Allowing BitLocker encryption on Windows 10 devices
BitLocker Drive Encryption is a data protection feature of the operating system that helps mitigate unauthorized data access when a device is lost or stolen. You can allow BitLocker encryption on
Windows 10 devices, and protection is strengthened if the device also has a Trusted Platform Module (TPM), which gives you the option to require additional authentication at startup (for example, a startup key, a PIN, or a removable USB drive). In
BlackBerry UEM, you can also create a compliance profile that prevents users from disabling BitLocker, which enforces its use on devices that require encryption.
You can configure the recovery options used to regain access to a BitLocker-protected operating system drive or data drive. Users can access recovery keys from the
Active Directory console, and if enabled, recovery passwords can be backed up to
Active Directory Domain Services so that an administrator can recover them using the BitLocker Recovery Password Viewer tool.
Configure the following
UEM IT policy rules to support BitLocker encryption on Windows 10 devices:
- BitLocker encryption method for desktop
- Allow storage card encryption prompts on the device
- Allow BitLocker Device Encryption to enable encryption on the device
- Set default encryption methods for each drive type
- Require additional authentication at startup
- Require minimum PIN length for startup
- Pre-boot recovery message and URL
- BitLocker OS drive recovery options
- BitLocker fixed drive recovery options
- Require BitLocker protection for fixed data drives
- Require BitLocker protection for removable data drives
- Allow recovery key location prompt
- Enable encryption for standard users
For more information about the BitLocker IT policy rules, see the Policy Reference Spreadsheet.
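The following script is an added example and is not part of the BlackBerry UEM documentation or product. Run from an elevated PowerShell session on a managed Windows 10 device, it checks that the device state matches the intent of the IT policy rules listed above (a ready TPM, the expected encryption method, TPM-based pre-boot authentication on the OS drive, a recovery password protector on each drive) and backs up every recovery password to Active Directory Domain Services so that an administrator can retrieve it with the BitLocker Recovery Password Viewer. The expected encryption method (XTS-AES 256) is an assumption and should be changed to whatever is set in the "Set default encryption methods for each drive type" rule.

```powershell
# Added example (not from the BlackBerry UEM documentation): verify on a Windows 10
# device that the BitLocker state matches the UEM IT policy rules, then back up any
# recovery password protectors to Active Directory Domain Services.
#Requires -RunAsAdministrator

Import-Module BitLocker
Import-Module TrustedPlatformModule

# Assumption: the UEM policy sets XTS-AES 256 for all drive types. Change this to match
# the "Set default encryption methods for each drive type" rule as configured in UEM.
$ExpectedMethod = 'XtsAes256'

# The "Require additional authentication at startup" rule is only meaningful when the
# TPM is present and ready; report that before looking at the volumes.
function Test-TpmReady {
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
    }
}

# One row per BitLocker volume (OS, fixed and currently attached removable drives).
function Get-BitLockerReport {
    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType           # OperatingSystem or Data
            VolumeStatus        = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus    = $vol.ProtectionStatus     # Off means no protectors or protection suspended
            EncryptionMethod    = $vol.EncryptionMethod
            MethodAsExpected    = ($vol.EncryptionMethod -eq $ExpectedMethod)
            # Pre-boot authentication is in place when the OS drive has a TPM protector
            # that also requires a PIN and/or a startup key.
            PreBootAuth         = ($protectorTypes -contains 'TpmPin' -or
                                   $protectorTypes -contains 'TpmStartupKey' -or
                                   $protectorTypes -contains 'TpmPinStartupKey')
            # Without a numeric recovery password there is nothing to back up to AD DS.
            HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
            Protectors          = ($protectorTypes -join ',')
        }
    }
}

# Back up each numeric recovery password to AD DS. The device must be domain joined and
# the BitLocker recovery options must allow AD DS backup for the write to succeed.
function Backup-RecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
                'Backed up recovery password {0} for {1}' -f $kp.KeyProtectorId, $vol.MountPoint
            }
        }
    }
}

Test-TpmReady
Get-BitLockerReport | Format-Table -AutoSize
Backup-RecoveryPasswordsToAD
```

Rows with ProtectionStatus set to Off, MethodAsExpected false, or PreBootAuth false on the OperatingSystem volume indicate that the corresponding IT policy rule has not taken effect on the device and are worth correlating with the compliance profile that prevents users from disabling BitLocker.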