Category filter

How to manage BitLocker?

BitLocker is Microsoft’s built-in full volume encryption tool for Windows PC that enforces encryption on OS drives, fixed data drives, and removable drives for data protection. BitLocker encryption helps prevent unauthorized access to data on lost or stolen devices by encrypting the entire Windows operating system volume on the hard disk and verifying the boot process integrity. When used in conjunction with TPM versions 1.2 and above, BitLocker can validate system files and boot activity. The Device encryption feature on Windows devices automatically activates the BitLocker on Windows 10 or later devices. This automatic activation occurs when a user signs in for the first time with a personal Microsoft account or a work/school account. The Device encryption feature itself serves as a mechanism that facilitates this process, ensuring BitLocker is automatically engaged upon login. This enhances data security without requiring the users to manually enable encryption. Hexnode UEM enables you to set up and manage BitLocker policy to help you configure encryption and recovery settings on Windows devices remotely.

Notes:

Supported on:
- Windows 10 Pro, Enterprise, and Education editions.
- Windows 11 Pro, Enterprise, and Education editions.
The TPM is a microchip added to the machine that runs an authentication check on the PC’s hardware, software, and firmware. However, BitLocker encryption is also possible on systems that do not have a TPM, but the user will be prompted to plug in the BitLocker USB key every time the system boots.
The BitLocker policy, when deployed, can only prompt the user to encrypt the device. To remotely encrypt the OS drives with the associated policy configuration, use the Force BitLocker Encryption action.

Configure BitLocker encryption with Hexnode UEM

Log in to your Hexnode UEM portal. Navigate to the Policies tab. Click on New Policy to create a new one.
(or)
Click on any policy to edit an existing one. Enter the Policy Name and Description in the provided fields.
Navigate to Windows > Select BitLocker under Security.
Click on Configure.
Configure BitLocker settings.

BitLocker Settings	Description
Require encryption for OS and fixed data drives	Tick this option to make it a compliance requirement to turn on encryption for writing data to OS and fixed drives. If the drives are left unencrypted, the device is marked non-compliant in the Hexnode portal. Note: The BitLocker compliance check does not function for devices enrolled via Native Enrollment. So even if the OS and fixed drives are unencrypted, those devices won’t be marked as non-compliant in the portal. If drive decryption on a Windows device is incomplete or in progress, enabling this option and applying the BitLocker policy will cause the BitLocker encryption to fail. To ensure the BitLocker policy is successful, re-apply the policy once decryption is complete.
Hide warning about existing third-party encryption	Check this option to disable the BitLocker setup wizard warning and the prompt to confirm that no third-party encryption is present. Note: This option is only applicable to devices running Windows 10 and later. When this option is enabled, along with the “Require encryption for OS and fixed data drives” option, BitLocker will be enabled silently under the following circumstances: The OS drive’s recovery key will be backed up to the user’s Microsoft Entra account (if logged in on the device). Without a Microsoft Entra account on the device, the user will receive a prompt to select where to back up the OS drive’s recovery key. To back up fixed data drives silently, the Windows devices need to be linked to either an Active Directory (AD), Microsoft Entra, or a personal OneDrive account. The backup destination for fixed data drives is prioritized in the following order: The user’s Windows Server Active Directory Domain Services account. The user’s Microsoft Entra account. The user’s personal OneDrive (MDM/MAM only). BitLocker encryption will defer until one of these three locations backs up successfully.
Escrow recovery password to Hexnode UEM	Check this option to retrieve the BitLocker recovery password from the device and store it in the UEM console, under Manage > Device Summary > Hardware Info. Note: Deploying a BitLocker policy with this option enabled on a manually encrypted device will still escrow the recovery password to the UEM console.

Recovery Password rotation

Configure this option to automatically rotate the recovery password for operating systems and fixed drives once it’s used to unlock the drive. This feature will only be effective if Active Directory backup for the recovery password is enforced.

