Windows BitLocker

Introduction

With Relution, BitLocker encryption can be configured in a policy for Windows devices. Details about BitLocker and its functionality can be found in the Microsoft documentation.

Configuration

The configuration consists of three sections:

  • OS drive
  • Installed hard disks
  • Removable hard disks

The encryption type can be configured in each section. Depending on the drive type, you can choose between different recovery options.

OS drive

  • Recovery options before startup:
    • Standard recovery message and URL before startup
    • Custom recovery URL before startup
    • Custom recovery message before startup

Installed hard disks

  • Recovery options:
    • Create recovery password
    • Create recovery key
    • Store the recovery key in Active Directory Domain Services

The recovery key is also stored in Relution in the device information (Relution Server 5.21 and later).

Device Encryption Without User Interaction

Under certain conditions, BitLocker can be enabled on devices without any user interaction. This also applies to users without administrative privileges.

Requirements

Devices must meet the following conditions:

  • Windows version 1803 or later when the user has administrator privileges.
  • Windows version 1809 or later when the user has standard privileges.
  • Devices must be enrolled in Microsoft Entra or Microsoft Entra hybrid (e.g., via Autopilot), or BitLocker must be activated through the Enable BitLocker action in Relution.
  • TPM 1.2 or higher.
  • BIOS setting: native UEFI.

Microsoft Entra or Microsoft Entra Hybrid Enrolled Devices

For devices enrolled in Relution that are also joined to Microsoft Entra (e.g., via Autopilot), BitLocker encryption can be automated. Configure the settings as listed below so that encryption starts automatically once the configuration is applied.

Base Settings:

  • Device encryption required: Enabled.
  • Allow standard users to enable BitLocker encryption unattended: Enabled.

OS Drive Settings:

  • Encryption type: Full.
  • Authentication on startup required: Enabled.
  • TPM startup: Optional or required.
  • TPM startup PIN: Blocked.
  • TPM startup key: Blocked.
  • TPM startup PIN and startup key: Blocked.
  • Configure recovery: Disabled (or configure it using the options below).
    • If recovery is enabled, the following additional requirements apply:
      • Generate recovery password: Allowed or required.
      • Generate recovery key: Allowed or required.
      • Hide recovery screen during BitLocker setup: Enabled.

Other configuration options may be adjusted as needed, but unsupported settings can prevent activation.

Activate BitLocker via Action

For devices that are not enrolled in Microsoft Entra or Microsoft Entra hybrid, BitLocker encryption can be started using the Enable BitLocker action in Relution. This also works for standard users.

It is advisable to apply a BitLocker configuration beforehand to define the encryption method and other parameters. This step is not mandatory for automatic activation, but it ensures consistent settings and compliance.

Known Issues

Error message:
BitLocker configuration violated. Messages: - BitLocker policy requires TPM protection to protect the operating system volume, but a TPM is not used.

Solution:
In the BitLocker configuration, enable the following:

  • Authentication at startup required: On
  • Trusted Platform Module (TPM) on incompatible devices: On
  • TPM startup: Required
  • TPM startup PIN: Blocked
  • TPM startup key: Blocked
  • TPM startup PIN and key: Blocked
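To verify the requirements listed above and to spot the "TPM is not used" condition from the known issue before the policy reports a violation, the following PowerShell check can be run on a device. It is an added example, not Relution's own code; it assumes the BitLocker and TPM modules that ship with Windows, an elevated session, and uses the OS build numbers 17134 and 17763, which correspond to Windows versions 1803 and 1809.

```powershell
# Added example (not part of Relution): readiness check for unattended BitLocker activation.
# Assumes an elevated session on Windows 10 or later with the built-in BitLocker module.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        # $true when a standard (non-admin) user will enable BitLocker; this raises
        # the minimum version from 1803 (build 17134) to 1809 (build 17763).
        [bool]$StandardUser = $true
    )

    $minBuild = if ($StandardUser) { 17763 } else { 17134 }
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

    # Win32_Tpm reports the TPM specification, e.g. "2.0, 0, 1.16" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { [version](($tpm.SpecVersion -split ',')[0].Trim()) } else { $null }

    # $env:firmware_type is "UEFI" on a native UEFI boot and "Legacy" on BIOS/CSM boot.
    $nativeUefi = $env:firmware_type -eq 'UEFI'

    # Key protectors on the OS volume; the known issue above corresponds to a missing Tpm protector.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        CurrentBuild        = $build
        BuildOk             = $build -ge $minBuild
        TpmSpecVersion      = $tpmSpec
        TpmOk               = ($null -ne $tpmSpec) -and ($tpmSpec -ge [version]'1.2')
        NativeUefi          = $nativeUefi
        ProtectionStatus    = $os.ProtectionStatus      # On / Off
        EncryptionMethod    = $os.EncryptionMethod
        HasTpmProtector     = $protectors -contains 'Tpm'
        HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
        KeyProtectors       = $protectors -join ', '
    }
}

Test-BitLockerReadiness -StandardUser $true | Format-List
```

A device is ready for unattended activation when BuildOk, TpmOk and NativeUefi are all true; HasTpmProtector being false on a volume that is already protected points at the TPM requirement described under Known Issues.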