authentication options for devices with compatible TPM]
Configuration: Enable the option ‘TPM startup’

Setting: Users must generate a recovery key or password
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Choose either of the following:
  • Only Recovery Password
  • Recovery Key, Password or both

Setting: Save BitLocker recovery information to Active Directory Domain Services (AD DS)
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Configure this as ‘Password Only’

Setting: Do not enable BitLocker until recovery information is stored in AD DS
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Enable this option

2. BitLocker configuration for devices without TPM or Azure ADDS

The settings below should be configured as specified to manage BitLocker on Windows devices that neither have a compatible TPM nor are joined to Azure ADDS:

BitLocker Settings and Configuration

Setting: Require encryption for OS and fixed data drives
Configuration: Enable this option

Setting: Escrow recovery password to Hexnode UEM
Configuration: Enable this option

Setting: Allow BitLocker to be activated on devices without a compatible TPM
Path: [Configure BitLocker OS drive policy > Configure additional startup authentication settings]
Configuration: Enable this option

Setting: Save BitLocker recovery information to Active Directory Domain Services (AD DS)
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Configure this as ‘Disable’

Setting: Do not enable BitLocker until recovery information is stored in AD DS
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Disable this option

Setting: Save BitLocker recovery information to Active Directory Domain Services (AD DS)
Path: [Configure BitLocker fixed drive policy > Configure recovery options]
Configuration: Configure this as ‘Disable’

Setting: Do not enable BitLocker until recovery information is stored in AD DS
Path: [Configure BitLocker fixed drive policy > Configure recovery options]
Configuration: Disable this option

3. BitLocker configuration for devices utilizing Azure ADDS

Configure the following settings if you want to set up a BitLocker policy for Windows devices that are utilizing Azure ADDS:

BitLocker Settings and Configuration

Setting: Require encryption for OS and fixed data drives
Configuration: Enable this option

Setting: Escrow recovery password to Hexnode UEM
Configuration: Enable this option

Setting: Save BitLocker recovery information to Active Directory Domain Services (AD DS)
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Choose either of the following:
  • Password Only
  • Password and Key

Setting: Do not enable BitLocker until recovery information is stored in AD DS
Path: [Configure BitLocker OS drive policy > Configure recovery options]
Configuration: Enable this option

Setting: Save BitLocker recovery information to Active Directory Domain Services (AD DS)
Path: [Configure BitLocker fixed drive policy > Configure recovery options]
Configuration: Choose either of the following:
  • Password Only
  • Password and Key

Setting: Do not enable BitLocker until recovery information is stored in AD DS
Path: [Configure BitLocker fixed drive policy > Configure recovery options]
Configuration: Enable this option

Note:

It is not mandatory to set up the AD DS-related settings under the BitLocker policy for AD-joined devices unless you want to store recovery information in the Azure ADDS.
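Once one of the three sample profiles above has been pushed from the console, an admin will want to confirm on the endpoint that the drive really is encrypting, that a recovery password protector exists (so the escrowed password can actually be used), and that the startup protector matches the profile. The following PowerShell script is an added example and is not Hexnode code; it assumes an elevated session with the built-in BitLocker module, and it assumes the policy lands in the standard BitLocker policy registry location HKLM:\SOFTWARE\Policies\Microsoft\FVE, where the Group Policy equivalents of the console settings (EnableBDEWithNoTPM, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup and the FDV counterparts) are read. The profile names TpmSilent, NoTpm and AzureAdds are labels chosen here for sections 1, 2 and 3.

```powershell
# Added example (not from the Hexnode documentation): verify that an endpoint matches the
# state one of the three sample BitLocker profiles should produce.
# Assumptions: elevated session, BitLocker PowerShell module present, policy applied via
# the standard policy registry path below (Group Policy equivalents of the console settings).

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # $null means "not configured"; the console's Disable/unset states both land here.
    try { (Get-ItemProperty -Path $FvePolicyPath -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-BitLockerPolicyState {
    param(
        # TpmSilent = section 1, NoTpm = section 2, AzureAdds = section 3 (labels chosen for this example)
        [ValidateSet('TpmSilent', 'NoTpm', 'AzureAdds')][string]$Profile
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $noTpmAllowed = Get-FvePolicyValue 'EnableBDEWithNoTPM'             # Allow BitLocker without a compatible TPM
    $osAdBackup   = Get-FvePolicyValue 'OSActiveDirectoryBackup'        # Save OS drive recovery info to AD DS
    $osRequireAd  = Get-FvePolicyValue 'OSRequireActiveDirectoryBackup' # Do not enable until stored in AD DS (OS)
    $fdvAdBackup  = Get-FvePolicyValue 'FDVActiveDirectoryBackup'       # Same two settings for fixed drives
    $fdvRequireAd = Get-FvePolicyValue 'FDVRequireActiveDirectoryBackup'

    switch ($Profile) {
        'TpmSilent' {
            if ($osAdBackup -ne 1)  { $findings.Add('OS drive: AD DS backup of recovery information is not enabled') }
            if ($osRequireAd -ne 1) { $findings.Add('OS drive: "do not enable until stored in AD DS" is not enabled') }
        }
        'NoTpm' {
            if ($noTpmAllowed -ne 1) { $findings.Add('BitLocker without a compatible TPM is not allowed; encryption cannot start on this device') }
            # Requiring AD DS escrow on a device that is not domain joined blocks encryption indefinitely.
            if (($osRequireAd -eq 1) -or ($fdvRequireAd -eq 1)) { $findings.Add('AD DS escrow is required but the profile expects it disabled; encryption would wait forever') }
        }
        'AzureAdds' {
            if (($osAdBackup -ne 1) -or ($fdvAdBackup -ne 1))   { $findings.Add('AD DS backup is not enabled for both OS and fixed drives') }
            if (($osRequireAd -ne 1) -or ($fdvRequireAd -ne 1)) { $findings.Add('"do not enable until stored in AD DS" is not enabled for both OS and fixed drives') }
        }
    }

    # Live volume state: is each volume encrypting, and is recovery possible?
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $label = "$($vol.MountPoint) ($($vol.VolumeType))"

        if ($vol.VolumeStatus -eq 'FullyDecrypted') { $findings.Add("$label is not encrypted"); continue }
        if ($types -notcontains 'RecoveryPassword') { $findings.Add("$label has no recovery password protector; the escrowed password cannot unlock it") }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            $hasTpm = [bool]($types -match '^Tpm')    # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
            if ($Profile -ne 'NoTpm' -and -not $hasTpm) { $findings.Add("$label has no TPM-based protector; startup will not be silent") }
            if ($Profile -eq 'NoTpm' -and ($types -notcontains 'Password') -and ($types -notcontains 'ExternalKey')) {
                $findings.Add("$label has neither a password nor a startup key protector")
            }
        }
    }

    [pscustomobject]@{
        Profile   = $Profile
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: pick the profile that was assigned to this device.
Test-BitLockerPolicyState -Profile TpmSilent | Format-List
```

The registry checks tell you what policy the device has actually received, while the Get-BitLockerVolume checks tell you whether that policy has taken effect; a device that passes the first set and fails the second is typically still waiting on a reboot, a TPM prompt, or AD DS escrow.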

Frequently Asked Questions

1. What is the primary difference between a BitLocker policy and the “Force BitLocker Encryption” remote action?

A BitLocker policy defines the organizational security standards and prompts the user to initiate encryption. Conversely, the Force BitLocker Encryption action allows the admin to mandate encryption with a specific PIN or password remotely, often requiring no user interaction if correctly configured.

2. How does the admin verify if a device possesses a compatible TPM before applying a policy?

The admin can check the hardware status within the device summary in the portal or instruct a local technician to run tpm.msc or Get-Tpm via PowerShell on the endpoint to confirm the TPM version (1.2 or 2.0) and readiness state.
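A scripted version of the TPM check referred to above, as an added example (not Hexnode code): it combines Get-Tpm with the Win32_Tpm WMI class, whose SpecVersion string carries the TPM specification version (1.2 or 2.0) as its first comma-separated field, and returns whether the device is a candidate for the TPM-based profile in section 1 or should get the no-TPM profile in section 2. It assumes an elevated session on Windows 10/11.

```powershell
# Added example (not from the Hexnode documentation): determine TPM presence, readiness and
# spec version before assigning a TPM-based BitLocker profile. Assumes an elevated session.

function Get-TpmReadiness {
    # Get-Tpm (TrustedPlatformModule module) reports presence, readiness and ownership state.
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmi -and $wmi.SpecVersion) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    $notes = [System.Collections.Generic.List[string]]::new()
    if (-not $tpm.TpmPresent) {
        $notes.Add('No TPM detected (absent or disabled in firmware); use the no-TPM profile')
    }
    elseif (-not $tpm.TpmReady) {
        $notes.Add('TPM is present but not ready; provision it (Initialize-Tpm) before encrypting')
    }
    elseif ($specVersion -notin @('1.2', '2.0')) {
        $notes.Add("TPM spec version '$specVersion' is not one BitLocker recognises as 1.2 or 2.0")
    }

    [pscustomobject]@{
        Present               = [bool]$tpm.TpmPresent
        Ready                 = [bool]$tpm.TpmReady
        SpecVersion           = $specVersion
        Manufacturer          = $tpm.ManufacturerIdTxt
        SuitableForTpmProfile = ($notes.Count -eq 0)
        Notes                 = $notes
    }
}

Get-TpmReadiness | Format-List
```

SuitableForTpmProfile is true only when the TPM is present, ready and reports a 1.2 or 2.0 specification version, which is the precondition for the silent encryption described in section 1; anything else points the admin to section 2.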

3. Does enabling the “Force all traffic through the VPN” option in VPN policy impact BitLocker recovery?

No. BitLocker encryption and recovery mechanisms operate at the disk and pre-boot levels, respectively, and are independent of OS-level VPN routing configurations.

Troubleshooting

1. Issue: The BitLocker policy status remains in a “Pending” state.

Probable Cause:

The Hexnode Agent app is inactive on the device, or the device is unable to establish a stable communication channel with the UEM server.

Solution:

The admin should initiate a manual Sync from the Hexnode UEM app on the device or check the device’s internet connectivity and power status.
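The checks in this troubleshooting entry can be gathered in one pass. The script below is an added example, not Hexnode code; the agent service name and UEM server hostname are placeholders to be replaced with your own values, since the page does not give them. It checks whether the agent service exists and is running, whether the device can reach the UEM server over TCP 443, and whether the device is on AC power.

```powershell
# Added example (not from the Hexnode documentation): collect the facts behind a
# "Pending" policy status. Service name and UEM host are placeholders.

function Test-UemAgentHealth {
    param(
        [string]$AgentServiceName = 'PLACEHOLDER_AGENT_SERVICE',  # placeholder: your agent's Windows service name
        [string]$UemHost          = 'uem.example.invalid',         # placeholder: your UEM server hostname
        [int]$Port                = 443
    )

    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $net = Test-NetConnection -ComputerName $UemHost -Port $Port -WarningAction SilentlyContinue
    # Win32_Battery is absent on desktops; BatteryStatus 2 means running on AC power.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue

    $serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $reachable      = [bool]$net.TcpTestSucceeded
    $onAcPower      = ($null -eq $battery) -or ($battery.BatteryStatus -eq 2)

    $nextStep = if (-not $svc)            { 'Agent service not found; reinstall or re-enrol the device' }
                elseif (-not $serviceRunning) { 'Agent service is stopped; start it, then trigger a manual Sync' }
                elseif (-not $reachable)  { "Cannot reach ${UemHost}:$Port; check connectivity, proxy and firewall" }
                elseif (-not $onAcPower)  { 'Device is on battery; connect AC power, then trigger a manual Sync' }
                else                      { 'Prerequisites look fine; trigger a manual Sync from the agent app' }

    [pscustomobject]@{
        AgentServiceFound   = ($null -ne $svc)
        AgentServiceRunning = $serviceRunning
        UemReachable        = $reachable
        OnAcPower           = $onAcPower
        NextStep            = $nextStep
    }
}

Test-UemAgentHealth | Format-List
```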
