
ES-DV01: Enable Windows 10 and Later Disk Encryption (BitLocker)

Introduction

This configuration silently enables BitLocker encryption on the OS drive and fixed data drives of Windows 10 and later devices. The BitLocker recovery keys are backed up to Azure AD and rotated automatically after a key is used on a device.

  • Encrypt Operating System drive and fixed drives using AES 256bit XTS
  • Encrypt drive using TPM, without a pin or startup key
  • Configure BitLocker silently without any user interaction
  • Save BitLocker recovery keys to Azure AD
  • Allow silently enabling BitLocker during Azure AD Join for users who are not local administrators
  • BitLocker won’t be enabled until recovery keys have been successfully saved to Azure Active Directory

BitLocker will only be enabled if a TPM is present and usable.

Requirements

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware
  • TPM (Trusted Platform Module) 1.2 or later
  • Devices must have the BIOS configured for UEFI boot mode
  • The Device must be enrolled into Microsoft Endpoint Manager

Profile Settings

BitLocker – Base Settings

Enable full disk encryption for OS and fixed data drives: Yes
Hide prompt about third-party encryption: Yes
Allow standard users to enable encryption during Autopilot: Yes
Configure client-driven recovery password rotation: Enable rotation on Azure AD and Hybrid-joined devices

BitLocker – Fixed Drive Settings

BitLocker fixed drive policy: Configure
Fixed drive recovery: Configure
  Recovery key file creation: Allowed
  Configure BitLocker recovery package: Password and key
  Require device to back up recovery information to Azure AD: Yes
  Recovery password creation: Allowed
  Hide recovery options during BitLocker setup: Yes
  Enable BitLocker after recovery information to store: Yes
Block write access to fixed data-drives not protected by BitLocker: Yes
Configure encryption method for OS drives: AES 256bit XTS

BitLocker – OS Drive Settings

BitLocker system drive policy: Configure
Startup authentication required: Yes
  Compatible TPM startup: Required
  Compatible TPM startup PIN: Blocked
  Compatible TPM startup key: Blocked
  Compatible TPM startup key and PIN: Blocked
  Disable BitLocker on devices where TPM is incompatible: Yes
System drive recovery: Configure
  Recovery key file creation: Allowed
  Configure BitLocker recovery package: Password and key
  Require device to back up recovery information to Azure AD: Yes
  Recovery password creation: Allowed
  Hide recovery options during BitLocker setup: Yes
  Enable BitLocker after recovery information to store: Yes
Minimum PIN length: 10
Configure encryption method for OS drives: AES 256bit XTS

BitLocker – Removable Drive Settings

BitLocker – Removable Drive Settings: Configure
Configure encryption method for removable data-drives: AES 256bit XTS
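The following script is an added example and is not part of the original profile or its publisher's tooling. It audits a device against the intent of the Requirements and Profile Settings sections above: TPM present and ready, UEFI boot, OS and fixed data drives encrypted with XTS-AES 256, a TPM-only startup protector on the OS drive (no PIN or startup key), and a recovery password protector on every in-scope volume. It uses only in-box cmdlets (Get-Tpm, Get-Volume, Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector); the -EscrowToAzureAD switch is a name chosen here, and the compliance output format is an assumption. Run it from an elevated PowerShell session on the enrolled device.

```powershell
# Added example (not from the original page): audit a Windows 10/11 device
# against the ES-DV01 profile intent. Run elevated on the device.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Hypothetical switch: also push each recovery password to Azure AD, which
    # the "Require device to back up recovery information to Azure AD" setting
    # does automatically once the profile applies.
    [switch]$EscrowToAzureAD
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- Requirements: TPM present and ready, UEFI firmware ---
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings.Add('TPM not present: the profile will not enable BitLocker on this device')
} elseif (-not $tpm.TpmReady) {
    $findings.Add('TPM present but not ready: initialise it before expecting encryption')
}
if ($env:firmware_type -ne 'UEFI') {
    $findings.Add("Firmware type is '$($env:firmware_type)': profile requires UEFI boot mode")
}

# Map "C:" style mount points to Fixed/Removable so fixed data drives can be
# told apart from removable ones (the profile only sets the removable
# encryption method; it does not force encryption on them).
$driveType = @{}
Get-Volume | Where-Object DriveLetter | ForEach-Object {
    $driveType["$($_.DriveLetter):"] = $_.DriveType
}

foreach ($vol in Get-BitLockerVolume) {
    $mp    = $vol.MountPoint
    $kinds = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)

    if ($vol.VolumeType -eq 'Data' -and $driveType[$mp] -eq 'Removable') { continue }

    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("$mp protection is $($vol.ProtectionStatus) (volume status: $($vol.VolumeStatus))")
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -ne 'XtsAes256') {
        $findings.Add("$mp uses $($vol.EncryptionMethod); profile requires XtsAes256")
    }
    if ($kinds -notcontains 'RecoveryPassword') {
        $findings.Add("$mp has no recovery password protector; nothing can be backed up to Azure AD")
    }

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # Profile: "Compatible TPM startup" required; PIN / startup key variants blocked.
        if ($kinds -notcontains 'Tpm') {
            $findings.Add("$mp has no TPM-only protector (found: $($kinds -join ', '))")
        }
        $blocked = @($kinds | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        if ($blocked.Count -gt 0) {
            $findings.Add("$mp has a startup protector the profile blocks: $($blocked -join ', ')")
        }
    }

    # Optional remediation: escrow every recovery password protector to Azure AD.
    if ($EscrowToAzureAD) {
        foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
                Write-Verbose "$mp recovery password $($rp.KeyProtectorId) sent to Azure AD"
            } catch {
                $findings.Add("$mp escrow to Azure AD failed: $($_.Exception.Message)")
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: device matches the ES-DV01 BitLocker intent'
} else {
    Write-Output 'NON-COMPLIANT:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A clean result confirms the device state, not that the Intune profile itself was delivered; a device that was encrypted manually with the same settings also passes. Use the escrow switch only when a recovery password is known to be missing from Azure AD, since the profile already backs keys up before enabling protection.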

Assignments

Users, Groups and Devices

Includes: All Users
