Allowing BitLocker encryption on Windows 10 devices

BitLocker Drive Encryption is a data protection feature of the operating system that helps mitigate unauthorized data access when a device is lost or stolen. You can allow BitLocker encryption on Windows 10 devices, and protection is strengthened if the device also has a Trusted Platform Module (TPM), which gives you the option to require additional authentication at startup (for example, a startup key, PIN, or removable USB drive). In BlackBerry UEM, you can also create a compliance profile to prevent users from disabling BitLocker, enforcing its use on devices that require encryption.

You can configure the recovery options used to access a BitLocker-protected operating system drive or data drive. Users can access recovery keys from the Active Directory console, and if enabled, recovery passwords can be backed up to Active Directory Domain Services so that an administrator can recover them using the BitLocker Recovery Password Viewer tool.
Configure the following UEM IT policy rules to support BitLocker encryption on Windows 10 devices:
  • BitLocker encryption method for desktop
  • Allow storage card encryption prompts on the device
  • Allow BitLocker Device Encryption to enable encryption on the device
  • Set default encryption methods for each drive type
  • Require additional authentication at startup
  • Require minimum PIN length for startup
  • Pre-boot recovery message and URL
  • BitLocker OS drive recovery options
  • BitLocker fixed drive recovery options
  • Require BitLocker protection for fixed data drives
  • Require BitLocker protection for removable data drives
  • Allow recovery key location prompt
  • Enable encryption for standard users
For more information about the BitLocker IT policy rules, see the Policy Reference Spreadsheet.
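The policy rules above are applied by UEM, but an administrator will usually want to confirm on a device that they took effect: that the OS drive is encrypted, that a TPM is present and used by a startup protector (with a PIN if "Require additional authentication at startup" was configured), and that a recovery password exists and can be escrowed to Active Directory Domain Services. The following PowerShell audit is an added example written for this page; it is not BlackBerry's code and not part of UEM. It assumes an elevated session on a domain-joined Windows 10 device with the built-in BitLocker and TrustedPlatformModule modules; the function and parameter names are the example's own, while the cmdlets it calls (Get-Tpm, Get-BitLockerVolume, Backup-BitLockerKeyProtector) ship with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the BlackBerry UEM documentation.
# Audits the local BitLocker posture that the UEM IT policy rules target and,
# optionally, escrows the OS drive's recovery password to AD DS so that it can
# be retrieved with the BitLocker Recovery Password Viewer.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param(
        # Minimum PIN length is enforced by policy, not visible on the volume;
        # this switch only checks that a PIN-based protector is present.
        [switch]$RequirePin,
        # When set, back up the recovery password protector to AD DS
        # (the equivalent of the "recovery password backup" policy taking effect).
        [switch]$BackupRecoveryPassword
    )

    $tpm = Get-Tpm
    $osVolume = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Select-Object -First 1

    if (-not $osVolume) {
        throw 'No operating system volume reported by Get-BitLockerVolume.'
    }

    $protectorTypes = @($osVolume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Startup protectors that bind the volume key to the TPM; the Pin variants
    # satisfy "Require additional authentication at startup" with a PIN.
    $tpmProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $pinProtectors = @('TpmPin', 'TpmPinStartupKey')

    $hasTpmProtector = [bool]($protectorTypes | Where-Object { $_ -in $tpmProtectors })
    $hasPinProtector = [bool]($protectorTypes | Where-Object { $_ -in $pinProtectors })
    $recoveryProtectors = @($osVolume.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $tpm.TpmPresent) { $findings.Add('No TPM present; startup authentication will rely on a password or USB key.') }
    if (-not $tpm.TpmReady)   { $findings.Add('TPM present but not ready (not enabled/activated/owned).') }
    if ("$($osVolume.VolumeStatus)" -ne 'FullyEncrypted') { $findings.Add("OS volume is $($osVolume.VolumeStatus), not FullyEncrypted.") }
    if ("$($osVolume.ProtectionStatus)" -ne 'On') { $findings.Add('BitLocker protection is suspended or off on the OS volume.') }
    if (-not $hasTpmProtector) { $findings.Add('No TPM-based key protector on the OS volume.') }
    if ($RequirePin -and -not $hasPinProtector) { $findings.Add('Policy requires a startup PIN but no TpmPin protector is present.') }
    if ($recoveryProtectors.Count -eq 0) { $findings.Add('No recovery password protector; nothing can be escrowed to AD DS.') }

    $backupResult = 'NotRequested'
    if ($BackupRecoveryPassword -and $recoveryProtectors.Count -gt 0) {
        try {
            foreach ($rp in $recoveryProtectors) {
                Backup-BitLockerKeyProtector -MountPoint $osVolume.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            }
            $backupResult = 'BackedUpToADDS'
        } catch {
            $backupResult = "Failed: $($_.Exception.Message)"
            $findings.Add('Recovery password backup to AD DS failed; check domain connectivity and schema/permissions.')
        }
    }

    [PSCustomObject]@{
        MountPoint        = $osVolume.MountPoint
        EncryptionMethod  = "$($osVolume.EncryptionMethod)"
        VolumeStatus      = "$($osVolume.VolumeStatus)"
        ProtectionStatus  = "$($osVolume.ProtectionStatus)"
        TpmPresent        = [bool]$tpm.TpmPresent
        TpmReady          = [bool]$tpm.TpmReady
        KeyProtectorTypes = $protectorTypes -join ','
        RecoveryPasswords = $recoveryProtectors.Count
        RecoveryBackup    = $backupResult
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Usage: audit only, or audit and escrow the recovery password to AD DS.
# Get-BitLockerPosture -RequirePin | Format-List
# Get-BitLockerPosture -RequirePin -BackupRecoveryPassword | Format-List
```

Run it after the UEM policy has been delivered; a `Compliant` value of `$false` with the `Findings` list tells you which rule did not land (for example, a TPM-only protector when the policy asked for a PIN, or a recovery password that exists on the volume but has not been backed up). Backup-BitLockerKeyProtector writes to the computer object in AD DS only when the domain has the BitLocker recovery schema extensions and the device has line of sight to a domain controller, which is why the backup step is reported separately rather than folded into the compliance verdict.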