For OS drive: Within the BitLocker policy, enable Do not enable BitLocker until recovery information is stored in AD DS in OS Drive Settings > Configure BitLocker OS drive policy > Configure recovery options.

For Fixed drive: Within the BitLocker policy, enable Do not enable BitLocker until recovery information is stored in AD DS in OS Drive Settings > Configure BitLocker fixed drive policy > Configure recovery options.

Configure Recovery Password rotation

Notes:

Configuring the Recovery Password rotation option for devices not connected to Microsoft Entra ID will result in the failure of the BitLocker policy.

Settings	Description
Not Configured	The configuration will not take effect on the devices, and they will keep operating as per their default behavior.
Do not rotate Recovery Password	Choosing this option will keep the recovery password unchanged for operating systems and fixed drives after it has been used to unlock the drive.
Rotate Recovery Password for Microsoft Entra joined devices	Selecting this option will rotate the recovery password for devices enrolled via Microsoft Entra ID.
Rotate Recovery Password for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices	Selecting this option will rotate the recovery password for devices enrolled through both Microsoft Entra ID and Microsoft Entra ID hybrid.

OS Drive Settings

Configure BitLocker OS drive policy

Enable the option to configure the BitLocker OS drive settings.

Configure BitLocker OS drive policy

Settings	Description
Configure encryption method	Configure the encryption method (XTS-AES or AES CBC) and cipher strength (128 bit or 256 bit) used by BitLocker for the operating system drives. Choose either of the options from AES CBC 128, AES CBC 256, XTS-AES 128, and XTS-AES 256. BitLocker uses the default encryption method of XTS-AES 128-bit when this option is not configured. Note: Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. If you have specified the encryption method for the OS drive, it is necessary that you do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.
Configure additional startup authentication settings	Enable the option to configure whether BitLocker requires additional authentication at system startup to provide added protection for encrypted data.

Settings

Description

Configure encryption method

Configure the encryption method (XTS-AES or AES CBC) and cipher strength (128 bit or 256 bit) used by BitLocker for the operating system drives. Choose either of the options from AES CBC 128, AES CBC 256, XTS-AES 128, and XTS-AES 256.

BitLocker uses the default encryption method of XTS-AES 128-bit when this option is not configured.

Note:

Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.
If you have specified the encryption method for the OS drive, it is necessary that you do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.

Configure additional startup authentication settings

Enable the option to configure whether BitLocker requires additional authentication at system startup to provide added protection for encrypted data.

Configure additional startup authentication settings

Settings	Description
Allow BitLocker to be activated on devices without a compatible TPM	Check whether your device has a compatible TPM (more info). Tick this option to enable users to configure BitLocker on the device without a compatible TPM. If the option is disabled and the device doesn’t contain a compatible TPM, encrypting the device using the ‘Force BitLocker Encryption’ remote action will fail. Note: For systems that do not have a TPM, either a fallback password or a startup key is required for startup. The startup key is stored on a USB flash drive.
Configure advanced authentication options for devices with compatible TPM	Configure the additional authentication requirements, including the use of the Trusted Platform Module (TPM) or startup PIN requirements. Allow options: The user can choose whether to configure additional authentication using the allowed options. TPM startup – BitLocker can use TPM, if present. Startup PIN – BitLocker uses the TPM, if present, and allows a 6- to 20-digit startup PIN to be configured by the user. Startup Key – BitLocker uses the TPM, if present, and allows a startup key (stored in an inserted USB drive) to be present to unlock the drives. The unchecked options are denied. Required Options: The user is forced to set up the authentication method from the following options. TPM startup – BitLocker uses TPM, if present. Startup PIN – BitLocker uses the TPM, if present, and requires a startup PIN to be configured by the user. Startup Key – BitLocker uses the TPM, if present, and requires a startup key (stored in an inserted USB drive) to be used to unlock the drives. The unchecked options are denied. Exception: Microsoft Surface tablets do not support the use of the Startup PIN. So, when a policy is applied with Startup PIN enabled under Allow Options/Required Options, executing the Force BitLocker Encryption action will fail with the error message: “No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. (Exception from HRESULT: 0x803100B5).”
Minimum PIN length	Enter the minimum startup PIN length if TPM and PIN are required during BitLocker enablement. You can set a value in the range 6 (default) – 20 digits.

