Create an Encryption profile to secure your data on Windows Desktop devices using the native BitLocker encryption.

Procedure

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.
  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.
  5. Select the Encryption profile and configure the settings:
    Settings Descriptions
    Encrypted Volume

    Use the drop-down menu to select the type of encryption as follows:

    • Complete Hard Disk – Encrypts the entire hard disk on the device, including the System Partition where the OS is installed.
    • System Partition – Encrypts a partition or drive in the same location Windows is installed and from which it boots.
    Encryption Method Select the encryption method for the device.
    Only encrypt used space during initial encryption Enable to limit the BitLocker encryption to only the used space on the drive at the time of encryption.
    Recovery Key URL

    Enter the URL to display on the lock screen directing end users to get the recovery key.

    Consider entering the Self Service Portal URL as Workspace ONE UEM hosts the recovery key there.

    Force Encryption

    Enable to force encryption on the device. This enforcement means that the device immediately re-encrypts if BitLocker is manually disabled.

    Consider disabling this setting to prevent issues during upgrades or Enterprise Wipes.

    Keep System Encrypted at All Times Enable this option to keep the device encrypted at all times. Use this option to ensure that device wipes, profile removals, or break in communication with Workspace ONE UEM does not decrypt the device.

    If this you enable this setting and wipe a device, you can only access the recovery from the Workspace ONE UEM console for 30 days. After 30 days, the system may be unrecoverable.

    Authentication Mode

    Select the method for authenticating access to a BitLocker encrypted device.

    • TPM — Uses the devices Trusted Platform Module. Requires a TPM on the device.
    • Password — Uses a password to authenticate.
    Enforce Encryption PIN on Login Select the check box to require users to enter a PIN to unlock the device. This option locks out the OS start up and auto-resume from suspend or hibernate until the user enters the correct PIN.
    Use Password if TPM Not present

    Select the check box to use a password as a fallback to decrypt the device if the TPM is unavailable.

    If this settings is not enabled, any devices without a TPM do not encrypt.

    Suspend BitLocker until TPM is initialized Select this option to postpone encryption on the device until TPM is initialized on the machine. Use this option for enrollments that require encryption before TPM initializes such as OOBE.
    Minimum Password Length

    Select the minimum number of characters a password must be.

    Displays if the Authentication Mode is set to Password or if Use Password if TPM Not Available is enabled.

    Create Static BitLocker Password

    Select the check box if a static recovery key is enabled.

    BitLocker Recovery Password

    Select the Generate icon () to generate a new recovery key.

    Rotation Period Enter the number of days until the recovery key rotates.
    Grace Period Enter the number of days after rotation that the previous recovery key still works.
    Enable BitLocker Suspend Select the check box to enable BitLocker Suspension. This functionality suspends BitLocker encryption during a specified time period. Use this feature to suspend BitLocker when updates are scheduled so devices can reboot without requiring end users to enter the Encryption PIN or password.
    Suspend BitLocker Type

    Select the type of suspension.

    • Schedule — Select to enter the specific time period that BitLocker suspends. Then set the schedule repeat to daily or weekly.
    • Custom — Select to enter the day and time to begin and end BitLocker suspension.
    BitLocker Suspend Start Time Enter the time to start BitLocker suspension.
    BitLocker Suspend End Time Enter the time to end BitLocker suspension.
    Scheduled Repeat Type Set whether the scheduled suspension repeats daily or weekly. If you select weekly, select the days of the week to repeat the schedule.
  6. Select Save & Publish when you are finished to push the profile to devices.