Configure BitLocker settings in the Library

Microsoft BitLocker allows you to encrypt one or more drives associated with your managed Microsoft Windows device. It prevents data from being exposed to unauthorized users by encrypting each individual drive, as applicable. You can create and manage MS BitLocker configurations in the KACE Cloud Library. From there, you can apply each configuration to one or more specific MS Windows devices, or use policies to associate BitLocker configurations with specific Windows devices.

To configure BitLocker settings:

  1. Select the Libraries tab in top navigation.
  2. Click Security.
  3. Complete one of the following steps:
    • To create a new BitLocker configuration, choose Add New > BitLocker.
    • To edit an existing BitLocker configuration, select it in the list, and in the right panel, click Edit.
  4. In the BitLocker Configuration view that appears in the right panel, provide the following information:
    Name

    Specify the name of this BitLocker configuration.

    Hide Warning About Third Party Encryption

    By default, BitLocker warns users about existing third-party encryption. Enabling BitLocker on a system that already uses third-party encryption can cause data loss and may require Windows to be reinstalled. If BitLocker must be enabled silently, the third-party encryption warning must be hidden, because any related prompt breaks a silent enablement workflow. Select this option if you want to hide these warnings.

    Allow Standard Users To Enable BitLocker

    When a device is silently joined to MS Azure Active Directory, standard users can be allowed to enable BitLocker. By default, an administrator account is required, and for non-silent Azure domain joins an administrator account is always required. Select this option if you want to allow non-administrative users to enable BitLocker on their devices.
    Recovery Data Rotation

    Select if you want to manage the rotation of recovery keys, and choose one of the available options:

    • Disabled: Prevents the rotation of recovery keys.
    • Azure AD joined devices only: Allows only Azure AD joined devices to rotate the recovery key.
    • Azure and hybrid domain joined devices: Allows the rotation of recovery keys for both Azure and hybrid domain joined devices.
    Configure Startup Authentication

    Select if you want to configure the BitLocker startup authentication. You must configure this option when managing devices without a trusted platform module (TPM). Specify one or more of the options, as applicable:

    • Use Compatible TPM On Startup: Allows a compatible trusted platform module (TPM) on startup. Setting to Required only enables BitLocker if a compatible TPM is available. Microsoft recommends using a TPM with BitLocker. Alternatively, set it to Optional or Blocked, as applicable. A TPM-only protector unlocks the OS drive without user interaction, so it is the option compatible with silent enablement.
    • Use Compatible TPM Startup PIN: Allows a PIN to be used with a compatible trusted platform module (TPM) on startup. Setting to Required only enables BitLocker if a compatible TPM is available. Alternatively, set it to Optional or Blocked, as applicable. For silent installs, disable this setting because it requires user input.
    • Use Compatible TPM Startup Key: Allows a key such as a USB drive to be used with a compatible trusted platform module (TPM) on startup. Setting to Required only enables BitLocker if a compatible TPM is available. Alternatively, set it to Optional or Blocked, as applicable. For silent installs, disable this setting because it requires user input.
    • Use Compatible TPM PIN And Startup Key: Allows both a PIN and a key such as a USB drive to be used with a compatible trusted platform module (TPM) on startup. Setting to Required only enables BitLocker if a compatible TPM is available. Alternatively, set it to Optional or Blocked, as applicable. For silent installs, disable this setting because it requires user input.
    • Allow Non Compatible TPM: Allows devices with a non-compatible TPM. If there is no TPM present, the device requires a password or USB drive for startup.
    • Minimum Startup PIN Length: The minimum number of digits required for the startup PIN.
    Customize Preboot Recovery

    Select if you want to add information to device users on where to find their recovery information. Specify the following options, as applicable:

    • Preboot Recovery Screen Options: Select how you want to communicate recovery details:
      • Default: Uses the standard method for communicating recovery information to the user, as configured.
      • Empty: Does not provide any specific information.
      • Custom recovery message: Allows a custom message to appear on the pre-boot recovery screen.
        • Preboot Recovery Message: Specify the pre-boot recovery message.
      • Custom recovery URL: Allows a custom URL to appear on the pre-boot recovery screen.
        • Preboot Recovery URL: Specify the pre-boot recovery URL.
    Configure Encryption For OS Drives

    Select if you want to configure the encryption method and recovery options for the drive on which the operating system is installed. Specify the following options, as applicable:

    • Encryption Method For OS Drives: Choose a desired encryption method from the list. Microsoft recommends the XTS-AES algorithm for OS drives. The 256-bit option may have a performance impact. If an encryption method is configured for OS drives, you must configure it for fixed and removable drives as well.
    • Configure Recovery For OS Drives: Configure recovery information for OS drives.
      • Enable DRA For OS Drives: Allows Active Directory Domain Services data recovery agents (DRA) to recover BitLocker enabled drives.
      • OS Drive Recovery Password Creation: Indicates if and how you want to allow a device user to create a recovery password for OS drives.
      • OS Drive Recovery Key Creation: Indicates if and how you want to allow a device user to create a recovery key for OS drives.
      • OS Drive Recovery Backup Package: Specify what information you want to include in the recovery backup package:
        • Password and recovery key, or
        • Password only
      • Backup Recovery Information: Allows recovery information for OS drives to be backed up to Active Directory Domain Services. This is required for BitLocker recovery key rotation.
      • Hide Recovery Options For OS Drives During Setup: Prevents the user from accessing extra recovery options for OS drives during BitLocker setup.
      • Require Recovery Backup Before Enabling BitLocker: Prevents BitLocker from being enabled on an OS drive until the OS drive recovery information is successfully backed up to Active Directory Domain Services. This is required for BitLocker recovery key rotation.
    Configure Encryption For Fixed Drives

    Select if you want to configure the encryption method and recovery options for fixed drives. Specify the following options, as applicable:

    • Encryption Method For Fixed Drives: Choose a desired encryption method from the list. Microsoft recommends the XTS-AES algorithm for fixed drives. The 256-bit option may have a performance impact. If an encryption method is configured for fixed drives, you must configure it for OS and removable drives as well.
    • Block Write Access To Fixed Drives Not Using BitLocker: Select this option if fixed data drives that are not protected by BitLocker should be mounted read-only on the device.
    • Configure Recovery For Fixed Drives: Configure recovery information for fixed drives. These options are identical to the ones available for OS drives. See Configure Recovery For OS Drives.
    Configure Encryption For Removable Drives

    Select if you want to configure the encryption method and recovery options for removable drives. Specify the following options, as applicable:

    • Encryption Method For Removable Drives: Choose a desired encryption method from the list. Microsoft recommends the AES-CBC 128-bit or AES-CBC 256-bit encryption for removable drives. If an encryption method is configured for removable drives, you must configure it for OS and fixed drives as well.
    • Block Write Access To Removable Drives Not Using BitLocker: Select this option if removable drives that are not protected by BitLocker should be mounted read-only on the device.
    • Block Write Access To BitLocker Encrypted Removable Drives From Other Organizations: Select this option if removable drives encrypted by BitLocker under another organization's identification field should be mounted read-only on the device.
  5. In the BitLocker Configuration view, click Save.
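After the configuration has been applied to a device, it is worth confirming on the endpoint that the encryption method, startup authentication and recovery protectors actually match what was saved in the Library. The following PowerShell audit script is an added example, not KACE's own code or part of the original page. It uses the built-in BitLocker module (Get-BitLockerVolume), Get-Tpm and Get-Volume, must be run as an administrator, and assumes that the $Expected values mirror your Library configuration and that the device has already received the policy (MDM-delivered BitLocker policy and Group Policy both write the minimum PIN length to the FVE policy registry key).

```powershell
# Added example: audit a managed Windows device against a BitLocker configuration.
# Not KACE Cloud code. Run elevated. Read-only: nothing on the device is changed.
# Assumption: these expected values mirror the configuration saved in the Library.
$Expected = @{
    OsMethod        = 'XtsAes256'   # Encryption Method For OS Drives
    FixedMethod     = 'XtsAes256'   # Encryption Method For Fixed Drives
    RemovableMethod = 'Aes256'      # AES-CBC, recommended for drives used on older Windows
    OsProtector     = 'TpmPin'      # Use Compatible TPM Startup PIN: Required
    MinPinLength    = 6             # Minimum Startup PIN Length
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. "Use Compatible TPM On Startup: Required" only enables BitLocker when a TPM is present and ready.
$tpm = Get-Tpm
Add-Finding 'Compatible TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
    "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

# 2. Minimum startup PIN length as written to the FVE policy key by the delivered policy.
#    Assumption: the device has already received the BitLocker policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$minPin = (Get-ItemProperty -Path $fve -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
Add-Finding 'Minimum startup PIN length' ([int]$minPin -ge $Expected.MinPinLength) "MinimumPIN=$minPin"

# 3. Map mount points to drive types so fixed and removable drives are judged against their own method.
$driveTypes = @{}
Get-Volume | Where-Object DriveLetter | ForEach-Object { $driveTypes["$($_.DriveLetter):"] = "$($_.DriveType)" }

foreach ($vol in Get-BitLockerVolume) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $protectorList = 'Protectors: ' + ($types -join ',')
    $hasRecovery   = $types -contains 'RecoveryPassword'   # needed for backup and key rotation

    if ("$($vol.VolumeType)" -eq 'OperatingSystem') {
        Add-Finding "$mp OS drive encrypted and protected" `
            ("$($vol.VolumeStatus)" -eq 'FullyEncrypted' -and "$($vol.ProtectionStatus)" -eq 'On') `
            "$($vol.VolumeStatus)/$($vol.ProtectionStatus)"
        Add-Finding "$mp OS encryption method" ("$($vol.EncryptionMethod)" -eq $Expected.OsMethod) "$($vol.EncryptionMethod)"
        Add-Finding "$mp OS startup authentication" ($types -contains $Expected.OsProtector) $protectorList
        Add-Finding "$mp OS recovery password protector" $hasRecovery $protectorList
    }
    elseif ($driveTypes[$mp] -eq 'Removable') {
        Add-Finding "$mp removable encryption method" ("$($vol.EncryptionMethod)" -eq $Expected.RemovableMethod) "$($vol.EncryptionMethod)"
    }
    else {
        Add-Finding "$mp fixed encryption method" ("$($vol.EncryptionMethod)" -eq $Expected.FixedMethod) "$($vol.EncryptionMethod)"
        Add-Finding "$mp fixed recovery password protector" $hasRecovery $protectorList
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a KACE script job or other scheduler flag the device as non-compliant.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

An unencrypted removable drive that happens to be plugged in at audit time shows up as a failed "removable encryption method" check (its method is None), which is the expected result when the configuration requires encryption or blocks write access to unprotected removable drives. The script deliberately does not create or back up protectors; if a recovery password is missing, fix the Library configuration and let the policy re-apply rather than adding protectors by hand, because recovery key rotation depends on the policy-driven backup to Active Directory Domain Services described above.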