The existing data stored on this drives can be read always.
This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.Ĭonfigure Pre-boot Recovery Message and URL Prevent users from specifying recovery options when they turn on BitLocker on a drive. Hide Recovery Options from BitLocker setup wizard Prevent users from configuring BitLocker until they join their devices to Azure AD. Select information to Sync to Azure AD Domain ServicesĬhoose what information related to BitLocker recovery should be used to sync with Azure AD.ĭisable BitLocker Until Recovery Information is synced to Azure AD DS This setting works only if the device is Azure AD joined Sync BitLocker Recovery Information to Azure ADĮnable this to Sync the BitLocker recovery/escrow keys to Azure AD.
Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor.Ĭonfigure if users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Recovery Options for System Drives: If you have configured the startup authentication then this method allows you to configure the recovery mechanisms for System drives (the drive that hosts the OS),Ĭonfigure Recovery Option for System DrivesĮnable this to configure the recovery options.Īllow Certificate Based Data Recovery Agent.This setting works only if authentication method includes PIN. Removable Data Drives: Defaults to AES-CBC 128-bit.Fixed Data Drives: Defaults to AES-CBC 128-bit.Operating System Drives: Defaults to XTS-AES 256-bit.Click on Show to see the settings,Ĭhoose an encryption algorithm for the various disk drives, BitLocker Base Settings: The first section control the basic encryption settings.This allows you to start configuring various settings and this will show a notification to the end users that they need to configure BitLocker, To configure BitLocker by enabling Prompt for Device Encryption.Once in the Device Profile wizard, click on the Settings > BitLocker section to configure BitLocker settings,.Click on a Windows Device profile and edit or create a new Windows Device profile. Navigate to Device Management > Device Profiles.Follow the steps below to configure a BitLocker policy, The first step is to configure a BitLocker policy that can be then pushed to devices. Please make sure to go through our Conflicting Scenarios section to understand the settings to avoid. The settings offered by BitLocker may cause some conflicts if not configured properly. We also cover the user experience once BitLocker policy is pushed to devices.
The following document guides you on how to setup BitLocker and push the configuration on devices.
Further on Azure AD joined devices the BitLocker encryption can be enforced and automated. Scalefusion lets IT Admins configure BitLocker settings and apply these settings to the Windows 10 managed devices.
However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. The TPM is a hardware component installed in many newer computers by the computer manufacturers. BitLocker integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.īitLocker works best when used on computers with Trusted Platform Module (TPM) version 1.2 or later.