Settings

Description

Allow BitLocker to be activated on devices without a compatible TPM

Check whether your device has a compatible TPM (more info).

Tick this option to enable users to configure BitLocker on the device without a compatible TPM.

If the option is disabled and the device doesn’t contain a compatible TPM, encrypting the device using the ‘Force BitLocker Encryption’ remote action will fail.

Note:

For systems that do not have a TPM, either a fallback password or a startup key is required for startup. The startup key is stored on a USB flash drive.

Configure advanced authentication options for devices with compatible TPM

Configure the additional authentication requirements, including the use of the Trusted Platform Module (TPM) or startup PIN requirements.

Allow options: The user can choose whether to configure additional authentication using the allowed options.
1. TPM startup – BitLocker can use TPM, if present.
2. Startup PIN – BitLocker uses the TPM, if present, and allows a 6- to 20-digit startup PIN to be configured by the user.
3. Startup Key – BitLocker uses the TPM, if present, and allows a startup key (stored in an inserted USB drive) to be present to unlock the drives.
The unchecked options are denied.
Required Options: The user is forced to set up the authentication method from the following options.
1. TPM startup – BitLocker uses TPM, if present.
2. Startup PIN – BitLocker uses the TPM, if present, and requires a startup PIN to be configured by the user.
3. Startup Key – BitLocker uses the TPM, if present, and requires a startup key (stored in an inserted USB drive) to be used to unlock the drives.
The unchecked options are denied.

Exception:

Microsoft Surface tablets do not support the use of the Startup PIN. So, when a policy is applied with Startup PIN enabled under Allow Options/Required Options, executing the Force BitLocker Encryption action will fail with the error message:

“No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. (Exception from HRESULT: 0x803100B5).”

Minimum PIN length

Enter the minimum startup PIN length if TPM and PIN are required during BitLocker enablement.

You can set a value in the range 6 (default) – 20 digits.

Configure pre-boot recovery message and URL

Check this option to configure a custom pre-boot recovery message and URL so as to guide users on how to find their recovery password. The recovery message and URL are visible to the user when they’re locked out of their PC in recovery mode.

Note:

Leaving both the Recovery message and Recovery URL fields blank will make the system use its default recovery message and URL.

Configure recovery options

Enable this setting to configure additional options for the recovery of encrypted OS drives in the absence of the required startup key information.

Note:

If this option has not been enabled while deploying the policy and the end user is locked out of the device without the recovery information, there is no alternative to using the device again other than to wipe the drive and reinstall the OS.

Make sure you enable the Escrow recovery password to Hexnode UEM while configuring the BitLocker policy so that the recovery password can still be retrieved from the UEM console.

