![bitlocker on the go hardware encryption bitlocker on the go hardware encryption](https://www.polyu.edu.hk/its/images/Newsletter/2018/Feb18/bitlocker_screen2.jpg)
- #Bitlocker on the go hardware encryption upgrade
- #Bitlocker on the go hardware encryption windows 10
Windows 10 version 1703-1803 do not support Windows 10 Pro, only Enterprise.
#Bitlocker on the go hardware encryption upgrade
The version you upgrade to may also be important if you don’t have Windows 10 Enterprise. The BitLocker CSP isn’t available in Windows 10 prior to version 1703, so you should upgrade devices to the latest feature version. In addition to the configuration detailed above, we’ll conclude with notes on important prerequisites and advice for making your rollout successful. Important Notes about Intune BitLocker Deployment You can now assign this device configuration profile only to device groups that you want to enforce the policy on. So this policy is not foolproof against a dedicated adversary, but a good first-line-of-defence against accidental noncompliance. Your “organisation” is determined by the IdentificationField, which is ultimately is a string held in the registry. From here, choose to Create profile of template Endpoint protection.īy choosing to block for both settings, you ensure that drives are mounted in read-only mode until encrypted, which users will be prompted to do, and also limit write access to encryption delivered by your environment’s devices, rather than BitLocker encrypted by other environments or on BYOD devices. Therefore, we want to have different rules for different devices, and do this with configuration profiles found in Devices > Windows > Configuration profiles. For example, if the IT department regularly provisions USB boot devices for OS deployment, you shouldn’t force all of those to be encrypted, nor may you want to enforce encryption on departments that will send devices to customers. While enforcing removable storage devices to be encrypted is generally regarded as a wise move to improve things such as data loss prevention, many environments should not deploy it universally to all devices. Device configuration profile – configuration settings The remaining two settings to block write access if configured as endpoint security profile can lead to conflicts if you want different rules for different devices, so are best controlled using device configuration profiles. The only setting it’s recommended be configured here is setting the encryption method to AES-256-XTS.
![bitlocker on the go hardware encryption bitlocker on the go hardware encryption](https://www.isumsoft.com/images/windows-10/unlock-bitlocker-encrypted-drive-in-windows-10/bitlocker-drive-encryption.png)
Operating system drives are controlled by OS drive settings and recommended settings, below, are mostly the same as fixed data-drives, but with settings for startup and keys too. 256-bit key sizes and different ciphers is beyond the scope of this article, but AES-256-XTS is generally agreed to offer the best balance of strong encryption for regulatory compliance along with ease of use in Windows 10 environments. Block write access to fixed data-drives not protected by BitLocker is recommended as it prevents saving data on unencrypted drives, and may be important for compliance reasons.įinally, it’s recommended that AES-256-XTS is used as the encryption method. By specifying require device to backup recovery information to Azure AD, you introduce a safeguard whereby the encryption will not take place if a recovery key cannot be created. Recovery key file creation, configure BitLocker recovery package, and hide recovery options during BitLocker setup are configured as prerequisites for silent encryption. Here’s the reasoning behind some of the less intuitive settings.