Configure Windows 10 BitLocker encryption for managed Windows 10 devices and secure corporate data on Azure Ad-joined devices.
Information security is one of the most critical responsibilities of enterprise IT teams. With the influx of digital devices into the enterprise environment, enterprise IT teams have to implement robust data protection policies on the devices while ensuring that the employees imbibe a culture of security while handling corporate data. With remote working, the security profile of an organization is practically tested, since devices are connected to unknown, unmonitored networks or the corporate data is accessed on BYO PCs.
Addressing security concerns on BYO devices as well as remote working devices is urgent and Microsoft offers several solutions to protect corporate data with the help of a mobile device management solution such as Windows Information Protection (WIP) and BitLocker.
In this article, we will have a look at the several security features of BitLocker and how to turn it on using Scalefusion MDM.
What is Windows 10 BitLocker?
BitLocker is an in-built feature offered by Microsoft that facilitates full-volume encryption to protect corporate data. BitLocker is designed to integrate at the OS level to address security threats such as data theft or data exposed on lost, stolen or decommissioned/retired devices. BitLocker essentially enables full volume encryption to ensure data security. BitLocker makes use of the AES encryption algorithm in cipher block chaining (CBC) or XTS mode[1] with a 128-bit or 256-bit key.
When your device drives are protected using BitLocker, they cannot be accessed when physically attached to another device. Unlike other security options, BitLocker helps in securing the corporate data even when the device is offline. So while the MDM’s security features extensively safeguard the data when it is connected to the internet, BitLocker secures the data from unauthorized access and misuse when the device is offline.
Benefits of BitLocker for Windows 10
- It is a proprietary encryption feature by Windows offered to protect corporate data as well as system data and it is free.
- It only requires the devices to be connected to the internet/network at the time o configuration and works offline
- It helps in setting up multi-factor authentication while accessing system drives
- It makes up for a great backup mechanism in case your system crashes.
Requirements for Microsoft BitLocker
BitLocker works in sync with the computers that have TPM (Trusted Platform Module) technology of version 1.2 or later. BitLocker can also be enabled on the computers that do not have TPM 1.2 or later but the enablement process will have to be initiated by inserting a USB startup key to start the computer or resume from hibernation.
Using Scalefusion MDM for Windows 10, enterprise IT teams can configure and enable BitLocker encryption for managed Windows 10 devices.
Prerequisites for Enable Windows 10 BitLocker Encryption using Scalefusion MDM
- Windows 10 v1809+ version devices with Windows Pro, Enterprise and Education Editions
- Azure AD-based setup on Scalefusion MDM
Configuring Windows 10 BitLocker Encryption using Scalefusion MDM
Watch a step-by-step video walkthrough
Getting started:
Signup and login to the Scalefusion dashboard. Enroll devices and configure them into MDM using Azure AD-based enrollment. You can push a profile which is a policy setting on the devices including allowed apps and websites.
Step by Step Process to Setup BitLocker for Data Protection.
Step 1:
Move to the settings section of the Device profile. Enable the BitLocker encryption to start the configuration.
Step 2:
Configure the Base settings. You can choose the encryption method and the settings for Azure AD joined devices.
Step 3:
Configure the startup authentication settings. For computers without TPM, select the ‘allow BitLocker on PCs without a Trusted Platform Module(TPM)’ option. Set the authentication method and minimum length of the PIN for startup.
Step 4:
Configure the recovery options or system drives. You can set the policies for recovery, set the recovery key and configure the preboot recovery message. You can check the entire list of settings available here.
Step 5:
In this step, you can configure the recovery options for fixed drives. These options are similar to the system drives but these are set for non-system drive partitions.
Step 6
Select the write access settings. You can disable the write access to the drives until they are encrypted preventing any malware from reading/accessing the data on your drives.
Save the profile settings and apply it to the managed Windows 10 devices to leverage encryption using BitLocker. Scalefusion MDM facilitates the configuration of BitLocker on Azure Ad-joined devices, streamlining the device and data security management of Windows 10 devices used for work.
