How to force BitLocker encryption on Windows with Hexnode UEM? - Hexnode Help Center (2024)

BitLocker is Microsoft’s native device encryption software, developed to protect data by enforcing encryption of OS drives, fixed data drives, and removable drives on Windows devices. With Hexnode’s BitLocker encryption policy, administrators can configure encryption and recovery settings for the devices. However, the policy only prompts the user to encrypt the device. By executing the Force BitLocker Encryption action, admins can encrypt the OS drive with a PIN or password remotely, ensuring the system drive is safe and secure.

Note: It is recommended to deploy the BitLocker encryption policy before executing this action to ensure encryption with preferred configurations.

Force BitLocker Encryption on OS drive

You can follow the steps given below to force encrypt the OS drive on the Windows device.

  1. From your Hexnode portal, navigate to the Manage tab and select your device.
  2. Click on Actions > Force BitLocker Encryption.
  3. You can choose whether to encrypt the entire drive or just the used space.
    • Encrypt used disk space: This option is recommended when setting up BitLocker on a new drive or new PC, as this encrypts the part of the drive currently being used. BitLocker will encrypt any new data automatically added thereafter.
    • Encrypt entire drive: This option is recommended when setting up BitLocker on a drive that is already in use, as encrypting the entire drive ensures that all data is protected, i.e., even the data that has been deleted. This offers more security as the drive might hold info that can be used to retrieve the deleted data using third-party tools.
  4. TPM Startup PIN: Provide a PIN to be used to unlock the drive every time the system is rebooted. You must provide a 6-20 digit PIN as per the Minimum PIN length set in the BitLocker policy.
  5. Notes:

    • Startup PIN must be selected in the BitLocker policy under OS Drive Settings > Configure additional startup authentication settings > Allow Options/Required Options for the PIN to be set.
    • In case a BitLocker policy is not set, the device must be configured manually to allow/require a startup PIN. To configure, follow the given steps:
      1. Press Windows+R on the Windows device to launch the Run command window.
      2. Type gpedit.msc and click on OK.
      3. In the Local Group Policy Editor window, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Device Encryption > Operating System Drives.
      4. Click and open “Require additional authentication at startup”.
      5. Click on Enabled.
      6. From the provided options, ensure that “Configure TPM startup PIN:” is set to either “Allow startup PIN with TPM” or “Require startup PIN with TPM”.
      7. Click on OK.
  6. Fallback Password: Provide a password to be used to unlock the drive on devices that do not have a supported TPM. In such cases, the drive will be encrypted with the Fallback Password instead of the TPM Startup PIN. You must provide a password with at least 8 characters to proceed with the action.
  7. Mandate and escrow a recovery password: Check this option to ensure that a recovery password is generated and escrowed to your portal. The recovery password can then be viewed on the portal under the details for the encrypted system drive at Device Summary > Hardware Info tab for the device.

    Disclaimer: If unchecked, the device may not generate a recovery password. In such a case, the BitLocker recovery may fail if the PIN or password is lost. It is recommended to uncheck this option only if the recovery password/key can be manually obtained from the device.

  8. Click on Proceed.

Notes:

  • To execute the action, ensure the following while configuring the policy:
    • The Startup key must not be set under “Required Options” for the additional startup authentication settings in the BitLocker policy.
    • The recovery key must not be set as a required option for the recovery options in the BitLocker encryption policy.
  • Please save the provided TPM Startup PIN and Fallback Password for unlocking the device. Hexnode UEM can only retrieve the recovery password that can be used to recover the device if the PIN or password is lost.

What happens at the device end?

BitLocker is enabled for the OS drive on the device based on the configurations set in the BitLocker policy. If no BitLocker policy is associated with the device, the drive is encrypted using the device’s default BitLocker configurations. The user can check the same on the device by navigating to Control Panel > System and Security > BitLocker Drive Encryption.
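
To confirm the result from an elevated PowerShell prompt on the device instead of the Control Panel, the following added example (not part of the Hexnode documentation) checks the manual startup-PIN prerequisite described in the Notes above and then the key protectors on the OS drive. The function names are hypothetical, and the registry value names are an assumption taken from the BitLocker Group Policy template for “Require additional authentication at startup”, not from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: audits the OS drive after the Force BitLocker Encryption action.
# Assumption: the local Group Policy setting writes these values under
# HKLM:\SOFTWARE\Policies\Microsoft\FVE (0 = do not allow, 1 = require, 2 = allow).

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    # Returns $null when the key or the value is not configured.
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-OsDriveBitLocker {
    $findings = @()

    # Policy prerequisites for a TPM startup PIN (manual gpedit.msc case).
    $advanced = Get-FvePolicyValue -Name 'UseAdvancedStartup'
    $tpmPin   = Get-FvePolicyValue -Name 'UseTPMPIN'
    if ($advanced -ne 1 -or $tpmPin -notin @(1, 2)) {
        $findings += 'Startup PIN with TPM is not allowed or required by local policy.'
    }
    if ((Get-FvePolicyValue -Name 'UseTPMKey') -eq 1) {
        $findings += 'Startup key is set as required; it must not be for this action.'
    }

    # Resulting state of the OS drive.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus) at $($vol.EncryptionPercentage)% encrypted."
    }
    if ('TpmPin' -notin $types -and 'Password' -notin $types) {
        $findings += 'No TPM+PIN or password protector is present on the OS drive.'
    }
    if ('RecoveryPassword' -notin $types) {
        $findings += 'No recovery password protector exists, so none can be escrowed.'
    }

    [pscustomobject]@{
        MountPoint    = $vol.MountPoint
        VolumeStatus  = $vol.VolumeStatus
        Protection    = $vol.ProtectionStatus
        KeyProtectors = $types -join ', '
        Findings      = $findings
    }
}

Test-OsDriveBitLocker | Format-List
```

An empty Findings list means the drive is protected with a PIN or password protector and a recovery password exists. While encryption is still running, ProtectionStatus reports Off until it completes.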

Article information

Author: Pres. Lawanda Wiegand