Configure recovery options

Settings	Description
Users must generate a recovery key or password	Specify whether the user is required to generate a 48-digit recovery password or insert a USB flash drive containing a 256-bit recovery key. The options include: Only Recovery Key Only Recovery Password Both Recovery Key and Password Recovery Key, Password or both
Save BitLocker recovery information to Active Directory Domain Services (AD DS)	Configure this option to store the BitLocker recovery information on OS drives to Active Directory Domain Services. (This includes both Azure AD and on-premises AD. Depending on the connection, an appropriate directory will be used.)Available options include: Password Only – Only the recovered password is stored in AD DS. The recovery key packages might not be accessible when needed. Password and Key – Both the BitLocker recovery password and key package are stored in AD DS. Disable – BitLocker recovery information is not backed up to AD DS. Notes: To see the BitLocker recovery information, administrative roles within Azure AD should have microsoft.directory/bitlockerKeys/key/read permission. For more information on which Azure AD roles have which permissions, see Azure AD role descriptions. The BitLocker Recovery Password Viewer for Active Directory users and computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in the Active Directory. If TPM startup is set as the required option under Configure advanced authentication options for devices with compatible TPM and the recovery information is generated, it is advised to save BitLocker info to AD DS. It would prevent losing access to the drive if TPM is damaged and recovery info is lost.
Block certificate-based data recovery agent	Check this option to block the ability to use Data Recovery Agent (DRA) to recover BitLocker-protected operating system drives. Notes: Data recovery agents are individuals who can use their credentials to unlock the drive. The OS drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. To use DRA for BitLocker, it must be added from the Public Key Policies item to either the Group Policy Management Console or the Local Group Policy Editor.
Hide recovery options on the device	Tick this option to prevent users from specifying extra recovery options such as printing recovery keys when they enable BitLocker on an OS drive through a setup wizard.
Do not enable BitLocker until recovery information is stored in AD DS	Check this option to disable BitLocker unless the computer is connected to a domain and the backup of BitLocker recovery information to AD DS succeeds.

Fixed Drive Settings

Configure BitLocker fixed drive policy

Enable this option to configure the BitLocker fixed drive settings.

Configure BitLocker fixed drive policy

Settings	Description
Configure encryption method	Configure the algorithm and cipher strength used by BitLocker Drive Encryption for fixed drives. Choose either of the options from AES CBC 128, AES CBC 256, XTS-AES 128, and XTS-AES 256. BitLocker uses the default encryption method of XTS-AES 128-bit when this option is not configured. Note: Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. If you have specified the encryption method for a fixed drive, it is necessary that you do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.
Block access to drives not protected by BitLocker	Deny write access to fixed drives that are not BitLocker-protected. If a fixed drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted.
Configure recovery options	Check this option to recover the encrypted fixed drives in the absence of the required credentials. Note: If this option has not been enabled while deploying the policy and the end user is locked out of the device without the recovery information, there is no alternative to using the device again other than to wipe the drive and reinstall the OS. Make sure you enable the Escrow recovery password to Hexnode UEM while configuring the BitLocker policy so that the recovery password can still be retrieved from the UEM console.

Configure recovery options

Settings	Description
Users must generate a recovery key or password	Specify whether users are required to generate a 48-digit recovery password or a 256-bit recovery key. The options include: Only Recovery Key Only Recovery Password Both Recovery Key and Password Recovery Key, Password or both
Save BitLocker recovery information to Active Directory Domain Services (AD DS)	You may configure this option if you want to store the BitLocker recovery information on fixed data drives to Active Directory Domain Services. (This includes both Azure AD and on-premises AD. Depending on the connection, an appropriate directory will be used.) Available options include: Password Only – Only the recovered password is stored in AD DS. The recovery key packages might not be accessible when needed. Password and Key – Both the BitLocker recovery password and key package are stored in AD DS. Disable – BitLocker recovery information is not backed up to AD DS. Notes: To see the BitLocker recovery information, administrative roles within Azure AD should have microsoft.directory/bitlockerKeys/key/read permission. For more information on which Azure AD roles have which permissions, see Azure AD role descriptions. If TPM startup is set as the required option under Configure advanced authentication options for devices with compatible TPM and the recovery information is generated, it is advised to save BitLocker info to AD DS. It would prevent losing access to the drive if TPM is damaged and recovery info is lost.
Block certificate-based data recovery agent	Check this option to block the ability to use Data Recovery Agent (DRA) to recover BitLocker-protected fixed drives.
Hide recovery options on the device	Tick this option to prevent users from specifying extra recovery options such as printing recovery keys when they enable BitLocker on a fixed drive through a setup wizard.
Do not enable BitLocker until recovery information is stored in AD DS	Check this option to disable BitLocker unless the computer is connected to a domain and the backup of BitLocker recovery information to AD DS succeeds.

