Sample configurations for Windows BitLocker policy
With Hexnode UEM, you can set up a BitLocker policy on devices running Windows 10/11 Pro, Enterprise, and Education editions to configure encryption and recovery settings. This document gives Windows admins a set of sample policy configurations for managing BitLocker from the UEM console, covering cases such as silently encrypting devices without using the Force BitLocker Encryption action, encrypting devices that have no TPM or AD DS, and encrypting devices while storing recovery information in AD DS.
1. Enable BitLocker automatically without user interaction on devices with TPM
BitLocker Settings | Configuration |
---|---|
Require encryption for OS and fixed data drives | Enable |
Hide warning about existing third-party encryption | Enable |
Allow Options [Configure BitLocker OS drive policy > Configure additional startup authentication settings > Configure advanced authentication options for devices with compatible TPM] | TPM startup |
Users must generate a recovery key or password [Configure BitLocker OS drive policy > Configure recovery options] | Configure this as ‘Only Recovery Password’ or ‘Recovery Key, Password or both’ |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) [Configure BitLocker OS drive policy > Configure recovery options] | Configure this as ‘Password Only’ |
Do not enable BitLocker until recovery information is stored in AD DS [Configure BitLocker OS drive policy > Configure recovery options] | Enable |
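After the policy above has been applied, an admin normally wants to confirm on the device that encryption really turned on with a TPM protector and that a numerical recovery password exists and has reached AD DS. The following script is an added example, not Hexnode's code; it uses the built-in BitLocker and TrustedPlatformModule PowerShell modules in an elevated session and assumes the OS volume is mounted at C:. The `-BackupToAdds` switch and the `Test-BitLockerTpmProfile` function name are this example's own.

```powershell
# Added example: verify the end state that the "TPM, no user interaction" profile intends.
# Requires an elevated PowerShell session on the managed device.

function Test-BitLockerTpmProfile {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        # Push any recovery password protector to AD DS if it is not there yet (domain-joined devices only)
        [switch]$BackupToAdds
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    $tpmProtector = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $rpProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $findings = [ordered]@{
        MountPoint            = $MountPoint
        TpmPresentAndReady    = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        ProtectionOn          = ($vol.ProtectionStatus -eq 'On')
        VolumeStatus          = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
        EncryptionPercentage  = $vol.EncryptionPercentage
        HasTpmProtector       = [bool]$tpmProtector
        RecoveryPasswordCount = $rpProtectors.Count
        RecoveryPasswordIds   = @($rpProtectors.KeyProtectorId)
    }

    # 'Password Only' in the profile means a 48-digit recovery password, not a
    # recovery key file, so at least one RecoveryPassword protector is expected.
    $findings.Compliant = $findings.TpmPresentAndReady -and $findings.ProtectionOn -and
                          $findings.HasTpmProtector -and ($findings.RecoveryPasswordCount -ge 1)

    if ($BackupToAdds -and $rpProtectors.Count -gt 0) {
        foreach ($rp in $rpProtectors) {
            # Backup-BitLockerKeyProtector writes the password to the computer object in AD DS.
            # A failure (not domain-joined, schema or ACL problem) is recorded as a finding.
            try {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
                $findings["AddsBackup_$($rp.KeyProtectorId)"] = 'ok'
            } catch {
                $findings["AddsBackup_$($rp.KeyProtectorId)"] = "failed: $($_.Exception.Message)"
            }
        }
    }

    [pscustomobject]$findings
}

Test-BitLockerTpmProfile -MountPoint 'C:' | Format-List
```

Run it without `-BackupToAdds` first to see the state the UEM policy produced; a device that reports `ProtectionOn = False` with `VolumeStatus = EncryptionInProgress` is still encrypting rather than misconfigured, while a missing TPM protector on a TPM-ready device points at the startup authentication settings.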
2. BitLocker configuration for devices without TPM or Azure ADDS
BitLocker Settings | Configuration |
---|---|
Require encryption for OS and fixed data drives | Enable |
Escrow recovery password to Hexnode UEM | Enable |
Allow BitLocker to be activated on devices without a compatible TPM [Configure BitLocker OS drive policy > Configure additional startup authentication settings] | Enable |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) [Configure BitLocker OS drive policy > Configure recovery options] | Configure this as ‘Disable’ |
Do not enable BitLocker until recovery information is stored in AD DS [Configure BitLocker OS drive policy > Configure recovery options] | Disable |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) [Configure BitLocker fixed drive policy > Configure recovery options] | Configure this as ‘Disable’ |
Do not enable BitLocker until recovery information is stored in AD DS [Configure BitLocker fixed drive policy > Configure recovery options] | Disable |
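The rows above matter because a device with no TPM and no AD DS will never encrypt if the policy still requires a TPM or waits for an AD DS backup that cannot happen. The script below is an added example, not Hexnode's code: it reads the BitLocker policy values that an MDM- or GPO-delivered policy leaves under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with this profile. The mapping from each Hexnode setting to a Windows policy value name (`EnableBDEWithNoTPM`, `OSActiveDirectoryBackup`, and so on) is this example's assumption based on the Windows BitLocker policy definitions; confirm it on a device you have configured before relying on it. It also checks that the OS drive carries a recovery password protector, since that is what the "Escrow recovery password to Hexnode UEM" row needs to have something to escrow.

```powershell
# Added example: audit the effective BitLocker policy on a device targeted by the
# "no TPM / no AD DS" profile. Run in an elevated session on the managed device.

function Test-BitLockerNoTpmPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Policy value name -> expected value. Mapping to the UEM rows is an assumption (see lead-in).
    $expected = [ordered]@{
        'EnableBDEWithNoTPM'              = 1   # allow BitLocker without a compatible TPM
        'UseAdvancedStartup'              = 1   # "additional startup authentication settings" enabled
        'OSActiveDirectoryBackup'         = 0   # OS drive: do not save recovery info to AD DS
        'OSRequireActiveDirectoryBackup'  = 0   # OS drive: do not wait for AD DS before enabling
        'FDVActiveDirectoryBackup'        = 0   # fixed drives: same two settings
        'FDVRequireActiveDirectoryBackup' = 0
    }

    $details = @()
    $keyPresent = Test-Path $fve
    if ($keyPresent) {
        $actual = Get-ItemProperty -Path $fve
        $details = foreach ($name in $expected.Keys) {
            $prop  = $actual.PSObject.Properties[$name]
            $value = if ($prop) { [int]$prop.Value } else { $null }   # $null when the value is absent
            [pscustomobject]@{
                Setting  = $name
                Expected = $expected[$name]
                Actual   = $value
                # An absent value means "not configured", which satisfies only the rows expected to be 0.
                Matches  = if ($null -eq $value) { $expected[$name] -eq 0 } else { $value -eq $expected[$name] }
            }
        }
    }

    # Something must exist for the UEM to escrow: a RecoveryPassword protector on the OS drive.
    $osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $hasRecoveryPassword = [bool]($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        PolicyKeyPresent          = $keyPresent
        PolicyMatchesProfile      = $keyPresent -and -not ($details | Where-Object { -not $_.Matches })
        OsDriveHasRecoveryPassword = $hasRecoveryPassword
        Details                   = $details
    }
}

$result = Test-BitLockerNoTpmPolicy
$result.Details | Format-Table -AutoSize
$result | Select-Object PolicyKeyPresent, PolicyMatchesProfile, OsDriveHasRecoveryPassword
```

A `PolicyKeyPresent = False` result usually means the UEM policy has not reached the device yet; a mismatch on `EnableBDEWithNoTPM` is the most common reason a TPM-less device stays unencrypted under this profile.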
3. BitLocker configuration for devices utilizing Azure ADDS
BitLocker Settings | Configuration |
---|---|
Require encryption for OS and fixed data drives | Enable |
Escrow recovery password to Hexnode UEM | Enable |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) [Configure BitLocker OS drive policy > Configure recovery options] | Configure this as ‘Password Only’ or ‘Password and Key’ |
Do not enable BitLocker until recovery information is stored in AD DS [Configure BitLocker OS drive policy > Configure recovery options] | Enable |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) [Configure BitLocker fixed drive policy > Configure recovery options] | Configure this as ‘Password Only’ or ‘Password and Key’ |
Do not enable BitLocker until recovery information is stored in AD DS [Configure BitLocker fixed drive policy > Configure recovery options] | Enable |
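With this profile the UEM holds one copy of the recovery password and AD DS holds another, and it is worth checking from the directory side that every recovery password currently on a device is actually present under its computer object. The script below is an added example, not Hexnode's code: run from a domain-joined admin workstation, it assumes the ActiveDirectory RSAT module, read access to the msFVE-RecoveryInformation objects, and PowerShell remoting to the device. The function name `Compare-BitLockerRecoveryInfoWithAdds` and the computer name `WKS-EXAMPLE` are placeholders for this example.

```powershell
# Added example: compare recovery password protector IDs on a device with the
# msFVE-RecoveryInformation objects stored under its AD DS computer object.

function Compare-BitLockerRecoveryInfoWithAdds {
    param(
        [Parameter(Mandatory)] [string]$ComputerName
    )

    # 1. Recovery password protector IDs present on the device, per volume (OS and fixed drives).
    $device = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-BitLockerVolume | ForEach-Object {
            $mp = $_.MountPoint; $vt = $_.VolumeType
            $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
                [pscustomobject]@{ MountPoint = $mp; VolumeType = $vt; RecoveryId = $_.KeyProtectorId }
            }
        }
    }

    # 2. Recovery GUIDs stored in AD DS. Each msFVE-RecoveryInformation object is named
    #    "<timestamp>{<RecoveryGuid>}" and is a child of the computer object.
    $computer = Get-ADComputer -Identity $ComputerName
    $stored = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                           -SearchBase $computer.DistinguishedName -Properties whenCreated |
              ForEach-Object {
                  if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') {
                      [pscustomobject]@{ RecoveryId = "{$($Matches[1])}".ToUpperInvariant(); WhenCreated = $_.whenCreated }
                  }
              }
    $storedIds = @($stored.RecoveryId)

    # 3. A protector the directory does not know about cannot be recovered from AD DS.
    foreach ($p in $device) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            MountPoint   = $p.MountPoint
            VolumeType   = $p.VolumeType
            RecoveryId   = $p.RecoveryId
            InAdds       = $storedIds -contains $p.RecoveryId.ToUpperInvariant()
        }
    }
}

Compare-BitLockerRecoveryInfoWithAdds -ComputerName 'WKS-EXAMPLE' | Format-Table -AutoSize
```

The check only looks at recovery passwords; when the profile is set to ‘Password and Key’, the key package is stored on the same msFVE-RecoveryInformation object, so a protector that reports `InAdds = True` here has its key package there as well. A `False` row on a volume encrypted under this profile points at a failed or delayed backup, which "Do not enable BitLocker until recovery information is stored in AD DS" is meant to prevent for newly encrypted volumes but not for protectors rotated afterwards.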