BitLocker is the full-volume encryption feature built into Windows. It protects data at rest by encrypting the whole volume, so the disk is unreadable without a key protector: on a managed device that is normally the TPM, which releases the volume key at boot only if the measured boot chain is unchanged, with the 48-digit Recovery Key as the fallback. Because the TPM unlocks the volume automatically, users don't enter an extra password; they sign in to Windows as usual and use their files normally. The protection is against offline access (a powered-off or stolen device, or a drive moved to another machine), not against a running, unlocked system: once Windows has booted, the volume stays unlocked until shutdown, and logging out does not re-lock it.
ºÚÁϺ£½Ç91Èë¿Ú’s BitLocker policy lets IT Admins remotely enforce BitLocker Full Disk Encryption (FDE) on ºÚÁϺ£½Ç91Èë¿Ú-managed devices.
Considerations:
- Windows devices vary widely in hardware and in firmware (BIOS/UEFI) configuration. Test and verify impactful, fundamental security features before a wide rollout. We recommend that admins deploy the BitLocker policy to a controlled pilot group first and confirm the result in the Admin Portal before widespread deployment.
- Some devices ship with, or are configured with, a firmware setting that requires physical presence to modify the Trusted Platform Module (TPM). On those devices, a prompt that must be confirmed at the console appears whenever an attempt is made to modify or clear the TPM. The policy needs this confirmation to use the TPM as the BitLocker key protector. If the user dismisses the prompt, BitLocker can end up enabled but out of sync with the TPM, so the drive can no longer unlock automatically at boot and falls back to recovery. Test this behavior and manage it accordingly.
- Before you remove a device with the BitLocker policy, see Removing Windows Devices with the BitLocker Policy.
- ºÚÁϺ£½Ç91Èë¿Ú supports international languages in BitLocker encryption. The following languages have been verified by ºÚÁϺ£½Ç91Èë¿Ú:
- English
- German
- French
- Spanish
- Chinese
Encryption Considerations:
- The BitLocker policy leverages AES-256 for its encryption method.
- Because of the published vulnerabilities in the hardware encryption of self-encrypting drives, the BitLocker policy forces software encryption rather than delegating to the drive's own controller. For more information, see .
- On the Device Details page, the disk encryption status shown under both the Details and System Insights drop-downs can take up to 2 hours to populate, and the two fields may not update at the same time.
Prerequisites:
- Target devices must be running on Windows 10 Pro/Enterprise or Windows 11 Pro/Enterprise. The policy will fail if enabled on Windows 10 Home or Windows 11 Home Editions.
- Trusted Platform Module (TPM) Requirements:
- Device must have a TPM 2.0 chip present to enable BitLocker.
- The volume must not already have more than one numerical password (recovery password) key protector.
- TPM must be active.
- TPM must allow ownership.
- TPM must not currently be owned.
- No external drives, CDs, or DVDs may be mounted when the policy runs; otherwise BitLocker can struggle to determine which volume it needs to encrypt.
The Windows Allow BitLocker without a compatible TPM option isn't supported by ºÚÁϺ£½Ç91Èë¿Ú.
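The prerequisites above can be checked on a candidate device before the policy is assigned. The following PowerShell script is an added example, not code from this page or from the product's agent; it only reads state and changes nothing. It assumes it is run elevated on the device, that the OS volume is the one the policy will target, and it treats "Home" in the edition name as the unsupported case.

```powershell
# Added example (not the vendor's code): pre-flight check for the documented
# BitLocker policy prerequisites. Read-only; run as Administrator on the device.
#Requires -RunAsAdministrator

function Test-BitLockerPrereqs {
    $result = [ordered]@{}

    # 1. Edition: Home editions cannot run BitLocker, so the policy fails there.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.Edition   = $os.Caption
    $result.EditionOk = ($os.Caption -notmatch 'Home')

    # 2. TPM: Get-Tpm reports readiness/ownership; Win32_Tpm exposes the spec
    #    version as a string such as "2.0, 0, 1.38".
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent     = $tpm.TpmPresent
    $result.TpmReady       = $tpm.TpmReady
    $result.TpmActivated   = $tpm.TpmActivated
    $result.TpmOwned       = $tpm.TpmOwned
    $result.TpmSpecVersion = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'unknown' }
    $result.TpmIs20        = ($result.TpmSpecVersion -like '2.0*')

    # 3. Removable media: anything mounted here can confuse volume selection
    #    when the policy runs, so list it and require the list to be empty.
    $removable = Get-Volume | Where-Object { $_.DriveType -in 'Removable','CD-ROM' -and $_.DriveLetter }
    $result.RemovableMounted = @($removable | ForEach-Object { "$($_.DriveLetter):" })
    $result.RemovableOk      = ($result.RemovableMounted.Count -eq 0)

    # 4. Current BitLocker state of the OS volume. Escrow on this page keys on
    #    at most one numerical password (RecoveryPassword) protector.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $numerical = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $result.VolumeStatus          = $vol.VolumeStatus
        $result.ProtectionStatus      = $vol.ProtectionStatus
        $result.EncryptionMethod      = $vol.EncryptionMethod
        $result.NumericalProtectors   = $numerical.Count
        $result.NumericalProtectorsOk = ($numerical.Count -le 1)
    } catch {
        # The BitLocker module is absent on Home editions.
        $result.VolumeStatus          = 'unavailable'
        $result.NumericalProtectors   = $null
        $result.NumericalProtectorsOk = $false
    }

    [pscustomobject]$result
}

$r = Test-BitLockerPrereqs
$r | Format-List
if ($r.EditionOk -and $r.TpmPresent -and $r.TpmIs20 -and $r.TpmReady -and
    $r.RemovableOk -and $r.NumericalProtectorsOk) {
    Write-Host 'Device meets the documented prerequisites for the BitLocker policy.'
} else {
    Write-Warning 'One or more prerequisites are not met; review the fields above before assigning the policy.'
}
```

Run it on a few representative hardware models from the pilot group; the TPM fields are the ones most likely to differ between vendors, and TpmOwned/TpmReady are worth recording alongside the policy result when a device fails to encrypt.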
Admin Experience
IT Admins can create a policy to force BitLocker encryption on managed devices and easily view Recovery Keys.
To create a BitLocker policy:
- Log in to the .
- Go to DEVICE MANAGEMENT > Policies.
- Under the All tab, click ( + ).
- Select the Windows tab.
- Select the BitLocker Full Disk Encryption policy, then click policy.
- (Optional) Select Encrypt All Non-Removable Drives to encrypt all fixed drives on the devices the policy will be enforced on.
- Apply the policy to a group of devices in the Device Groups list, or to an individual device in the Devices list.
- Click save.
After an Admin saves the policy, ºÚÁϺ£½Ç91Èë¿Ú enables BitLocker on the devices where this policy is applied.
- When the device's volume is completely encrypted, you can view a Recovery Key that can be used to unlock all encrypted drives on that device.
- The drive isn't fully encrypted until the policy result shows that it was applied successfully in the Admin Portal.
- Removing this policy doesn't disable BitLocker or remove key protectors.
The Admin must wait for the following actions to happen before the Recovery Key can be viewed:
- A user sees a prompt requesting that they restart their device to enable BitLocker.
- In the Admin Portal, go to DEVICE MANAGEMENT > Policy Management.
- Verify that the Policy Status is updated to BitLocker Not Protected - Encryption has been enabled. Device drive encryption will begin on the next boot.
- The user restarts their device.
- BitLocker begins encrypting the user's volume.
After the drive is completely encrypted, Admins can view the Recovery Key:
- In the Admin Portal, go to DEVICE MANAGEMENT > Policy Management.
- Select the BitLocker Full Disk Encryption policy, and then select the Devices tab to display a list of encrypted devices.
- From the list, locate the device and click view key to display the device's Recovery Key.
Users who are not local administrators on the device can't disable BitLocker.
The view key button will not appear until the device is completely encrypted.
Checking Status of BitLocker Encryption
If you have System Insights enabled, you can view the status of your devices’ encryption in the Admin Portal.
To view the encryption status of the drives on a device:
- In the Admin Portal, go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab.
- Select the device, then select the Insights tab.
- View the status of the disk encryption under System and Hardware. The Encryption Status field displays one of these statuses:
- Decrypted
- Encrypted
- Encrypted (Suspended)
- Encrypting… (XX%)
- Decrypting… (XX%)
- Encryption Paused (XX%)
- Decryption Paused (XX%)
User Experience
After a BitLocker policy is applied, users see the following behavior on their devices:
- A notification appears requesting that the user restart their device to enable BitLocker.
- After the user restarts the device, BitLocker encrypts the drive silently in the background until encryption is complete.
Expected Behavior
- If ºÚÁϺ£½Ç91Èë¿Ú detects that BitLocker is already enabled and only has one numerical password stored, we capture and store the Numerical Password (Recovery Key) in ºÚÁϺ£½Ç91Èë¿Ú.
- For BitLocker configurations that the administrator sets up locally on the device rather than through the policy (for example, without a TPM, with TPM 1.2, or with a PIN), the administrator applies whatever settings their requirements call for. As long as the Protection Status is Protection On and exactly one numerical password key protector is present, ºÚÁϺ£½Ç91Èë¿Ú captures and escrows that key. This lets Admins use ºÚÁϺ£½Ç91Èë¿Ú for key storage without relying on the policy to configure BitLocker. Apply the policy only after the device is already in this state with protection on; otherwise the policy configures BitLocker as described above.
- If you select Encrypt All Non-Removable Drives when creating the policy, you will receive a single Recovery Key for all drives.
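The local configuration that the "Expected Behavior" notes describe (Protection On, exactly one numerical password protector) can be set up and verified with the BitLocker PowerShell module. The script below is an added example, not code from this page or the product; it assumes it runs elevated on a device that meets the prerequisites and that the OS volume is the target. It never deletes a protector on its own, because a removed numerical password may be the only copy someone holds; it reports extras and leaves the consolidation command in a comment.

```powershell
# Added example (not the vendor's code): bring a volume into the state the agent
# escrows from: TPM protector, exactly one numerical password, protection on.
#Requires -RunAsAdministrator

function Initialize-EscrowableBitLocker {
    param([string]$MountPoint = $env:SystemDrive)   # assumption: OS volume

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # TPM protector: on a still-decrypted drive Enable-BitLocker creates it and
    # starts encryption (-SkipHardwareTest avoids the pre-encryption reboot check);
    # on a drive that is already encrypted, just add the protector.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
                -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
        } else {
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        }
    }

    # Exactly one numerical password protector.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $numerical = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($numerical.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } elseif ($numerical.Count -gt 1) {
        Write-Warning "$MountPoint has $($numerical.Count) numerical password protectors; the key is not escrowed until only one remains."
        $numerical | ForEach-Object { Write-Warning "  $($_.KeyProtectorId)" }
        # After copying every key somewhere safe, consolidate with:
        #   Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId '<id>'
    }

    # An encrypted volume whose protection is Off is suspended; resume it so the
    # status reads Protection On.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
            @{ n = 'NumericalProtectors'
               e = { @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count } }
}

Initialize-EscrowableBitLocker
```

The final object is the local equivalent of what the Admin Portal reports: VolumeStatus maps to the Encryption Status values listed above, and ProtectionStatus plus NumericalProtectors are the two conditions the escrow logic checks.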
Encryption Standard Outcomes
| Encryption status of fixed internal drives | Outcome |
|---|---|
| Not encrypted when the ºÚÁϺ£½Ç91Èë¿Ú BitLocker policy was applied. | Drives are encrypted to the AES-256 standard. |
| Previously encrypted to the AES-128 standard. | Drives retain AES-128 encryption and their encryption key(s) are escrowed in ºÚÁϺ£½Ç91Èë¿Ú. The drives are not decrypted and re-encrypted to AES-256. |
Removing Windows Devices with the BitLocker Policy
When you delete devices where you applied the Windows BitLocker policy, Recovery Keys for that device are also deleted and no longer accessible from the Admin Portal.
Removing a BitLocker policy doesn't disable BitLocker or remove key protectors on the device.
If a device is deleted from ºÚÁϺ£½Ç91Èë¿Ú and it has a BitLocker policy:
- The device volume remains encrypted.
- If BitLocker later enters recovery (for example, after a firmware update, a boot configuration change, or a cleared TPM), nothing can unlock the drive without the Recovery Key, and you could be locked out of the device with no way to recover it.
You can avoid getting locked out of a Windows BitLocker device by:
- Copying the Recovery Key before you remove it from ºÚÁϺ£½Ç91Èë¿Ú.
- Storing the copied key in a safe, accessible location.
You can copy keys from the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal and from the Windows command prompt.
To copy a Recovery Key from the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal:
- In the Admin Portal, go to DEVICE MANAGEMENT > Devices.
- Select the Devices tab, then select a Windows device with the BitLocker policy.
- In the rightmost column, click the Actions menu.
- From the dropdown, select Recovery Key. The Recovery Key modal displays the device’s recovery key.
To copy a Recovery Key from the Windows command prompt:
- On the Windows device, open a command prompt, running it as an administrator.
- Run the following command, substituting the drive letter: manage-bde -protectors -get <drive letter> (for example, manage-bde -protectors -get C:). The Numerical Password entry in the output is the 48-digit Recovery Key, and its ID is the Key Protector ID shown on the BitLocker recovery screen.
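Copying keys by hand from a command window is error-prone when a device has several fixed drives. The following PowerShell script is an added example, not code from this page or the product: it collects every numerical password on the device into one file and restricts that file to SYSTEM and local Administrators. The output path is an assumption; the file is an interim copy to move into your key vault and then delete.

```powershell
# Added example (not the vendor's code): export all BitLocker recovery passwords
# on this device before it is removed from management. Run as Administrator.
#Requires -RunAsAdministrator

$outFile = Join-Path $env:ProgramData 'bitlocker-recovery-backup.txt'   # assumption

function Export-RecoveryPasswords {
    param([string]$Path)

    $lines = foreach ($vol in Get-BitLockerVolume) {
        # Only fixed volumes; removable (BitLocker To Go) volumes are out of scope here.
        if ($vol.VolumeType -in 'OperatingSystem', 'Data') {
            foreach ($kp in $vol.KeyProtector) {
                if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                    # KeyProtectorId is the GUID shown on the recovery screen;
                    # RecoveryPassword is the 48-digit key that unlocks the drive.
                    "{0}`t{1}`t{2}" -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
                }
            }
        }
    }
    if (-not $lines) { throw 'No numerical password protectors found; nothing to back up.' }

    Set-Content -Path $Path -Value "MountPoint`tKeyProtectorId`tRecoveryPassword" -Encoding ASCII
    Add-Content -Path $Path -Value $lines -Encoding ASCII

    # Strip inherited ACEs; grant only SYSTEM (S-1-5-18) and Administrators
    # (S-1-5-32-544) by SID so the command is locale-independent.
    icacls $Path /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null

    @($lines).Count
}

$count = Export-RecoveryPasswords -Path $outFile
Write-Host "$count recovery password(s) written to $outFile. Move this file to your key vault, then delete the local copy."
```

If a volume lists more than one numerical password, keep all of them: any one of them unlocks the drive, and you cannot tell from the Admin Portal alone which one was escrowed.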
To remove a BitLocker recovery key stored in ºÚÁϺ£½Ç91Èë¿Ú from a device that has its disk fully decrypted:
- Remove the device from your ºÚÁϺ£½Ç91Èë¿Ú org.
- Install the ºÚÁϺ£½Ç91Èë¿Ú agent manually. See Installing the Windows Agent Manually.
If you need to re-encrypt the device, rebind the device to your original or new BitLocker policy in ºÚÁϺ£½Ç91Èë¿Ú. ºÚÁϺ£½Ç91Èë¿Ú will not overwrite an already saved or escrowed key from a previous BitLocker encryption on the same device. Because of this, you must perform the steps listed above to have a newly escrowed key saved in your ºÚÁϺ£½Ç91Èë¿Ú org from a disk re-encryption.
Troubleshooting
See Troubleshoot: BitLocker Policy for Windows Devices.