Secure your organization data on Windows Desktop devices with the Encryption profile. The Encryption profile sets the native BitLocker encryption policy on your Windows Desktop devices to ensure data remains secure.

BitLocker encryption is only available on Windows 8 Enterprise and Pro and Windows 10 Enterprise, Education, and Pro devices.

Because laptops and tablets are mobile devices by design, they put your organization data at risk of being lost or stolen. By enforcing an encryption policy through Workspace ONE UEM, you can protect the data on the hard drive. BitLocker is the native Windows encryption, and Dell Data Protection | Encryption is a third-party encryption solution from Dell. With the Encryption profile enabled, Workspace ONE Intelligent Hub continually checks the encryption status of the device. If Workspace ONE Intelligent Hub finds that the device is not encrypted, it automatically encrypts the device.

If you decide to encrypt with BitLocker, a recovery key created during encryption is stored in the Workspace ONE UEM console and in the Self-Service Portal.

The Encryption profile requires Workspace ONE Intelligent Hub to be installed on the device.

Note: The Encryption profile does not configure or enable Dell Data Protection | Encryption. The status of the encryption is reported to the Workspace ONE UEM console and Self-Service Portal, but the encryption must be configured manually on the device.
Caution: Windows 10 does not support devices without a pre-boot onscreen keyboard. Without a keyboard, you cannot enter the startup PIN necessary to unlock the hard drive and start Windows on the device. Pushing this profile to a device without a pre-boot onscreen keyboard leaves the device unable to start.

BitLocker Functionality

The Encryption profile uses advanced BitLocker functionality to control authentication and deployment of BitLocker encryption.

BitLocker uses the Trusted Platform Module (TPM) on the device to store the recovery password on the device, which is used to decrypt hard drives connected to the motherboard. If a drive is removed from the motherboard, the drive does not decrypt. For stronger authentication, you can enable an encryption PIN that the user must enter. You can also require a password as a fallback for devices on which the TPM is not available.

Deployment Behavior

The Windows-native BitLocker encryption secures data on Windows Desktop devices. Deploying the Encryption profile requires additional actions from the end user.

If the Encryption profile is pushed to an encrypted device and the current encryption settings match the profile settings, Workspace ONE Intelligent Hub adds a new recovery key and sends it to the Workspace ONE UEM console. This new recovery key is also stored in an encrypted database on the device. With this feature, if a user or an admin attempts to decrypt the device, the Encryption profile re-encrypts the device with the new recovery key. The encryption is enforced even if the device is offline.

If the existing encryption does not meet the authentication settings of the Encryption profile, the existing protectors are removed and new protectors are applied that meet the Encryption profile settings.

If the existing encryption method does not match the Encryption profile, Workspace ONE UEM leaves the existing method in place and does not override it. This functionality also applies if you add a new version of the Encryption profile to a device managed by an existing Encryption profile. The existing encryption method is not changed.
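The following read-only audit script is an added example, not Workspace ONE UEM or Intelligent Hub code: it reports, for one volume, the same three things the deployment behavior above turns on (encryption state, whether the key protectors satisfy the profile's authentication settings, and whether the encryption method matches). The required protector types and the expected encryption method are assumptions standing in for a profile that requires TPM + PIN plus a recovery password; adjust them to your own profile.

```powershell
# Added example (not Workspace ONE code). Audits a device's BitLocker state
# against the settings an Encryption profile would enforce. Read-only: it
# reports drift and never adds, removes, or prints key protectors.
# Assumed profile settings (hypothetical values, edit to match your profile):
$ExpectedMethod     = 'XtsAes256'
$RequiredProtectors = @('TpmPin', 'RecoveryPassword')

#Requires -RunAsAdministrator
Import-Module BitLocker

function Test-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector types only; the RecoveryPassword property itself is deliberately
    # never read or written to output, the console is the place to look it up.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $r = [ordered]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus.ToString()      # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus.ToString()  # On, or Off when protectors are suspended or absent
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        Protectors       = ($types -join ',')
        # Per the deployment behavior, a method mismatch is left in place, so it is reported only
        MethodMatchesProfile = ($vol.EncryptionMethod.ToString() -eq $ExpectedMethod)
        # An authentication mismatch is what causes protectors to be replaced, so flag missing ones
        MissingProtectors    = (($RequiredProtectors | Where-Object { $types -notcontains $_ }) -join ',')
        RecoveryKeyCount     = @($types | Where-Object { $_ -eq 'RecoveryPassword' }).Count
    }
    # Compliant = fully encrypted, protection active, and every required protector present
    $r.Compliant = ($r.VolumeStatus -eq 'FullyEncrypted' -and
                    $r.ProtectionStatus -eq 'On' -and
                    [string]::IsNullOrEmpty($r.MissingProtectors))
    [pscustomobject]$r
}

# Usage: audit the OS drive and show the result
Test-BitLockerCompliance | Format-List
```

A RecoveryKeyCount of zero on an otherwise encrypted volume is the case worth acting on first, since no key would be escrowed to the console or Self-Service Portal.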

Encryption Status

If BitLocker is enabled and in use, you can see status reports about the encryption status in the following areas:

  • Workspace ONE UEM Dashboard
    • Device Details displays recovery key information.
    • BitLocker protection displays as enabled.
  • Workspace ONE UEM Self-Service Portal
    • Self-Service Portal displays that the recovery key is stored, but not the recovery key details.
    • BitLocker protection displays as enabled.

Removal Behavior

If the profile is removed from the Workspace ONE UEM console, Workspace ONE UEM no longer enforces the encryption and the device automatically decrypts. Enterprise wiping or manually uninstalling Workspace ONE Intelligent Hub from the Control Panel disables BitLocker encryption.

When you create the Encryption profile, you can choose to enable the Keep System Encrypted at All Times option. This setting ensures that the device remains encrypted even if the profile is removed, the device is wiped, or communication with Workspace ONE UEM ends.

If the end user decides to unenroll during the BitLocker encryption process, the encryption process continues unless it is turned off manually from the Control Panel.