ToolBox Guide to
Managing encryption on Windows 10 devices in the new mobile-cloud era should be simple and effortless. AirWatch 9.1 gives us a slew of features for advanced BitLocker management on your Windows 10 devices that makes it easy and flexible. I’ll highlight some of the new features introduced in 9.1 and then do a walk-through of how to set it up.
(taken from official AirWatch post)
Now, let's get to creating your profile in the AirWatch console.
First, log in to your AirWatch admin console.
On the left-hand pane, click on Devices --> Profiles & Resources --> Profiles --> Add --> Add Profile
Then Windows--> Windows Desktop
Then select Device Profile
In the Profile screen fill out the first section -- "General"
Name - Name it something appropriate, such as "Win10 - BitLocker"
Description - Optional, but it's a good idea to describe briefly what this profile does.
Deployment - "Managed"
Assignment Type - "Auto"
Allow Removal - Recommend you set this to "Never" so a user can't remove the profile (and with it the encryption policy) from the device.
Managed by - You should be able to leave this at the default, but be sure you are at the right organization group level here.
Assignment Groups - Add the appropriate group here. If you haven't created a Smart Group yet you can do so here. Just click in the box and select "Create Assignment Group" at the bottom. In my case I've created a smart group for all Windows 10 Clients
Exclusions - You can add exclusions here if you want
Additional Assignment Criteria - Leave default
Removal Date - Recommend you don't enable this; an encryption profile should not expire on a date.
You can see mine here:
Once you have configured your "General" page, click down to the "Encryption" section on the left.
Then click "configure".
There are numerous options you can set here. I'll walk through each one, although many are self-explanatory.
Encrypted Volume - Select "Complete Hard Disk" or "System Partition". System Partition encrypts only the OS partition; any other partitions or disks stay in the clear, so anything users save there is unprotected. Recommend you set this to "Complete Hard Disk".
Only Encrypt Used Space During Initial Encryption - Only the sectors currently in use are encrypted, so the initial encryption finishes much faster and doesn't hammer the disk as long. This is the right choice for a newly provisioned device. On a device that has already been in use, previously deleted data may still sit in unallocated space unencrypted, so weigh that before turning it on for machines that have been in service.
Custom URL for Recovery Screen - This URL is shown on the blue BitLocker recovery screen and tells users where to go for their recovery key. I recommend pointing it at your organization's AirWatch Self-Service Portal.
Section 2 - BitLocker Authentication Settings
Authentication Mode - TPM or Password. With TPM, the drive unlocks against the TPM's measurements of the boot chain; with Password, the user types a pre-boot password at every start and there is no hardware root of trust. TPM is definitely the way to go on any device that has one.
Enforce Encryption PIN on Login - Check this box to require a pre-boot PIN in addition to the TPM (TPM+PIN). TPM-only unlocks the OS volume with no user interaction, so its protection rests entirely on the boot path and the Windows logon screen; the PIN is what a thief with the powered-off laptop cannot supply. This is not really necessary for most fleets in my opinion, but it gives you the option if your organization requires it.
Use Password if TPM not Present - Without this, BitLocker simply fails on devices that have no usable TPM, whether because they didn't ship with one, it hasn't been enabled in firmware, or country-specific laws restrict TPM chips altogether. Turning this on falls back to a pre-boot password so every device still gets encrypted. Bear in mind that the fallback has no platform integrity check; the disk is then only as strong as that password. Recommend you turn this on.
Minimum Password Length - Self-explanatory. The floor is 8 characters.
Section 3 - BitLocker Static Recovery Key Settings
Create Static BitLocker Recovery Key - Also new in 9.1. This adds a second, administrator-held recovery key that is the same across your devices for easier recovery, on top of the unique per-device recovery key that BitLocker still generates. The convenience is the trade-off: one shared secret unlocks every device it was pushed to, so treat it like a privileged credential.
You can also set the rotation period and grace period for that static key here; use them.
Section 4 - BitLocker Suspend
Enable BitLocker Suspend - If you check this box, BitLocker is automatically suspended during your scheduled maintenance or patching windows so that a change to the measured boot chain, such as a BIOS or firmware update, doesn't drop the machine into recovery mode. While suspended the volume stays encrypted but its key is stored in the clear on the disk, so anyone who boots the device can read it. Most of the time this would be used on kiosk or desktop systems with very predictable maintenance periods, where a recovery prompt would strand the system.
Recommend you leave this off unless you have a specific use case. You can always turn it on for the maintenance window and turn it off again once your systems are updated.
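If you only need BitLocker out of the way for a single firmware update on a few machines, a targeted suspend from the device itself keeps the clear-key window to one reboot instead of leaving the profile option on for the fleet. The script below is an added example, not code from the original post or from AirWatch; it uses the built-in BitLocker module cmdlets on Windows 10 and assumes the OS volume is the system drive. Run it elevated.

```powershell
# Added example (not from the original post or from AirWatch): suspend BitLocker on the
# OS volume for exactly one reboot around a BIOS/firmware update, instead of enabling the
# profile's "BitLocker Suspend" option for every device. Requires an elevated session and
# the BitLocker module that ships with Windows 10.
function Suspend-BitLockerForFirmwareUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the OS volume is the system drive (usually C:).
        [string]$MountPoint = $env:SystemDrive,
        # Windows resumes protection by itself after this many restarts (1-15; 0 would mean "until resumed").
        [ValidateRange(1, 15)][int]$RebootCount = 1
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Do not pretend to succeed on a volume that is not actually protected.
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint is already $($vol.ProtectionStatus); refusing to suspend."
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $RebootCount reboot(s)")) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null

        # Verify the state change rather than trusting the cmdlet silently.
        $after = Get-BitLockerVolume -MountPoint $MountPoint
        if ($after.ProtectionStatus -ne 'Off') {
            throw "Suspend was requested but protection on $MountPoint is still $($after.ProtectionStatus)."
        }
        Write-Verbose "BitLocker suspended on $MountPoint; it resumes automatically after $RebootCount reboot(s)."
    }
}

# If the update is cancelled and no reboot will happen, resume explicitly so the key
# does not stay in the clear. Returns the resulting ProtectionStatus.
function Resume-BitLockerIfSuspended {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # FullyEncrypted + ProtectionStatus Off is what a suspended volume looks like.
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

# Usage (as administrator):
# Suspend-BitLockerForFirmwareUpdate -Verbose
# ... run the vendor firmware updater, then reboot ...
# Resume-BitLockerIfSuspended    # only needed if the reboot did not happen
```

The -RebootCount parameter is what makes this safer than the console option: even if the technician forgets to resume, Windows re-enables protection after the next restart, so the time the volume master key sits unprotected on disk is bounded by the update itself.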
Once you are finished and ready to deploy, click "Save & Publish". The next screen will show you all the devices the profile will go to based on your Smart Group.
If it looks good, click "Publish" to send out to your devices.
Once you have deployed this out to your devices, obtaining the recovery key is very easy. Simply search for and find the device either by user or device name.
On the summary page, click on "View Recovery Key". That's it!
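The console shows you the recovery key, but it is worth confirming on a device that the profile actually produced the state you configured: the right volumes encrypted, the right protector unlocking the drive at boot, recovery passwords present, and protection not left suspended. The script below is an added example, not code from the original post or from AirWatch; it reads the live BitLocker and TPM state with the built-in Windows 10 cmdlets and compares it with the profile choices made above. The parameter names are my own and mirror the profile settings.

```powershell
# Added example (not from the original post or from AirWatch): check on a client that the
# BitLocker profile landed as intended. Run in an elevated PowerShell on the device.
# Parameter names are hypothetical and mirror the profile settings described above.
function Test-BitLockerProfileState {
    param(
        [ValidateSet('CompleteHardDisk', 'SystemPartition')]
        [string]$EncryptedVolume = 'CompleteHardDisk',   # profile: Encrypted Volume
        [bool]$ExpectPin = $false,                        # profile: Enforce Encryption PIN on Login
        [bool]$PasswordIfNoTpm = $true,                   # profile: Use Password if TPM not Present
        [int]$MinRecoveryPasswords = 1                    # 1 for the unique key; 2 if the static key is also pushed
    )

    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. OS volume must be fully encrypted with protection on.
    #    FullyEncrypted + ProtectionStatus Off means BitLocker is suspended, not protecting anything.
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("OS volume status is $($os.VolumeStatus)")
    }
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("OS volume protection is $($os.ProtectionStatus) (suspended or never enabled)")
    }

    # 2. Authentication mode: which protector actually unlocks the drive at boot?
    $types = @($os.KeyProtector.KeyProtectorType)
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        $want = if ($ExpectPin) { 'TpmPin' } else { 'Tpm' }
        if ($types -notcontains $want) {
            $findings.Add("Expected $want protector, found: $($types -join ', ')")
        }
    } elseif ($PasswordIfNoTpm) {
        if ($types -notcontains 'Password') {
            $findings.Add("No usable TPM and no Password protector; the drive has no boot-time unlock")
        }
    } else {
        $findings.Add("TPM not present/ready and password fallback disabled; BitLocker cannot be enabled")
    }

    # 3. Recovery: at least one numerical recovery password must exist to be escrowed to the console.
    $rp = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -lt $MinRecoveryPasswords) {
        $findings.Add("Only $($rp.Count) recovery password protector(s) on the OS volume")
    }

    # 4. Complete Hard Disk means the data volumes Get-BitLockerVolume reports must be encrypted too.
    if ($EncryptedVolume -eq 'CompleteHardDisk') {
        Get-BitLockerVolume | Where-Object VolumeType -eq 'Data' | ForEach-Object {
            if ($_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On') {
                $findings.Add("Data volume $($_.MountPoint) is $($_.VolumeStatus) / protection $($_.ProtectionStatus)")
            }
        }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        TpmReady     = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        OsProtectors = ($types -join ', ')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage matching the profile built above (complete disk, TPM only, password fallback, unique + static key):
# Test-BitLockerProfileState -MinRecoveryPasswords 2 | Format-List
```

A TPM-only profile on a healthy device should report OsProtectors of "Tpm, RecoveryPassword" (plus a second RecoveryPassword if the static key is enabled) and Compliant set to True. A machine that fell back to a password protector, or one still showing protection Off after a maintenance window, will show up in Findings, which is exactly the kind of drift the console's summary page does not surface.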
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, Powershell, and operating system deployment.