Removable Drive Settings

Configure BitLocker removable drive policy

Enable this option to configure the BitLocker removable drive settings.

Configure BitLocker removable drive policy

Settings	Description
Configure encryption method	Configure the algorithm and cipher strength used by BitLocker Drive Encryption for removable drives. Choose either of the options from AES CBC 128, AES CBC 256, XTS-AES 128, and XTS-AES 256. BitLocker uses the default encryption method of AES CBC 128-bit when this option is not configured. Note: Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. If you have specified the encryption method for a fixed drive, it is necessary that you do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.
Block access to drives not protected by BitLocker	Deny write access to removable drives that are not protected by BitLocker. If an inserted removable drive is not encrypted, the user must complete the BitLocker setup wizard for the drive before write access is granted.

Settings

Description

Configure encryption method

Configure the algorithm and cipher strength used by BitLocker Drive Encryption for removable drives. Choose either of the options from AES CBC 128, AES CBC 256, XTS-AES 128, and XTS-AES 256.

BitLocker uses the default encryption method of AES CBC 128-bit when this option is not configured.

Note:

Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.
If you have specified the encryption method for a fixed drive, it is necessary that you do the same for all the other drive types. If the encryption method is not specified for a drive type, default configurations will be sent.

Block access to drives not protected by BitLocker

Deny write access to removable drives that are not protected by BitLocker. If an inserted removable drive is not encrypted, the user must complete the BitLocker setup wizard for the drive before write access is granted.

How to check whether your device has a compatible TPM?

Method 1

Press Win+R and open Run > Type tpm.msc > Click OK to open the TPM Management snap-in console.
It will show whether your device has a compatible TPM or not.

Method 2

Press Win+R and open Run > Type tpm.msc > Click OK to open the Device Manager.
Check to see if you have Security devices listed. If yes, expand Security devices to see if you can see a TPM with its version number.

Method 3

Beginning with Windows 10, version 1803, you can check TPM status in Windows Defender Security Center > Device Security > Security processor details.

Apply the BitLocker configuration to target entities using Hexnode UEM

There are two ways by which you can associate restrictions to the devices in bulk.

If you haven’t saved the policy yet,

Navigate to Policy Targets.
Click on + Add Devices, search and select the required device(s) to which you need to apply the policy. Click OK.
Click on Save to apply the policies to the devices.

Note:

To associate the policies to a device group, select Device Groups from the left pane under Policy Targets, and follow the above instructions. Similarly, you can associate the policy to Users, User Groups, or Domains from the same pane.

If you’ve already saved the policy and taken to the page which displays the policy list,

Select the required policy.
Click on Manage and select Associate Targets.
Search and select the devices/ users/ device groups/ user groups/ domains to which you need to apply the policy. Click Associate.

Note:

Applying the BitLocker policy to a device with Device encryption enabled will result in policy failure. For the successful application of the BitLocker policy, it is mandatory to manually decrypt the BitLocker beforehand. Users can verify whether the Device encryption feature is already enabled on their device by navigating to Settings > Privacy and security > Device encryption before applying the policy.
Once the BitLocker policy is applied to your Windows PC, fixed data drives and removable data drives become write-protected (if the appropriate options are checked) until the BitLocker encryption is completed from the user end.

block disk write on system and removable data drives

Possible group policy conflicts

When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required.
Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted.
When the OS drive is to be encrypted, if the device has no compatible TPM, “Allow BitLocker without a compatible TPM” should be checked.
You cannot create both a recovery key and a recovery password at the same time.
If one startup authentication method is required, the other method cannot be allowed. If you require the startup key, you must not allow the startup PIN and vice versa.
If the deny write access to removable drives not protected by the BitLocker policy setting is enabled, the option to generate a recovery key must be disallowed.
Backup of BitLocker recovery information to AD DS must be enabled if both the recovery options are disallowed.

Need more help?

Raise a Ticket

Ask Community

Chat With us