Enabling BitLocker Encryption to Remote Windows 10 Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 2105 and later

Overview

Introduction

This tutorial helps you to configure remote encryption for Windows 10 devices with VMware Workspace ONE® UEM (unified endpoint management).

In these exercises, we will configure a BitLocker Encryption profile and verify that the profile has been applied to devices.

We will also explore Workspace ONE UEM device compliance and remediation actions, and create reports, dashboards, and automated actions with VMware Workspace ONE® Intelligence.

The steps are sequential and build upon one another. Ensure that you complete the steps in order.

What Is BitLocker Encryption

Consumer Simple Encryption

When it comes to BitLocker encryption for Windows 10 devices, the security by design approach provides the best user experience. Security by design implements device encryption in a way that feels like a non-disruptive, natural part of the device experience.

Enterprise Secure Devices

Create a BitLocker encryption profile to keep Windows 10 device data enterprise secure. After the profile is configured, Workspace ONE Intelligent Hub automatically enforces encryption settings as part of the device’s general security posture. Use the Workspace ONE UEM compliance engine to ensure devices remain compliant.

For more information, see Microsoft Docs: BitLocker Overview.

Solving Current Device-Encryption Challenges

Two security principles that are top of mind when dealing with device encryption are least privilege and separation of duties.

Workspace ONE UEM leverages role-based access controls (RBAC) for admins, allowing you to grant access to view recovery keys only to the admins who require access. 

In addition to RBAC, Workspace ONE UEM logs each viewing of a recovery key by each admin to the console event logs, which can also be sent to your preferred Syslog provider. This allows InfoSec to audit admin access to recovery keys, for example to detect a rogue admin attempting to capture all recovery keys.

Workspace ONE UEM BitLocker encryption also helps in the following ways:

Current Device Encryption Challenges                  | Workspace ONE UEM BitLocker Encryption
------------------------------------------------------|--------------------------------------------------------
Additional license costs with third-party tools       | Eliminates third-party license costs
Another third-party agent for encryption              | Single agent for all advanced management capabilities
Inability to enforce encryption locally on the device | Local enforcement for off-network and off-domain devices
No separation of duties for admins                    | Granular, role-based access controls
Complex management via GPOs/scripts                   | Simple profile with comprehensive controls
Recovery key management                               | Auto escrowing of recovery keys
High help desk costs for end-user recovery            | Self-service portal key retrieval

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Workspace ONE UEM Documentation and VMware Docs: Encryption Profile (Windows Desktop).

Workspace ONE Requirements

Ensure that you have the following Workspace ONE components installed and configured:

  • A Workspace ONE UEM tenant with admin access to:
    • Enroll a Windows 10 device into the Workspace ONE UEM environment.
    • Configure and deploy a BitLocker policy.
    • Workspace ONE self-service portal URL for retrieval of the recovery keys.
  • Workspace ONE Intelligence with admin access to:
    • Configure reports, dashboards, and automations.  

For more details about BitLocker profiles, see VMware Docs: Windows Desktop Encryption Profile.

Windows 10 Device Requirements

On the Windows 10 device, check that you have the following components installed and configured:

  • Windows Pro, Enterprise, or Education device - enrolled in Workspace ONE UEM. 
  • Disk with a minimum of two partitions.
  • 350 MB boot partition with the appropriate format:
    • NTFS Mode — Use if booting in legacy BIOS mode.
    • FAT32 Mode — Use if booting in UEFI mode.
  • TPM version 1.2 or later.
    • Workspace ONE can provide encryption for devices without TPM. The best practice is to use devices with TPM.
  • Meet Windows system requirements for BitLocker.

For additional assistance and information, see:

Enabling BitLocker Encryption with Workspace ONE UEM

Configuring BitLocker Encryption in Workspace ONE UEM

Profiles allow you to modify how the enrolled devices behave. This section helps you configure and deploy BitLocker encryption using a profile, and verify that the profile has been applied to the device.

Configuring BitLocker Encryption in Workspace ONE UEM consists of the following tasks:

  1. Add Windows 10 Device Profile.
  2. Select the Windows Platform.
  3. Configure Profile General Settings.
  4. Configure BitLocker Encryption Settings.
  5. Configure BitLocker Authentication Settings.
  6. Configure BitLocker Static Recovery Key Settings.
  7. Configure BitLocker Suspend.
  8. Assign and Review BitLocker Profile in Workspace ONE UEM.

1. Add Windows 10 Device Profile

Add Windows 10 device profile when configuring BitLocker for Windows 10.
  1. In the Workspace ONE UEM console, select Add.
  2. Select Profile.

2. Select the Windows Platform

Select the Windows platform, the Windows Desktop device type, and the profile context when configuring BitLocker encryption in the Workspace ONE UEM console.
  1. Select the Windows platform.
  2. For the Device Type, select Windows Desktop.
  3. Select the Context of the profile to Device.

3. Configure Profile General Settings

Define General Settings when configuring Windows 10 BitLocker.
  1. Select General if it is not already selected.
  2. Enter a profile name in the Name text box, for example, BitLocker Encryption.
  3. Click in the Assigned Groups text box.
    • This displays the list of Assignment Groups that have been created. Select the Assignment Group to which you want to deploy the profile.
  4. Select the Encryption payload and click Configure.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

4. Configure BitLocker Encryption Settings

 Configure BitLocker Encryption Settings
  1. Select OS Drive and All Fixed Hard Drives from the Encrypted Volume drop-down menu.
    • Choosing this option encrypts the entire hard disk on the device, including the System Partition where the OS is installed and any additional drives.
  2. Leave Encryption Method set to System Default.
    • When you select another encryption method, such as XTS AES 128 bit, from the Encryption Method drop-down menu, an additional option appears.
    • Select Default to the System Encryption Method as a fail-safe for devices that do not support the selected encryption method.
    • For example, this setting ensures that devices running Windows 10 1507 and earlier, which do not support XTS encryption, still get encrypted.
  3. Enable Only Encrypt Used Space During Initial Encryption to reduce the time required for encryption.
    • Important: The drive’s unused space remains unencrypted, potentially placing confidential data at risk.
  4. Enter the Self-Service Portal URL, https://[Your Device Services Host Name]/MyDevice, in the Custom URL for the Recovery text box.
    • This URL is displayed on the lock screen and directs end users to their recovery key.
    • Tip: URL shorteners and URL redirections can help users remember the URL.
    • For example, https://staff.company.com/mydevice (redirecting to the Workspace ONE UEM Self-Service Portal URL).
  5. Select Enable BitLocker To Go to enable encryption on removable drives.

Warning:

The Force Encryption setting will force encryption on the device and immediately re-encrypt the device if BitLocker is manually turned off. Be cautious when enabling this setting as it may interfere with BitLocker Suspend functions.

Use Keep System Encrypted at All Times to retain encryption if the profile is removed, the device is wiped, removed from Azure AD, disconnected from its Work or School account, deleted from the Workspace ONE UEM console, or the Intelligent Hub is uninstalled. This does not apply to employee-owned devices.

This means encryption stays on the device even after it is unenrolled. The device may boot into BitLocker recovery mode, in which case the BitLocker recovery key must be entered.

Use these settings only for use cases that match the encryption rules your organization requires.

5. Configure BitLocker Authentication Settings

 Configure BitLocker Authentication Settings for BitLocker encryption in the Workspace ONE admin console.
  1. Using the scroll bar on the right, scroll down to the BitLocker Authentication Settings section.
  2. Select TPM as the Authentication Mode to use the device’s Trusted Platform Module to authenticate.
  3. Select Require PIN at startup.
    • This option locks out OS startup and auto-resume from suspend or hibernate until the user enters the correct PIN.
  4. Specify the PIN Length to match organizational complexity requirements. For example, enter 4.
  5. Select Use Password if TPM Not Present to use a password as a fallback if TPM is unavailable.
    • If deselected, devices that do not have TPM do not encrypt.
  6. Configure Minimum Password Length to match organizational complexity requirements.
    • For example, enter 8. This setting applies to the Password authentication mode and to the Use Password if TPM Not Present setting.

6. Configure BitLocker Static Recovery Key Settings

Configure BitLocker Static Recovery Key Settings in the Workspace ONE admin console.
  1. Using the scroll bar on the right, scroll down to the BitLocker Static Recovery Key Settings section.
  2. Select Create Static BitLocker Recovery Key to create a shared key for a group of devices. This simplifies key recovery for IT personnel who use the shared key to unlock devices.
  3. Click the arrow icon to generate a static recovery key.
  4. Enter 28 or any value greater than 0 into the Rotation Period text box to create a rotation schedule. Enter 0 to opt out of the rotation schedule.
  5. Enter 7 into the Grace Period text box to specify the number of days after rotation that the previous recovery key still works.

7. Configure BitLocker Suspend

Configure BitLocker Suspend in the Workspace ONE UEM admin console.
  1. Using the scroll bar on the right, scroll down to the BitLocker Suspend section.
  2. Select Enable BitLocker Suspend.
    • This suspends BitLocker encryption during maintenance periods and allows devices to reboot without end-user interaction.
    • This setting is particularly important for kiosk or shared devices, or when updating device drivers or installing some Windows updates.
  3. Select Schedule from the Suspend BitLocker Type drop-down menu. This suspends BitLocker during a specific time period that repeats daily or weekly.
  4. Enter the suspend start and end time.
    • BitLocker Suspend Start Time: set to 11:00 PM
    • BitLocker Suspend End Time: set to 6:00 AM
  5. Select Daily from the Scheduled Repeat Type drop-down menu.
  6. Click Save & Publish, review the devices assigned, and select Publish.

TIP: You can also Suspend BitLocker encryption manually on individual devices from the Device Details Screen in Workspace ONE UEM.

8. Review BitLocker Profile in Workspace ONE UEM

Review BitLocker for Windows 10 profile in the Workspace ONE UEM admin console.
  1. In the Workspace ONE UEM console, navigate to Resources then Profiles and Baselines, then Profiles.
  2. Search for the BitLocker Encryption Profile. The BitLocker Encryption Profile now appears in the Device Profiles list view.

Verifying BitLocker Encryption Settings

Now that you have configured and deployed BitLocker encryption using a profile, verify that the profile has been applied to the device.

Confirming BitLocker Encryption consists of the following tasks:

  1. Verify Encryption Status in the Workspace ONE UEM Console.
  2. Confirm Encryption in Windows 10 Device Settings.
  3. Confirm Encryption in Elevated Command Prompt (Optional).

On your Windows 10 device, follow the steps to confirm that the encryption settings have applied.

1. Verify Encryption Status in the Workspace ONE UEM Console

There are a few different locations in the Workspace ONE UEM console where you can view the device's encryption details. Let's explore these.

Important:

The Workspace ONE UEM console displays device encryption details specific to BitLocker and not any third-party anti-virus encryption (for example, McAfee).

For details on how to get third-party anti-virus encryption details, we recommend using Workspace ONE Sensors.

1.1. Navigate to Device Details Tab

Encryption status for Windows 10 BitLocker in the Workspace ONE UEM Device Details tab.

Select a device in the Workspace ONE UEM console and ensure that you are in the Device Details view.

  1. Navigate to the device Summary tab.
  2. Review BitLocker Status details in the Security section.

1.2. Navigate to Device Security Tab

Check Windows 10 BitLocker Encryption Status in Workspace ONE UEM Device Security Tab.
  1. Navigate to the Security tab. Select it from the drop-down list if necessary.
  2. Review BitLocker Encryption details and statuses.

2. Confirm BitLocker Encryption in Windows 10 Device Settings

Encryption can also be confirmed on the device itself. The following steps detail how to confirm BitLocker encryption on the device.

2.1. Open BitLocker

Confirm BitLocker encryption status in the BitLocker app.
  1. In the Windows search bar, enter BitLocker.  
  2. Select Manage BitLocker.

2.2. Verify that BitLocker Encryption is Enabled

 Verify that BitLocker Encryption is enabled.
  1. Confirm that BitLocker Encryption is on or is still currently encrypting.

3. Confirm Encryption in Elevated Command Prompt (Optional)

 Confirm BitLocker Encryption in an Elevated Command Prompt (Optional).
  1. In the Windows search bar, enter Command Prompt.
  2. Select Run As Administrator.
  3. For a more detailed view, enter manage-bde -status in the elevated command prompt.
  4. Review the encryption details of each hard drive.
  5. Review the properties of each status, for example Encryption Method and Percentage Encrypted.

BitLocker Encryption Policy for Multiple Hard Drives

When you are working with a BitLocker encryption policy for multiple hard drives, the encryption method must be the same for all hard drives.

For example:

✅ Supported                        | ❌ NOT Supported
-----------------------------------|-----------------------------------
C: drive using XTS 256 bit and     | C: drive using XTS 128 bit and
D: drive using XTS 256 bit         | D: drive using XTS 256 bit
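The manage-bde -status check and the same-method rule above can be scripted so the same verification is repeatable across many devices. The following is an added example, not part of this tutorial or of Workspace ONE: a PowerShell audit built on the Get-BitLockerVolume, Get-Tpm and Get-Volume cmdlets that ship with Windows 10, which reports each fixed drive, flags mixed encryption methods, a missing TPM-and-PIN protector on the OS drive, and a missing recovery password protector, and maps the device to the statuses that the Encryption compliance rule later in this tutorial distinguishes. It assumes an elevated session and that the profile selected XTS AES 256 bit as the encryption method.

```powershell
# Added example; not part of the VMware tutorial or of Workspace ONE. Audits the local
# device's BitLocker posture against the settings this tutorial configures, using only the
# BitLocker, TrustedPlatformModule and Storage cmdlets that ship with Windows 10.
# Run from an elevated PowerShell session. The expected encryption method is an assumption.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param(
        # Method the profile is expected to apply to every fixed drive (assumed: XTS AES 256).
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$ExpectedMethod = 'XtsAes256'
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Removable drives are governed by BitLocker To Go; keep them out of the fixed-drive audit.
    $removable = @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '[A-Z]' } |
        ForEach-Object { "$($_.DriveLetter):" })
    $volumes = @(Get-BitLockerVolume | Where-Object { $_.MountPoint -notin $removable })

    # TPM 1.2 or later is the recommended authentication mode; without it only the password fallback applies.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM present: encryption relies on "Use Password if TPM Not Present".')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready: TPM-based protectors cannot be used yet.')
    }

    # One row per fixed volume, normalising enum values to strings for easy comparison.
    $report = @(foreach ($v in $volumes) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            VolumeType          = [string]$v.VolumeType
            VolumeStatus        = [string]$v.VolumeStatus
            ProtectionStatus    = [string]$v.ProtectionStatus
            EncryptionMethod    = [string]$v.EncryptionMethod
            PercentEncrypted    = $v.EncryptionPercentage
            Protectors          = ($types -join ',')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    })
    $os        = $report | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
    $encrypted = @($report | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })

    # Tutorial rule: every encrypted fixed drive must use the same method, and it should be the
    # one the profile specifies.
    $methods = @($encrypted | Select-Object -ExpandProperty EncryptionMethod -Unique)
    if ($methods.Count -gt 1) {
        $findings.Add("Mixed encryption methods across fixed drives: $($methods -join ', ')")
    }
    foreach ($r in $encrypted | Where-Object { $_.EncryptionMethod -ne $ExpectedMethod }) {
        $findings.Add("$($r.MountPoint) uses $($r.EncryptionMethod); profile expects $ExpectedMethod")
    }

    # Authentication settings step: TPM with a PIN required at startup on the OS drive.
    if ($os -and $os.Protectors -notmatch 'TpmPin') {
        $findings.Add("OS drive protectors are '$($os.Protectors)'; expected a TpmPin protector")
    }

    # The RecoveryPassword protector is what Workspace ONE escrows as the Personal Recovery Key.
    foreach ($r in $encrypted | Where-Object { -not $_.HasRecoveryPassword }) {
        $findings.Add("$($r.MountPoint) has no RecoveryPassword protector to escrow")
    }

    # Map the device to the states the tutorial's Encryption compliance rule distinguishes.
    $state = if (-not $os -or $os.VolumeStatus -eq 'FullyDecrypted') { 'Not Applied to System Drive' }
             elseif ($encrypted | Where-Object { $_.ProtectionStatus -eq 'Off' }) { 'Suspended' }
             elseif ($report | Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' }) { 'Not Applied to Some Drives' }
             else { 'Encrypted' }

    [pscustomobject]@{
        ComplianceState = $state
        Volumes         = $report
        Findings        = $findings.ToArray()
    }
}

$posture = Get-BitLockerPosture
$posture.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
    EncryptionMethod, PercentEncrypted, Protectors -AutoSize
"Compliance state: $($posture.ComplianceState)"
$posture.Findings | ForEach-Object { "FINDING: $_" }
```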

After you have completed Confirming Encryption in Windows 10 Device Settings, perform the following:

Note: BitLocker authentication and suspension policies apply to the device as a whole, not to each individual drive.

If you set TPM as the BitLocker authentication mode, it is used for all encrypted drives.

1. Review BitLocker Policy

Review BitLocker Encryption Policy in Workspace ONE UEM.
  1. Review the BitLocker policy and ensure that Encrypted Volume is set to OS Drive and All Fixed Hard Drives.

2. Review Multiple Hard Drives

Review Windows 10 BitLocker encryption status in the Workspace ONE UEM Device Security tab.
  1. Navigate to the Security tab. Select it from the drop-down list if necessary.
  2. Review BitLocker Encryption details and statuses for all hard drives.
Review BitLocker recovery keys in the Workspace ONE UEM console.
  1. Toggle between the drive letters to see the recovery keys. In this example, we have two additional fixed drives.
  2. Review the Personal Recovery Key and the Static Recovery Key.

Note: The Static Recovery Key will remain the same for all encrypted drives.

Enabling BitLocker Encryption for Removable Storage (BitLocker To Go)

1. What is BitLocker To Go?

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:

  • USB flash drives
  • SD cards
  • External hard disk drives
  • Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.

When BitLocker To Go is enabled, the Workspace ONE Intelligent Hub prompts the user to enter a password/PIN of at least 8 characters to encrypt the removable drive. The removable drive is encrypted using the AES 128-bit cipher.

2. How to Enable BitLocker To Go Encryption Settings

 Configure BitLocker Encryption Settings
  1. When configuring a BitLocker profile, make sure you select Enable BitLocker To Go to enable encryption on removable drives.

3. Set Up a BitLocker To Go PIN

When a removable drive is inserted, the Workspace ONE Intelligent Hub detects the removable drive, then:

  • The Workspace ONE Intelligent Hub suppresses the Microsoft wizard for BitLocker To Go.
  • The Workspace ONE Intelligent Hub launches the password capture screen.
  • The screen validates that the password meets the 8-character minimum and that both entries match.
  • The Workspace ONE Intelligent Hub begins the encryption process on the removable storage device (BitLocker To Go).

Encryption progress on the local device can be viewed under BitLocker in the Windows Control Panel, or from a Command Prompt by entering manage-bde -status.

 Setting Up a PIN
  1. Enter a password/PIN of at least 8 characters to encrypt the removable drive.
  2. Click Save.

4. Unlock Removable Storage Devices (BitLocker to Go) - Notification Prompt

 Unlocking BitLocker To Go Devices

When the removable storage device is inserted, the user is prompted to enter the password/PIN of at least 8 characters.

  1. This can be done by clicking the pop-up notification once the drive is inserted.
  2. The user can then enter the password or select More options.
  3. Selecting More options allows the user to enter a recovery key (obtained from Workspace ONE UEM via the help desk) or to select Automatically unlock on this PC so that the password is not required every time the drive is inserted.
  4. If the user selects Enter recovery key, the user is prompted to enter the 48-digit recovery key after obtaining it from the help desk.

5. Unlock Removable Storage Devices (BitLocker to Go) - File Explorer

 Unlocking BitLocker To Go Devices

Users can also unlock the removable storage device from File Explorer.

  1. Ensure that you are on This PC.
  2. When encrypted, the USB drive is shown with a padlock icon. Double-click the drive to enter the password and unlock it.

6. View Removable Storage (BitLocker To Go) in Workspace ONE UEM

 Viewing removable encrypted drives in Workspace ONE UEM.

In the Workspace ONE UEM Console

  1. Navigate to Devices.
  2. Select Peripherals.
  3. Select List view.
  4. Click Removable Storage.

7. Access Recovery Keys for Removable Storage (BitLocker to Go)

You can review all removable drives information fields such as:

  • Device Name
  • Recovery ID
  • Username
  • Capacity
  • Date Encrypted
  • Recovery Key
 Access Recovery Keys for BitLocker to Go
  1. If the user has forgotten their password and needs to enter the recovery key, the first 8 digits of the Recovery ID are shown to them on the unlock screen. The full Recovery ID is shown in the Workspace ONE UEM console.
  2. Select View to view the recovery key.

7.1. View Recovery Keys for Removable Storage (BitLocker to Go)

 Access Recovery Keys for BitLocker to Go

Select Copy to copy the recovery key and pass it on to the end user.

8. Enter Recovery Keys for Removable Storage (BitLocker to Go)

 Access Recovery Keys for BitLocker to Go

The user is prompted to enter the 48-digit recovery key.

BitLocker Suspend and Resume

Suppose you need to install new software that BitLocker might otherwise block. In that case, you can suspend BitLocker, complete the action within the suspension window, and then resume BitLocker protection on the drive.

Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, the suspension makes the key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.

While suspended, BitLocker does not validate system integrity at start-up. You might suspend BitLocker protection for firmware upgrades or system updates.

For more information, see Microsoft Docs: BitLocker Suspend.

1. Suspend and Resume BitLocker by Policy

 Suspend and Resume BitLocker by Policy

You can configure BitLocker encryption to temporarily Suspend and Resume during a specific time, repeating daily or weekly.

For configuration options, review Configure BitLocker Suspend and Resume.

2. Suspend and Resume BitLocker by Individual Device

You can also temporarily Suspend and Resume for a specific device, specifying the number of reboots before BitLocker is Resumed.

2.1. Select the Device

 Suspend and Resume BitLocker by Individual Device.
  1. In the Workspace ONE UEM console, navigate to Devices.
  2. Select List View.
  3. Select the device on which you want to individually suspend BitLocker Encryption.

2.2. Suspend BitLocker from Device Details More Actions

 Suspend and Resume BitLocker by Individual Device.
  1. Click More Actions.
  2. Select Suspend BitLocker.

2.3. Suspend BitLocker Encryption

 Suspend BitLocker Encryption
  1. Select the number of reboots until BitLocker resumes.
  2. Enter the reason for BitLocker Suspension.
  3. Click Save.

2.4. Review BitLocker Suspension

Review BitLocker Suspension

Review the BitLocker Status for the device. This will also display how many reboots are remaining until BitLocker resumes.

2.5. Resume BitLocker from Device Details More Actions

While BitLocker is in a suspended state, admins can resume BitLocker encryption directly from the Workspace ONE UEM console.

 Resume BitLocker
  1. Click More Actions.
  2. Select Resume BitLocker.

BitLocker Device Recovery Keys

Important: Ensure that you read What causes BitLocker recovery in the Microsoft Docs: BitLocker recovery guide. Having a Recovery Key process plan is critical for users to get back into their Windows devices.

Understanding Device Recovery Keys

BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. 

Workspace ONE UEM leverages role-based access controls (RBAC) for admins, allowing you to grant access to view recovery keys only to the admins who require access.

End users can log in to the self-service portal to retrieve their BitLocker recovery key. Role-based access controls (RBAC) for the self-service portal allow this feature to be turned off.

There are many different scenarios where a machine might prompt a user for the recovery key on reboot. These are well documented in the Microsoft Docs: BitLocker recovery guide.

Review BitLocker recovery keys for multiple hard drives in the Workspace ONE UEM Console.
  1. Toggle between the drive letters to see the Recovery keys. In this example, we have additional fixed drives.
  2. Review the Personal Recovery Key and the Static Recovery Key.

1. Access Device Recovery Key in the Self-Service Portal

 Accessing BitLocker recovery keys in the Self-Service Portal.
  1. Navigate to the self-service portal URL and log in.
    • For example, your self-service URL will be https://[Your Device Services Host Name]/MyDevice
  2. Click Go To Details.
 Accessing BitLocker recovery keys in the Self-Service Portal.
  1. Expand the More tab.
  2. Select Security.
 Accessing the recovery key in the Self-Service Portal.
  1. Navigate to Encryption to find the recovery key.

2. Enter the Device Recovery Key at Boot Up

 Entering the BitLocker Recovery Key at the Windows prompt.
  1. Enter the BitLocker recovery key.
  2. In the policy, we set up a self-service URL; that Self-Service URL appears on this screen.

As a test, you can force a drive into recovery. Open Windows PowerShell as an administrator and enter the following command, replacing C: with the drive letter:

manage-bde C: -forcerecovery
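Relaying a 48-digit recovery key by phone is error-prone, and a mistyped group is only discovered when the user's entry is rejected at the recovery screen. The following is an added example, not part of this tutorial or of Workspace ONE: a PowerShell check a help desk can run on a key before reading it out, based on the publicly known structure of the BitLocker recovery password (eight groups of six digits, each group divisible by 11 and below 720896, that is a 16-bit value times 11). The sample keys are constructed and not real.

```powershell
# Added example; not part of the VMware tutorial or of Workspace ONE. Checks that a 48-digit
# BitLocker recovery password is well-formed before it is read to a user. The recovery password
# is eight groups of six digits; each group is a 16-bit value multiplied by 11, so every group
# must be divisible by 11 and below 720896. A misheard or mistyped digit breaks one of these
# checks, which lets the help desk catch the error before the user types it at the prompt.

function Test-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RecoveryPassword
    )

    # Accept the hyphenated form shown in the console and on the recovery screen, spaces, or bare digits.
    $digits = $RecoveryPassword -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{ Valid = $false; Group = 0; Reason = 'Expected 48 digits in 8 groups of 6' }
    }

    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        # Divisibility by 11 is the per-group check digit; the range check bounds the 16-bit value.
        if ($group % 11 -ne 0) {
            return [pscustomobject]@{ Valid = $false; Group = $i + 1; Reason = "Group $($i + 1) ($text) is not divisible by 11" }
        }
        if ($group -ge 720896) {
            return [pscustomobject]@{ Valid = $false; Group = $i + 1; Reason = "Group $($i + 1) ($text) exceeds the 16-bit range" }
        }
    }
    [pscustomobject]@{ Valid = $true; Group = 0; Reason = 'All 8 groups pass the checksum' }
}

# Re-formats bare or space-separated digits into the hyphenated groups users read from the console.
function Format-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [string]$Digits
    )
    $clean = $Digits -replace '[\s-]', ''
    (0..7 | ForEach-Object { $clean.Substring($_ * 6, 6) }) -join '-'
}

# Constructed sample values, not real keys: the first is well-formed; the second has one digit
# changed in the last group, the kind of error introduced when a key is relayed by phone.
$wellFormed = '000011-000022-135795-720885-005500-047531-109989-660000'
$mistyped   = '000011 000022 135795 720885 005500 047531 109989 660001'

Test-BitLockerRecoveryPassword -RecoveryPassword $wellFormed
Test-BitLockerRecoveryPassword -RecoveryPassword $mistyped
Format-BitLockerRecoveryPassword -Digits $mistyped
```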

3. Access Recovery Keys for Removable Storage (BitLocker To Go)

Removable storage devices are distinct from Windows PCs. Their recovery keys must remain accessible even if the device or user is no longer in the Workspace ONE UEM console.

You can find the recovery keys and the list of removable storage devices in Workspace ONE UEM under:

  • Devices > Peripherals
  • Accounts > Users > Removable Storage

3.1. Recovery Keys for Removable Storage Device by User

 Recovery Keys for Removable Storage Device by User

In the Workspace ONE UEM console:

  1. Navigate to Accounts.
  2. Select Users and Select a User.
  3. After a User is Selected, click the Removable Storage tab.

3.2. View All Removable Storage Devices

 Viewing removable encrypted drives in Workspace ONE UEM.

In the Workspace ONE UEM console:

  1. Navigate to Devices.
  2. Select Peripherals.
  3. Select List view.
  4. Click Removable Storage.

Configuring Compliance Policy for Device Encryption

Configuring Device Compliance for BitLocker Encryption

The compliance engine is an automated tool in Workspace ONE UEM that ensures all devices abide by your policies. These policies can include basic security settings such as device encryption status. The Workspace ONE compliance engine detects whether encryption is enabled on the device. Windows supports third-party encryption solutions, so Workspace ONE can set a compliance policy around encryption even if the device has been encrypted using a third-party encryption tool.

When devices are determined to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.

You can automate escalations when corrections are not made, for example, locking down the device, marking the device as noncompliant to trigger Zero-Trust access policies with Workspace ONE Access, and notifying the user of any remediation steps. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Workspace ONE UEM console.

For more information on Workspace ONE compliance policies, see VMware Docs: Compliance Policies.

1. Add Compliance Policy

Add Compliance Policy in Workspace ONE UEM for Windows 10 BitLocker.
  1. In the Workspace ONE UEM console, select Add.
  2. Select Compliance Policy.

2. Select the Windows Platform

Select the Windows platform and the Windows Desktop device type in Workspace ONE UEM when configuring Windows 10 BitLocker compliance.
  1. Select the Windows platform.
  2. For the Device Type, select Windows Desktop.

3. Add Compliance Policy Rule

Add a compliance policy rule in Workspace ONE UEM when configuring Windows 10 BitLocker.
  1. Select the Rules tab.
  2. Select Encryption as the compliance flag.
  3. Change the Rule to Is.
  4. Select the compliance value.
    • Drop-down values include Not Applied to System Drive, Not Applied to Some Drives, or Suspended.

Note: For a BitLocker Status of Not Applied to Some Drives or Suspended, Workspace ONE Intelligent Hub 2101 or later is required.

4. Add Compliance Policy Action

Add Compliance Policy Action in Workspace ONE UEM when configuring BitLocker encryption.

Define the consequences of noncompliance within your policy by completing the Actions tab.

  1. Select the Actions tab.
  2. Select Command as an Action.
  3. Select Request Device Check In as the Command.
    • This ensures that the device has checked into the Workspace ONE UEM console with the latest information. You can re-evaluate the compliance Rule in the Compliance tab of the device details.
  4. Select Notify as an Action.
  5. Select Send Email to User.
    • This sends a compliance email to the end user with remediation actions they can take.
    • You can select the default template, or customize the compliance templates based on the compliance rule.
  6. Select Profile as an Action.
  7. Select from the following:
    • Install Compliance Profile - Install a compliance profile.
    • Block/Remove Profile - Block or remove a specific profile, for example, Certificates.
    • Block/Remove All Profiles - Remove all profiles from the device until the device is compliant.
  8. At any escalation step, you can mark the device as non-compliant. This will trigger any conditional access policies you may have set within Workspace ONE Access.
  9. Click Next.

Tip: The Mark as Not Compliant check box is enabled (selected) by default for each newly added Action.

Tip: If one action has the Mark as Not Compliant option enabled, then all subsequent actions and escalations are also marked as not compliant. These subsequent check boxes cannot be edited.

5. Assign the Compliance Policy

Assign the Compliance policy in Workspace ONE UEM for Windows 10 BitLocker.
  1. Ensure that you are on the Assignment tab.
  2. Select a Smart Group to apply the device compliance policy to.
  3. Click View Device Assignment to see the devices.

6. View Device Policy Assignment

View Device Policy Assignment in Workspace ONE UEM for Windows 10 BitLocker.
  1. Selecting View Device Assignment allows you to review the devices assigned to the compliance policy.

7. Activate the Compliance Policy

Activate the Compliance Policy in Workspace ONE UEM for Windows 10 encryption.
  1. Ensure that you are on the Summary tab.
  2. Enter a Name for the Compliance Policy.
    • For example, Encryption.
  3. Enter a description for the Compliance Policy.
    • For example, Encryption. You might also want to specify in the description how a similar Encryption Compliance Policy will differ.
  4. Review the Device Summary.
    • This displays how many devices in total have been assigned the Compliance Policy. This also displays how many devices are currently Compliant and how many are Non-Compliant.
    • Use this information before you activate compliance policies. If your remediation action might cause calls to the help desk, you can apply the compliance policy in stages, or extend the Escalated Actions to 7 days instead of 1 day, for example.
  5. Click Finish and Activate.
    • This activates the policy and compliance actions are sent to the devices.

8. Review Compliance Policy

Review Compliance Policy for Windows 10 encryption in Workspace ONE UEM.

Navigate to Devices > Compliance Policies > List View.

  1. Ensure that the Encryption policy is active and review the Compliant status.

Automating Reports for Device Encryption

Creating Reports for Windows 10 Encryption

Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire end-user computing environment. 

In this exercise, you will use Workspace ONE Intelligence to generate a report displaying the Windows Device Encryption Details.

Before you begin, ensure that Workspace ONE Intelligence is set up and configured so that it is ready to generate the report.

For more information on this initial setup, see Getting Started with Workspace ONE Intelligence Reports and Dashboards: Workspace ONE Operational Tutorial.

1. Create Reports with Workspace ONE Intelligence

Create Workspace ONE Intelligence Reports for Windows 10 BitLocker.

Navigate to the Workspace ONE Intelligence console.

  1. Select the Reports tab.
  2. Click Add.

2. Add Report

Add Report in Workspace ONE Intelligence for BitLocker encryption.
  1. Select Custom Report and click Start.

3. Add Report Category

Add Report Category in Workspace ONE Intelligence when configuring BitLocker for Windows 10.
  1. Under Category, select Workspace ONE UEM, then select Devices.

4. Configure Report Details

Configure Report Details in Workspace ONE Intelligence for Windows 10 encryption.
  1. Enter a report name.
    • In this example, the report is called Windows Desktop Encryption Status.
  2. In the filters, select the following:
    • Enrollment Status - Equals - Enrolled.
    • This ensures that we are pulling in a report on currently enrolled devices.
  3. Click the plus icon + to add the following filters:
    • Platform - Includes - Windows Desktop
  4. Click Refresh Preview to see the latest data.
  5. Next, we will edit the fields displayed. Select the edit columns option.

5. Edit Workspace ONE Reports Columns

Editing Workspace ONE Intelligence Reports Columns when using BitLocker for Windows 10.
  1. Use the Search function to search for columns to add to the report.
  2. Expand the column categories to see all available columns.
  3. Select the column that you want to add.
  4. Click Add to add the column. This will appear on the right.
  5. Use the Remove buttons to remove columns from the report.
  6. Use the up and down arrows to change the column order.
  7. When you are satisfied with the arrangement of your report data, click Save.

Tip: In this example report, we use the following columns:

  • Enrollment Date
  • Last Seen
  • Ownership
  • Compliance Status
  • Encryption Status
  • bitlocker_encryption_method
  • Friendly Name
  • Username
  • First Name
  • Last Name
  • Email
  • OS Version
  • Device Name
  • Serial Number
  • Device Organization Group Name
  • Model

6. Review Report Data

Review Report Data in Workspace ONE Intelligence for Windows 10 BitLocker.
  1. Click Refresh Preview to see the preview of the current data.
  2. Review the report data and make any adjustments as necessary and ensure that you select Save.

Pro Tip: The field bitlocker_encryption_method comes from Workspace ONE Sensors. Ensure that Sensors are assigned to devices, so they can report back data.

7. Edit, Run, Schedule, or Download the Report

Edit, Run, Schedule, or Download the Windows 10 Device Encryption report.

You have now configured a report with data displaying Windows 10 Device Encryption details.

  1. Select Edit to make any changes.
  2. Click Run to run the report.
  3. Select View to view report downloads.
  4. Select Add Schedule to automate data collection and collaboration.

Troubleshooting BitLocker

Troubleshooting BitLocker

This section covers general troubleshooting information for BitLocker encryption.

1. BitLocker Drive Preparation Tool

The Workspace ONE Intelligent Hub for Windows automatically runs the BitLocker drive preparation tool to ensure that the partition requirements are met. You can run this command manually to test whether the partitions are compatible. From an elevated command prompt, enter the following command:

bdehdcfg.exe -driveinfo

To prepare the drive, run the following commands in an elevated command prompt:

  • bdehdcfg.exe -target c: shrink
  • bdehdcfg.exe -target c: merge
  • bdehdcfg.exe -target default

Note: If you manually run these commands, we recommend adding the -skiphardwaretest switch so that the system does not require a reboot.

2. Use a PowerShell Script to Convert the FAT32 System Partition to NTFS

If you have upgraded your Windows 7 systems to Windows 10 and kept them in legacy BIOS mode, the system partition might still be FAT32. You must convert the system partition from FAT32 to NTFS before BitLocker can activate.

Note: A FAT32 system partition works on Unified Extensible Firmware Interface (UEFI) systems; the conversion is only required in legacy BIOS mode.

To convert, run the following script in PowerShell:

# Write-Log is a helper from the tutorial's wrapper script and is not included on
# this page; fall back to console output so the script runs stand-alone.
if (-not (Get-Command Write-Log -ErrorAction SilentlyContinue)) {
    function Write-Log { param([string]$Message) Write-Host $Message }
}

# A volume labelled 'System' with no drive letter indicates a legacy BIOS layout.
if ($drive = (Get-WmiObject Win32_Volume -Filter "Label = 'System'"))
{
    Write-Log "Detected a SYSTEM partition...system still in legacy mode."

    # Find an available drive letter to temporarily mount the system partition
    if (!(Test-Path H:\)) {
        $driveletter = 'H'
    }
    elseif (!(Test-Path I:\)) {
        $driveletter = 'I'
    }
    elseif (!(Test-Path J:\)) {
        $driveletter = 'J'
    }
    elseif (!(Test-Path K:\)) {
        $driveletter = 'K'
    }
    elseif (!(Test-Path L:\)) {
        $driveletter = 'L'
    }
    else {
        Write-Log "No free drive letter between H: and L:; conversion not attempted."
        return
    }

    $newletter = ($driveletter + ":")
    $drive.DriveLetter = "$newletter"
    $drive.Put() | Out-Null   # assign the temporary drive letter

    Write-Log "Attempting to convert system partition to NTFS...reboot required for changes to take effect."
    # convert.exe prompts for the current volume label, so pipe the label in
    $drive.Label | convert.exe $newletter /FS:NTFS /X

    # Re-query the volume after conversion
    $drive = (Get-WmiObject Win32_Volume -Filter "Label = 'System'")
    Write-Log "Removing temporary drive letter"
    # Remove the drive letter so the partition does not show up in File Explorer
    Get-Volume -DriveLetter $driveletter | Get-Partition | Remove-PartitionAccessPath -AccessPath "$newletter\"

    $global:status = 3   # status code consumed by the tutorial's wrapper script
}

3. Check Trusted Platform Module (TPM) Health

To check the health of the TPM on a system, you can launch the TPM snap-in, tpm.msc.

Alternatively, run either of these PowerShell commands:

Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm

Get-Tpm

3.1. Open TPM.msc

Open TPM.msc
  1. On the Windows device, click in the search text box and enter TPM.msc.
  2. Select Run as administrator.

3.2. Confirm TPM Status

Confirm TPM Status
  1. Confirm that the TPM Status is Ready for Use.

3.3. Confirm TPM Status in PowerShell

Confirm TPM Status in PowerShell
  1. Open PowerShell as an administrator.
  2. Run the command Get-Tpm.
  3. Confirm the values of TpmPresent and TpmReady.

4. Export BitLocker Event Viewer Logs

To export the BitLocker event viewer logs, enter the following in an elevated PowerShell prompt:

Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 30 | Export-Csv C:\eventviewer.csv
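The TPM check in section 3 and the event-log export in section 4 can be combined into a single readiness report. The following PowerShell is an added example and not part of the tutorial; the function name, the output fields and the PEFirmwareType registry check are our own additions, and it assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 10.

```powershell
# Added example, not the tutorial's own code: one readiness report that combines
# the TPM, system-partition and event-log checks from this troubleshooting
# section. Run from an elevated PowerShell session on the Windows 10 device.
function Get-BitLockerReadiness {
    [CmdletBinding()]
    param(
        [string]$OsDrive    = $env:SystemDrive,   # usually C:
        [int]   $EventCount = 30                  # same count as the export in section 4
    )

    # Section 3: the TPM must be present and ready (what tpm.msc / Get-Tpm shows).
    $tpm = Get-Tpm

    # Section 2: on legacy BIOS systems the 'System' partition must be NTFS.
    # PEFirmwareType is 1 for legacy BIOS and 2 for UEFI (our own check, not the tutorial's).
    $fw     = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').PEFirmwareType
    $sysVol = Get-CimInstance Win32_Volume -Filter "Label = 'System'"
    $sysFs  = if ($sysVol) { $sysVol.FileSystem } else { 'none' }
    $partitionOk = -not ($fw -eq 1 -and $sysFs -eq 'FAT32')

    # Current BitLocker state of the OS drive.
    $blv = Get-BitLockerVolume -MountPoint $OsDrive

    # Section 4: recent BitLocker management events, errors and warnings only.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Level   = 1, 2, 3 } -MaxEvents $EventCount -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Firmware          = if ($fw -eq 2) { 'UEFI' } else { 'Legacy BIOS' }
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        SystemPartitionFs = $sysFs
        VolumeStatus      = $blv.VolumeStatus
        ProtectionStatus  = $blv.ProtectionStatus
        EncryptionMethod  = $blv.EncryptionMethod
        KeyProtectors     = ($blv.KeyProtector.KeyProtectorType -join ', ')
        RecentErrorCount  = $events.Count
        LastError         = if ($events) { $events[0].Message.Split("`n")[0] } else { $null }
        ReadyForBitLocker = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $partitionOk)
    }
}

Get-BitLockerReadiness | Format-List
```

A ReadyForBitLocker value of False together with SystemPartitionFs of FAT32 on a Legacy BIOS device points to the conversion in section 2; a TpmReady of False points to section 3.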

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure remote encryption for Windows 10 devices with Workspace ONE UEM. 

The exercises contained the steps on how to configure a BitLocker Encryption profile and verify that the profile applied. We also explored Workspace ONE UEM device compliance and remediation actions and creating reports, dashboards, and automated actions with Workspace ONE Intelligence.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:

Changelog

Date Description of Changes
2021-07-08
  • Added details on BitLocker To Go.
  • Added details about Bitlocker Suspend and Resume from Device > More Actions.
2021-04-08
  • Updated title of guide.
  • Removed McAfee migration section.
  • Updated BitLocker to include multiple hard drives.
  • Added BitLocker compliance with Workspace ONE UEM.
  • Added reporting with Workspace ONE Intelligence.
  • Updated screenshots and layout of guide.
2018-09-11
  • Initial publication

About the Author and Contributors

This tutorial was written by:

  • Darren Weatherly, Senior Architect, End-User-Computing Technical Marketing, VMware.
  • Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware.

With significant contribution from:

  • Pim van de Vis, Senior Solutions Architect, End-User-Computing, VMware.
  • Adarsh Kesari, Consulting Architect, End-User-Computing, VMware.
  • Saurabh Jhunjhunwala, Sr. Consultant, End-User-Computing, VMware.

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
