Secure your organization data on Windows 7 devices using the native BitLocker encryption with the Encryption profile. BitLocker encryption policy is only available on Windows 7 Ultimate and Enterprise, Windows 8 Enterprise and Pro, and Windows 10 Enterprise, Education, and Pro devices.

Because laptops and tablets are mobile devices by design, they risk your organization data being lost or stolen. By enforcing a BitLocker encryption policy through AirWatch, you can protect data on the hard drive. BitLocker is the native Windows encryption that AirWatch supports. The Encryption profile continually checks the encryption status of the device. If the profile finds that the device is not encrypted, it automatically encrypts the device.

If you decide to encrypt with BitLocker, a recovery created during encryption is stored in the AirWatch Console.

Note:

The BitLocker Encryption profile requires the AirWatch Protection Agent to be installed on the device.

Deploying an Encryption Profile

The Windows native BitLocker encryption secures data on Windows 7. Deploying the encryption profile requires more actions from the end user.

Note:

For BitLocker encryption to take place, the device must have Trusted Platform Module (TPM) enabled. The exact process to enable and activate TPM may vary from one system to another but is typically done by restarting the device and accessing the BIOS security settings.

Pushing BitLocker Profiles

The BitLocker encryption uses a wizard to enable and activate the encryption on end-user devices. Note the following important points when pushing BitLocker to end users:

  • If Enforce Encryption PIN to Login is enabled, end users are prompted to create a 4–20 digit PIN that is used every time the machine is restarted.
    • This PIN is required even during restarts required by encrypting and decrypting the drive.
  • The end users are prompted to select a local recovery key storage path. The recovery key is saved as a TXT file at the selected path.
  • If TPM is not enabled, BitLocker encryption cannot take place. If TPM is enabled but not active, the wizard restarts the device to activate it. This reboot requires the end user to accept the change.

BitLocker and the AirWatch Console

If BitLocker is enabled and in use, you can see encryption status reports in the following areas:

  • AirWatch Dashboard
    • Device Details displays recovery key information.
    • Encryption progress (percentage) or completion at the time of the device sample displays.
    • BitLocker protection displays as enabled.
  • AirWatch Self-Service Portal (SSP)
    • Self-Service Portal displays that the recovery key is stored in AirWatch, but does not display recovery key details.
    • Encryption progress (percentage) or completion displays.
    • BitLocker protection displays as enabled.
Note:

During device encryption, the profile may display as Not Installed in the AirWatch Console. Once encryption of the device reaches 100%, the profile displays as installed.

Removal Behavior

If the profile is removed from the AirWatch Console, AirWatch no longer enforces the encryption and the end user is free to decrypt. Enterprise wiping or manually uninstalling the AirWatch Protection Agent from the Control Panel does not turn off BitLocker. The device end user must decrypt from the Control Panel.

If the end user decides to unenroll during the BitLocker encryption process, the encryption process continues unless it is turned off manually from the Control Panel.

Encryption Warnings

Only manage BitLocker encryption with the Encryption profile, or the device may report incorrect information and become unmanageable. Some sample scenarios include:

  • If the user decrypts BitLocker from the entire system or any drives using the Control Panel, the device becomes unmanageable as the status may not display correctly. A device is encrypted with BitLocker from the AirWatch Console, it must be decrypted from the AirWatch Console as well.
  • Once the user initiates the encryption or decryption process, do not change the TPM settings as it may cause instability and unwanted behavior.