Secure your organization data on Windows Desktop devices with the Encryption profile. The Encryption profile sets the native BitLocker encryption policy on your Windows Desktop devices to ensure data remains secure.

BitLocker encryption is only available on Windows 8 Enterprise and Pro and Windows 10 Enterprise, Education, and Pro devices.

Because laptops and tablets are mobile devices by design, they risk your organization data being lost or stolen. By enforcing an encryption policy through AirWatch, you can protect data on the hard drive. BitLocker is the native Windows encryption and Dell Data Protection | Encryption is a third-party encryption solution from Dell. With the Encryption profile enabled, the AirWatch Protection Agent continually checks the encryption status of the device. If the agent finds that the device is not encrypted, it automatically encrypts the device.

If you decide to encrypt with BitLocker, a recovery key created during encryption is stored in the AirWatch Console and in the Self-Service Portal.

The Encryption profile requires the AirWatch Protection Agent to be installed on the device.

Note:

The Encryption profile does not configure or enable Dell Data Protection | Encryption. The status of the encryption is reported to the AirWatch Console and Self-Service Portal, but the encryption must be configured manually on the device.

Caution:

Windows 10 does not support devices without a pre-boot onscreen keyboard. Without a keyboard, you cannot enter the start up pin necessary to unlock the hard drive and start Windows on the device. Pushing this profile to devices without a pre-boot onscreen keyboard breaks your device.

BitLocker Functionality

The Encryption profile uses advanced BitLocker functionality to control authentication and deployment of BitLocker encryption.

BitLocker uses the Trusted Platform Module (TPM) on devices to store the recovery password on the device to decrypt hard drives connected to the motherboard. If the drive is removed from the motherboard, the drive does not decrypt. For enhanced authentication, you can enable an encryption PIN to confirm user authentication. You can also require a password for devices as a fallback for when the TPM is not available.

Deployment Behavior

The Windows-native BitLocker encryption secures data on Windows Desktop devices. Deploying the encryption profile requires more actions from the end user.

Note:

For BitLocker encryption to take place on a Windows 8.1 device, the device must have TPM enabled and activated. The exact process to enable and activate TPM might vary from one system to another but is typically done by restarting the device and accessing the BIOS security settings.

Already-Encrypted Devices

If the Encryption profile is pushed to an encrypted device and the current encryption settings match the profile settings, the AirWatch Protection Agent adds a new recovery key and sends it to the AirWatch Console. This new recovery key is also stored in an encrypted database on the device. With this feature, if a user or an admin attempts to decrypt the device, the Encryption profile re-encrypts the device with the new recovery key. The encryption is enforced even if the device is offline.

If the existing encryption does not meet the authentication settings of the Encryption profile, the existing protectors are removed and new protectors are applied that meet the Encryption profile settings.

If the existing encryption method does not match the Encryption profile, AirWatch leaves the existing method in place and does not override it. This functionality also applies if you add a new version of the Encryption profile to a device managed by an existing Encryption profile. The existing encryption method is not changed.

Encryption Status

If BitLocker is enabled and in use, you can see status reports about the encryption status in the following areas:

  • AirWatch Dashboard
    • Device Details displays recovery key information.
    • BitLocker protection displays as enabled.
  • AirWatch Self-Service Portal
    • Self-Service Portal displays that the recovery key is stored, but not the recovery key details.
    • BitLocker protection displays as enabled.

Removal Behavior

If the profile is removed from the AirWatch Console, AirWatch no longer enforces the encryption and the device automatically decrypts. Enterprise wiping or manually uninstalling the AirWatch Protection Agent from the Control Panel disables BitLocker encryption.

If the end user decides to unenroll during the BitLocker encryption process, the encryption process continues unless it is turned off manually from the Control Panel.