Category filter
Sample configurations for Windows Bitlocker policy
With Hexnode UEM, you can set up a BitLocker policy on devices running Windows 10/11 Pro, Enterprise, and Education editions to configure encryption and recovery settings. This document equips Windows admins with a collection of sample policy configurations that they may use for managing BitLocker from the UEM console, like in instances where silently encrypting devices without the use of the Force BitLocker Encryption action, encrypting devices without TPM or ADDS, or encrypting devices while storing recovery information in ADDS is preferred.
1. Enable BitLocker automatically without user interaction on devices with TPM
Windows devices that have a compatible TPM and are Azure AD-joined can be silently encrypted without the use of the Force BitLocker Encryption action by configuring the below-specified list of settings:
| BitLocker Settings | Configuration |
|---|---|
| Require encryption for OS and fixed data drives | Enable this option |
| Hide warning about existing third-party encryption | Enable this option |
| Allow Options
[Configure BitLocker OS drive policy > Configure additional startup authentication settings > Configure advanced authentication options for devices with compatible TPM] |
Enable the option ‘TPM startup’ |
| Users must generate a recovery key or password
[Configure BitLocker OS drive policy > Configure recovery options] |
Choose either of the following:
|
| Save BitLocker recovery information to Active Directory Domain Services (AD DS)
[Configure BitLocker OS drive policy > Configure recovery options] |
Configure this as ‘Password Only’ |
| Do not enable BitLocker until recovery information is stored in AD DS
[Configure BitLocker OS drive policy > Configure recovery options] |
Enable this option |
2. BitLocker configuration for devices without TPM or Azure ADDS
Here is a list of settings that should be configured in the specified manner to manage BitLocker for Windows devices that neither have a compatible TPM nor are joined to Azure ADDS:
| BitLocker Settings | Configuration |
|---|---|
| Require encryption for OS and fixed data drives | Enable this option |
| Escrow recovery password to Hexnode UEM | Enable this option |
| Allow BitLocker to be activated on devices without a compatible TPM
[Configure BitLocker OS drive policy > Configure additional startup authentication settings] |
Enable this option |
| Save BitLocker recovery information to Active Directory Domain Services (AD DS)
[Configure BitLocker OS drive policy > Configure recovery options] |
Configure this as ‘Disable’ |
| Do not enable BitLocker until recovery information is stored in AD DS
[Configure BitLocker OS drive policy > Configure recovery options] |
Disable this option |
| Save BitLocker recovery information to Active Directory Domain Services (AD DS)
[Configure BitLocker fixed drive policy > Configure recovery options] |
Configure this as ‘Disable’ |
|
Do not enable BitLocker until recovery information is stored in AD DS
[Configure BitLocker fixed drive policy > Configure recovery options] |
Disable this option |
3. BitLocker configuration for devices utilizing Azure ADDS
Configure the following settings if you want to set up a BitLocker policy for Windows devices that are utilizing Azure ADDS:
| BitLocker Settings | Configuration |
|---|---|
| Require encryption for OS and fixed data drives | Enable this option |
| Escrow recovery password to Hexnode UEM | Enable this option |
| Save BitLocker recovery information to Active Directory Domain Services (AD DS)
[Configure BitLocker OS drive policy > Configure recovery options] |
Choose either of the following:
|
| Do not enable BitLocker until recovery information is stored in AD DS
[Configure BitLocker OS drive policy > Configure recovery options] |
Enable this option |
| Save BitLocker recovery information to Active Directory Domain Services (AD DS)
[Configure BitLocker fixed drive policy > Configure recovery options] |
Choose either of the following:
|
| Do not enable BitLocker until recovery information is stored in AD DS
[Configure BitLocker fixed drive policy > Configure recovery options] |
Enable this option |
It is not mandatory for you to setup AD DS-related settings under the BitLocker policy for AD-joined devices unless you want to store recovery information in the Azure ADDS.
