Enabling BitLocker Encryption to Remote Windows 10 Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE 2102 and later

Overview

Introduction

This tutorial helps you to configure remote encryption for Windows 10 devices with VMware Workspace ONE® UEM (unified endpoint management).

In these exercises, we will configure a BitLocker Encryption profile and verify that the profile has been applied to devices.

We will also explore Workspace ONE UEM device compliance and remediation actions, and creating reports, dashboards, and automated actions with VMware Workspace ONE® Intelligence.

The steps are sequential and build upon one another. Ensure that you complete the steps in order.

What Is BitLocker Encryption

Consumer Simple Encryption

When it comes to BitLocker encryption for Windows 10 devices, the security by design approach provides the best user experience. Security by design implements device encryption in a way that feels like a non-disruptive, natural part of the device experience.

Enterprise Secure Devices

Create a BitLocker encryption profile to keep Windows 10 device data enterprise secure. After the profile is configured, Workspace ONE Intelligent Hub automatically enforces encryption settings as part of the device’s general security posture. Use the Workspace ONE UEM compliance engine to ensure devices remain compliant.

For more information, see Microsoft Docs: BitLocker Overview.

Solving Current Device-Encryption Challenges

Two security principles that are top of mind when dealing with device encryption are least privilege and separation of duties.

Workspace ONE UEM leverages role-based access controls (RBAC) for admins, allowing you to grant access to view recovery keys only to the admins who require access. 

In addition to RBAC, Workspace ONE UEM logs each action of viewing a recovery key by each admin to the console event logs, which can also be sent to your preferred Syslog provider. This allows for InfoSec to audit admin access to recovery keys to prevent rogue admins from capturing all recovery keys, for example.

Workspace ONE UEM BitLocker encryption also helps in the following ways:

Current Device Encryption Challenges                     Workspace ONE UEM BitLocker Encryption
Additional license costs with third-party tools          Eliminate third-party license cost
Another third-party agent for encryption                 Single agent for all advanced management capabilities
Inability to enforce encryption locally on the device    Local enforcement for off-network & off-domain devices
No separation of duties for admins                       Granular, role-based access controls
Complex management via GPOs/scripts                      Simple profile with comprehensive controls
Recovery key management                                  Auto escrowing of recovery keys
High help desk costs for end-user recovery               Self-service portal key retrieval

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, Windows Updates, and directory services. 

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Workspace ONE UEM Documentation and VMware Docs: Encryption Profile (Windows Desktop).

Workspace ONE Requirements

Ensure that you have the following Workspace ONE components installed and configured:

  • A Workspace ONE UEM tenant with admin access to:
    • Enroll a Windows 10 device into the Workspace ONE UEM environment.
    • Configure and deploy a BitLocker policy.
    • Workspace ONE self-service portal URL for retrieval of the recovery keys.
  • Workspace ONE Intelligence with admin access to:
    • Configure reports, dashboards, and automations.  

For more details about BitLocker profiles, see VMware Docs: Windows Desktop Encryption Profile.

Windows 10 Device Requirements

On the Windows 10 device, check that you have the following components installed and configured:

  • Windows Pro, Enterprise, or Education device - enrolled in Workspace ONE UEM. 
  • Disk with two partitions minimum.
  • 350 MB boot partition with the appropriate format:
    • NTFS Mode — Use if booting in legacy BIOS mode.
    • FAT32 Mode — Use if booting in UEFI mode.
  • TPM version 1.2 or later.
    • Workspace ONE can provide encryption for devices without TPM. The best practice is to use devices with TPM.
  • Meet Windows system requirements for BitLocker.
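As an added example (not part of this tutorial), the following PowerShell function checks the device requirements listed above from an elevated PowerShell prompt on the Windows 10 device: supported edition, a separate system partition of at least 350 MB formatted to match the firmware mode (NTFS for legacy BIOS, FAT32 for UEFI), at least two partitions on the OS disk, and a present, ready TPM. It assumes the in-box Storage and TrustedPlatformModule modules; the function name Test-BitLockerPrerequisites is my own.

```powershell
# Added example (not from the tutorial): pre-flight check of the Windows 10 device
# requirements for a Workspace ONE UEM BitLocker profile. Run as administrator.
# Assumes the in-box Storage and TrustedPlatformModule PowerShell modules.

function Test-BitLockerPrerequisites {
    $results = [ordered]@{}

    # 1. Edition: BitLocker is available on Pro, Enterprise and Education (not Home).
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $results['Edition']          = $edition
    $results['EditionSupported'] = ($edition -match 'Pro|Enterprise|Education')

    # 2. Firmware mode decides which system-partition format is expected:
    #    legacy BIOS -> NTFS system partition, UEFI -> FAT32 EFI system partition.
    $firmware = $env:firmware_type            # "UEFI" or "Legacy"
    $results['FirmwareType'] = $firmware

    # 3. Separate system (boot) partition, at least 350 MB, formatted for the firmware mode.
    $sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    if ($sysPart) {
        $sysVol = $sysPart | Get-Volume -ErrorAction SilentlyContinue
        $fs     = "$($sysVol.FileSystemType)"
        $results['SystemPartitionMB'] = [math]::Round($sysPart.Size / 1MB)
        $results['SystemPartitionFS'] = $fs
        $formatOk = if ($firmware -eq 'UEFI') { $fs -eq 'FAT32' } else { $fs -eq 'NTFS' }
        $results['SystemPartitionOk'] = ($sysPart.Size -ge 350MB) -and $formatOk
    } else {
        # No separate system partition: bdehdcfg.exe (see Troubleshooting) can create one.
        $results['SystemPartitionOk'] = $false
    }

    # 4. Two partitions minimum on the disk that holds the OS volume.
    $osLetter = $env:SystemDrive.TrimEnd(':')
    $osDisk   = (Get-Partition -DriveLetter $osLetter).DiskNumber
    $results['PartitionCount']  = @(Get-Partition -DiskNumber $osDisk).Count
    $results['TwoPartitionsOk'] = $results['PartitionCount'] -ge 2

    # 5. TPM present and ready, and its spec version (1.2 or later is required).
    #    Devices without a TPM only encrypt if the profile enables "Use Password if TPM Not Present".
    $tpm = Get-Tpm
    $results['TpmPresent']     = $tpm.TpmPresent
    $results['TpmReady']       = $tpm.TpmReady
    $results['TpmSpecVersion'] = (Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    [pscustomobject]$results
}

Test-BitLockerPrerequisites | Format-List
```

Any row that reports $false points at the requirement to fix before assigning the profile; the system-partition fixes are covered in the Troubleshooting section of this tutorial.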

For additional assistance and information, see:

Enabling BitLocker Encryption with Workspace ONE UEM

Configuring BitLocker Encryption in Workspace ONE UEM

Profiles allow you to modify how the enrolled devices behave. This section helps you configure and deploy BitLocker encryption using a profile, and verify that the profile has been applied to the device.

Configuring BitLocker Encryption in Workspace ONE UEM consists of the following tasks:

  1. Add Windows 10 Device Profile.
  2. Select the Windows Platform.
  3. Configure Profile General Settings.
  4. Configure BitLocker Encryption Settings.
  5. Configure BitLocker Authentication Settings.
  6. Configure BitLocker Static Recovery Key Settings.
  7. Configure BitLocker Suspend.
  8. Review BitLocker Profile in Workspace ONE UEM.

1. Add Windows 10 Device Profile

Add Windows 10 device profile when configuring BitLocker for Windows 10.
  1. In the Workspace ONE UEM console, select Add.
  2. Select Profile.

2. Select the Windows Platform

Select the Windows platform and the Windows Desktop device type in the Workspace ONE UEM console when configuring BitLocker for Windows 10.
  1. Select the Windows platform.
  2. For the Device Type, select Windows Desktop.
  3. Select the Context of the profile to Device.

3. Configure Profile General Settings

Define General Settings when configuring Windows 10 BitLocker.
  1. Select General if it is not already selected.
  2. Enter a profile name in the Name text box, for example, BitLocker Encryption.
  3. Click in the Assigned Groups text box.
    • This will pop up the list of created Assignment Groups. Select the Assignment Group you want to deploy the profile to.
  4. Select the Encryption payload and click Configure.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

4. Configure BitLocker Encryption Settings

Configure BitLocker Encryption Settings in the Workspace ONE UEM console.
  1. Select OS Drive and All Fixed Hard Drives from the Encrypted Volume drop-down menu.
    • Choosing this option encrypts the entire hard disk on the device, including the System Partition where the OS is installed and any additional drives.
  2. Leave Encryption Method set to System Default.
    • When you select another encryption method such as XTS AES 128 bit from the Encryption Method drop-down menu, another option will appear.
    • Use the option Default to the System Encryption Method as a fail-safe for devices that do not support the selected encryption method.
    • For example, selecting this setting ensures that Windows 10 1507 and below devices—which do not support XTS encryption—will still get encrypted.
  3. Enable Only Encrypt Used Space During Initial Encryption to reduce the time required for encryption.

    Important: The drive’s unused space remains unencrypted, potentially placing confidential data at risk.

  4. Enter the Self-Service Portal URL, https://[Your Device Services Host Name]/MyDevice, in the Custom URL for the Recovery text box.
    • This URL displays on the lock screen and directs end users to their recovery key.

      Tip: URL shorteners and URL redirections can be used to help users remember the URL.
      For example, https://staff.company.com/mydevice (redirecting to the Workspace ONE UEM Self-Service Portal URL).

5. Configure BitLocker Authentication Settings

Configure BitLocker Authentication Settings for BitLocker encryption in the Workspace ONE admin console.
  1. Using the scroll bar on the right, scroll down to the BitLocker Authentication Settings section.
  2. Select TPM as the Authentication Mode to use the device’s Trusted Platform Module to authenticate.
  3. Select Require PIN at startup. 
    • This option locks out the OS start up and auto-resume from suspend or hibernate until the user enters the correct PIN.
  4. Specify the Pin Length to match organizational complexity requirements. For example, enter 4.
  5. Select Use Password if TPM Not Present to use a password as a fallback if TPM is unavailable.
    • If deselected, devices that do not have TPM do not encrypt.
  6. Configure Minimum Password Length to match organizational complexity requirements.
    • For example, enter 8. Settings apply to the Password Authentication Mode, and the setting Use Password if TPM Not Available.

6. Configure BitLocker Static Recovery Key Settings

Configure BitLocker Static Recovery Key Settings in the Workspace ONE admin console.
  1. Using the scroll bar on the right, scroll down to the BitLocker Static Recovery Key Settings section.
  2. Select Create Static BitLocker Recovery Key to create a shared key for a group of devices. This simplifies key recovery for IT personnel who use the shared key to unlock devices.
  3. Click the arrow icon to generate a static recovery key.
  4. Enter 28 or any value greater than 0 into the Rotation Period text box to create a rotation schedule. Enter 0 to opt out of the rotation schedule.
  5. Enter 7 into the Grace Period text box to specify the number of days after rotation that the previous recovery key still works.

7. Configure BitLocker Suspend

  1. Using the scroll bar on the right, scroll down to the BitLocker Suspend section.
  2. Select Enable BitLocker Suspend.
    • This suspends BitLocker encryption during maintenance periods and allows devices to reboot without end-user interaction.
    • This setting is particularly important for kiosk or shared devices or updating device drivers or some windows updates.
  3. Select Schedule from the Suspend BitLocker Type drop-down menu. This suspends BitLocker during a specific time period that repeats daily or weekly.
  4. Enter the suspend start and end time.
    • BitLocker Suspend Start Time: set to 11:00 PM.
    • BitLocker Suspend End Time: set to 6:00 AM.
  5. Select Daily from the Scheduled Repeat Type drop-down menu.
  6. Click Save & Publish, review the devices assigned, and select Publish.

8. Review BitLocker Profile in Workspace ONE UEM

Review BitLocker for Windows 10 profile in the Workspace ONE UEM admin console.
  1. In the Workspace ONE UEM Console, navigate to Resources then Profiles and Baselines, then Profiles.
  2. Search for the BitLocker Encryption Profile. The BitLocker Encryption Profile now appears in the Device Profiles list view.

Verifying BitLocker Encryption Settings

Now that you have configured and deployed BitLocker encryption using a profile, verify that the profile has been applied to the device.

Confirming BitLocker Encryption consists of the following tasks:

  1. Verify Encryption Status in the Workspace ONE UEM Console.
  2. Confirm Encryption in Windows 10 Device Settings.
  3. Confirm Encryption in Elevated Command Prompt (Optional).

On your Windows 10 device, follow the steps to confirm that the encryption settings have applied.

1. Verify Encryption Status in the Workspace ONE UEM Console

There are a few different locations in the Workspace ONE UEM console where you can view the device's encryption details. Let's explore these.

Important:

The Workspace ONE UEM console displays device encryption details specific to BitLocker and not any third-party anti-virus encryption (for example, McAfee).

For details on how to get third-party anti-virus encryption details, we recommend using Workspace ONE Sensors.

1.1. Navigate to Device Details Tab

Encryption Status for Windows 10 BitLocker in the Workspace ONE UEM Device Details tab.

Select a device in the Workspace ONE UEM console and ensure that you are in the Devices Details view.

  1. Navigate to the device Summary tab.
  2. Review BitLocker Status details in the Security section.

1.2. Navigate to Device Security Tab

Check Windows 10 BitLocker Encryption Status in Workspace ONE UEM Device Security Tab.
  1. Navigate to the Security tab. Select it from the drop-down list if necessary.
  2. Review BitLocker Encryption details and statuses.

2. Confirm BitLocker Encryption in Windows 10 Device Settings

Encryption can also be confirmed on the device itself. The following steps detail how to confirm BitLocker encryption on the device.

2.1. Open BitLocker

Confirm BitLocker encryption status in the BitLocker app.
  1. In the Windows search bar, enter BitLocker.  
  2. Select Manage BitLocker.

2.2. Verify that BitLocker Encryption is Enabled

Verify that BitLocker Encryption is enabled.
  1. Confirm that BitLocker Encryption is on or is still currently encrypting.

3. Confirm Encryption in Elevated Command Prompt (Optional)

Confirm BitLocker encryption in an elevated command prompt (optional).
  1. In the Windows Search bar, enter Command Prompt.
  2. Select Run As Administrator.
  3. For a more detailed view, enter manage-bde -status.
  4. Review the encryption details of each hard drive.
  5. Review the properties of each status, for example Encryption Method and Percentage Encrypted.

Working with BitLocker Encryption Policy for Multiple Hard Drives

When you are working with a BitLocker encryption policy for multiple hard drives, the encryption method must be the same for all hard drives.

For example:

  ✅ Supported:     C: drive using XTS 256 bit & D: drive using XTS 256 bit
  ❌ NOT Supported: C: drive using XTS 128 bit & D: drive using XTS 256 bit

After you have completed Confirming Encryption in Windows 10 Device Settings, perform the following:

Note: BitLocker authentication policies and suspension policies apply to the device, not for each individual drive. 

If you set the TPM for BitLocker authentication, it will be used for all encrypted drives.
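As an added example (not part of this tutorial), the following PowerShell script reads the same per-drive details that manage-bde -status shows, through the BitLocker module's Get-BitLockerVolume cmdlet, and checks the multi-drive rule above: it lists each fixed drive's protection status, encryption method, percentage encrypted and key protectors, and flags any encrypted drive whose method differs from the OS drive's. Run it from an elevated PowerShell prompt on the enrolled device; the function names are my own.

```powershell
# Added example (not from the tutorial): report BitLocker status per fixed drive and
# confirm every encrypted drive uses the same encryption method, as the Workspace ONE UEM
# multi-drive policy requires. Requires the in-box BitLocker module and an elevated prompt.

Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerDriveReport {
    $osDrive  = $env:SystemDrive                                     # e.g. "C:"
    # VolumeType Data also covers removable drives; the policy only concerns fixed drives.
    $volumes  = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem','Data' }
    $osMethod = ($volumes | Where-Object { $_.MountPoint -eq $osDrive }).EncryptionMethod

    foreach ($v in $volumes) {
        [pscustomobject]@{
            Drive            = $v.MountPoint
            VolumeType       = $v.VolumeType
            ProtectionStatus = $v.ProtectionStatus     # On / Off (Off while suspended, too)
            VolumeStatus     = $v.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            EncryptionMethod = $v.EncryptionMethod     # e.g. XtsAes256; None when not encrypted
            PercentEncrypted = $v.EncryptionPercentage
            Protectors       = (@($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
            MatchesOsDrive   = ("$($v.EncryptionMethod)" -eq "$osMethod")
        }
    }
}

function Test-BitLockerMethodConsistency {
    # $true when all drives that BitLocker has been applied to share one encryption method.
    $encrypted = Get-BitLockerDriveReport | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    $methods   = @($encrypted | ForEach-Object { "$($_.EncryptionMethod)" } | Sort-Object -Unique)
    return ($methods.Count -le 1)
}

Get-BitLockerDriveReport | Format-Table -AutoSize

if (Test-BitLockerMethodConsistency) {
    Write-Host 'OK: all encrypted drives use the same encryption method.'
} else {
    Write-Warning 'Encrypted drives use different encryption methods; the UEM policy expects one method for all drives.'
}
```

A drive that shows VolumeStatus FullyEncrypted with ProtectionStatus Off is suspended, which is the state the compliance policy later in this tutorial can detect.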

1. Review BitLocker Policy

Review BitLocker Encryption Policy in Workspace ONE UEM.
  1. Review the BitLocker policy and ensure the Encrypted Volume is set to OS Drive and All Fixed Hard drives.

2. Review Multiple Hard Drives

Review Windows 10 BitLocker Encryption status and recovery keys in the Workspace ONE UEM Device Security tab.
  1. Navigate to the Security tab. You might need to select it from the drop-down list.
  2. Review BitLocker Encryption details and statuses for all hard drives.
  3. Toggle between the drive letters to see the recovery keys. In this example, we have two additional fixed drives.
  4. Review the Personal Recovery Key and the Static Recovery Key.

Note: The Static Recovery Key will remain the same for all encrypted drives.

Understanding BitLocker Suspend and Resume

You can configure BitLocker encryption to temporarily Suspend and Resume during a specific time, repeating daily or weekly. 

For example, suppose you need to install new software that BitLocker might otherwise block. In that case, you can suspend BitLocker, then resume BitLocker protection on the drive again when you have completed the action during the suspension times.

Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, the suspension makes the key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted.

While suspended, BitLocker does not validate system integrity at start-up. You might suspend BitLocker protection for firmware upgrades or system updates.

For more information, see Microsoft Docs: BitLocker Suspend.

For configuration options, Review Configure BitLocker Suspend and Resume.

Understanding BitLocker Recovery Keys

Understanding Recovery Keys

BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. 

Workspace ONE UEM leverages role-based access controls (RBAC) for admins, allowing you to grant access to view recovery keys only to the admins who require access.  

End users can log in to the Self-Service Portal to retrieve their BitLocker recovery key. Role-based access controls (RBAC) are available for the Self-Service Portal to turn this feature off.

There are many different scenarios where a machine may prompt a user for the Recovery Key on reboot. These are well documented in the Microsoft Docs: BitLocker recovery guide.

Important: Ensure that you read What causes BitLocker recovery in the Microsoft Docs: BitLocker recovery guide. Having a Recovery Key process plan is critical for users to get back into their Windows devices.

Review BitLocker recovery keys for multiple hard drives in the Workspace ONE UEM Console.
  1. Toggle between the drive letters to see the Recovery keys. In this example, we have additional fixed drives.
  2. Review the Personal Recovery Key and the Static Recovery Key.

Access Recovery Key in the Self-Service Portal

Accessing BitLocker recovery keys in the Self-Service Portal.
  1. Navigate to the Self-Service Portal URL and log in.
    • For example, your Self-Service URL will be https://[Your Device Services Host Name]/MyDevice
  2. Click Go To Details.
  3. Expand the More tab.
  4. Select Security.
  5. Navigate to Encryption to find the recovery key.

Enter the Recovery Key

 Entering the BitLocker Recovery Key at the Windows prompt.
  1. Enter the BitLocker Recovery key.
  2. In the policy, we set up a self-service URL; the Self Service URL appears here.

For testing purposes, to force a drive into recovery, open Windows PowerShell as an administrator and enter the following command, replacing C: with the drive letter:

manage-bde -forcerecovery C:

Configuring Compliance Policy for Device Encryption

Configuring Device Compliance for BitLocker Encryption

The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by your policies. These policies can include basic security settings such as device encryption status. The Workspace ONE compliance engine detects whether or not encryption is enabled on the device. Windows supports all third-party encryption solutions, therefore Workspace ONE can set a compliance policy around encryption, even if the device has been encrypted using a third-party encryption tool.

When devices are determined to be out of compliance, the compliance engine warns users to address compliance errors to prevent disciplinary action on the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.

You can automate escalations when corrections are not made, for example, locking down the device, marking the device as noncompliant to trigger Zero-Trust access policies with Workspace ONE Access, and notifying the user of any remediation steps. These escalation steps, disciplinary actions, grace periods, and messages are all customizable with the Workspace ONE UEM console.

For more information on Workspace ONE compliance policies, see VMware Docs: Compliance Policies.

1. Add Compliance Policy

Add Compliance Policy in Workspace ONE UEM for Windows 10 BitLocker.
  1. In the Workspace ONE UEM console, select Add.
  2. Select Compliance Policy.

2. Select the Windows Platform

Select the Windows platform and the Windows Desktop device type in Workspace ONE UEM when configuring compliance for Windows 10 BitLocker.
  1. Select the Windows platform.
  2. For the Device Type, select Windows Desktop.

3. Add Compliance Policy Rule

Add a Compliance Policy Rule in Workspace ONE UEM when configuring BitLocker for Windows 10.
  1. Select the Rules tab.
  2. Select Encryption as the compliance flag.
  3. Change the Rule to Is.
  4. Select compliance value.
    • Drop-down values include Not Applied to System Drive, Not Applied to Some Drives or Suspended.
  5. For BitLocker Status of Not Applied to Some Drives or Suspended, the Workspace ONE Intelligent Hub 2101 or later is required.
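To make the three compliance values above concrete, here is an added example (not part of this tutorial and not the Intelligent Hub's own logic) that classifies a device's BitLocker state from Get-BitLockerVolume output into Not Applied to System Drive, Not Applied to Some Drives, Suspended, or Compliant. The function name and the constructed sample objects are my own.

```powershell
# Added example (not from the tutorial): classify a device's BitLocker state into the
# Encryption compliance values offered by the rule (plus Compliant). Requires the in-box
# BitLocker module and an elevated prompt for the live check.

function Get-BitLockerComplianceState {
    param(
        # Objects with MountPoint, VolumeType, VolumeStatus and ProtectionStatus,
        # as returned by Get-BitLockerVolume (or constructed for testing).
        [Parameter(Mandatory)] [object[]] $Volumes,
        [string] $SystemDrive = $env:SystemDrive
    )

    $fixed = $Volumes | Where-Object { $_.VolumeType -in 'OperatingSystem','Data' }
    $os    = $fixed   | Where-Object { $_.MountPoint -eq $SystemDrive }

    # "Applied" means BitLocker has been turned on: the volume is not fully decrypted
    # (encryption in progress still counts as applied).
    $notApplied = $fixed | Where-Object { "$($_.VolumeStatus)" -eq 'FullyDecrypted' }

    if (-not $os -or ($notApplied | Where-Object { $_.MountPoint -eq $SystemDrive })) {
        return 'Not Applied to System Drive'
    }
    if ($notApplied) {
        return 'Not Applied to Some Drives'
    }
    # Encrypted but protection off means the key protectors are disabled: suspended.
    if ($fixed | Where-Object { "$($_.ProtectionStatus)" -eq 'Off' }) {
        return 'Suspended'
    }
    return 'Compliant'
}

# Live evaluation on this device
Import-Module BitLocker -ErrorAction Stop
$state = Get-BitLockerComplianceState -Volumes (Get-BitLockerVolume)
Write-Host "Encryption compliance state: $state"

# Constructed sample (not real device data): OS drive encrypted but suspended, data drive protected.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off' },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data';            VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'  }
)
Write-Host "Sample state: $(Get-BitLockerComplianceState -Volumes $sample -SystemDrive 'C:')"
```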

4. Add Compliance Policy Action

Add Compliance Policy Action in Workspace ONE UEM when configuring BitLocker encryption.

Define the consequences of noncompliance within your policy by completing the Actions tab.

  1. Select the Actions tab.
  2. Select Command as an Action.
  3. Select Request Device Check In as the Command.
    • This ensures that the device has checked into the Workspace ONE UEM console with the latest information. You can re-evaluate the compliance Rule in the Compliance tab of the device details.
  4. Select Notify as an Action.
  5. Select Send Email to User.
    • This sends a compliance email to the end user with remediation actions they can take.
    • You can select the default template, or customize the compliance templates based on the compliance rule.
  6. Select Profile as an Action.
  7. Select from the following:
    • Install Compliance Profile - Install a compliance profile.
    • Block Remove Profile - Block or remove a specific profile - For example, Certificates.
    • Block Remove ALL Profiles - Remove all Profiles from the device until the device is compliant.
  8. At any escalation step, you can mark the device as non-compliant. This will trigger any conditional access policies you may have set within Workspace ONE Access.
  9. Click Next.

Tip: The Mark as Not Compliant check box is enabled (selected) by default for each newly added Action.

Tip: If one action has the Mark as Not Compliant option enabled, then all subsequent actions and escalations are also marked as not compliant. These subsequent check boxes cannot be edited.

5. Assign the Compliance Policy

Assign the Compliance policy in Workspace ONE UEM for Windows 10 BitLocker.
  1. Ensure that you are on the Assignment tab.
  2. Select a Smart Group to apply the device compliance policy to.
  3. Click View Device Assignment to see the devices.

6. View Device Policy Assignment

View Device Policy Assignment in Workspace ONE UEM for Windows 10 BitLocker.
  1. Selecting View Device Assignment allows you to review the devices assigned to the compliance policy.

7. Activate the Compliance Policy

Activate the Compliance Policy in Workspace ONE UEM for Windows 10 encryption.
  1. Ensure that you are on the Summary tab.
  2. Enter a Name for the Compliance Policy.
    • For example, Encryption.
  3. Enter a description for the Compliance Policy.
    • For example, Encryption. You might also want to specify in the description how a similar Encryption Compliance Policy will differ.
  4. Review the Device Summary.
    • This displays how many devices in total have been assigned the Compliance Policy. This also displays how many devices are currently Compliant and how many are Non-Compliant.
    • Use this information before you activate compliance policies. If your remediation action might cause calls to the help desk, you can apply the compliance policy in stages - or maybe extend the Escalated Actions to 7 days instead of 1 day, for example.
  5. Click Finish and Activate.
    • This activates the policy and compliance actions are sent to the devices.

8. Review Compliance Policy

Review Compliance Policy for Windows 10 encryption in Workspace ONE UEM.

Navigate to Devices > Compliance Policies > List View.

  1. Ensure that the Encryption policy is active and review the Compliant status.

Automating Reports for Device Encryption

Creating Reports for Windows 10 Encryption

Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire end-user computing environment. 

In this exercise, you will use Workspace ONE Intelligence to generate a report displaying the Windows Device Encryption Details.

Before you begin, ensure that Workspace ONE Intelligence is set up and configured ready to generate the report.

For more information on this initial setup, see Getting Started with Workspace ONE Intelligence Reports and Dashboards: Workspace ONE Operational Tutorial.

1. Create Reports with Workspace ONE Intelligence

Create Workspace ONE Intelligence Reports for Windows 10 BitLocker.

Navigate to the Workspace ONE Intelligence console.

  1. Select the Reports tab.
  2. Click Add.

2. Add Report

Add Report in Workspace ONE Intelligence for BitLocker encryption.
  1. Select Custom Report and click Start.

3. Add Report Category

 Add Report Category in Workspace ONE Intelligence when configuring BitLocker for Windows 10.
  1. Under Category, select Workspace ONE UEM, then select Devices.

4. Configure Report Details

 Configure Report Details in Workspace ONE Intelligence for Windows 10 encryption.
  1. Enter a report name.
    • In this example, the report is called Windows Desktop Encryption Status.
  2. In the filters, select the following:
    • Enrollment Status - Equals - Enrolled.
    • This ensures that we are pulling in a report on currently enrolled devices.
  3. Click the plus icon + to add the following filters:
    • Platform - Includes - Windows Desktop
  4. Click Refresh Preview to see the latest data.
  5. Next, we will edit the fields displayed. Select the edit columns option.

5. Edit Workspace ONE Reports Columns

 Editing Workspace ONE Intelligence Reports Columns when using BitLocker for Windows 10.
  1. Use the Search function to search for columns to add to the report.
  2. Expand the column categories to see all available columns.
  3. Select the column that you want to add.
  4. Click Add to add the column. This will appear on the right.
  5. Use the Remove buttons to remove columns from the report.
  6. Use the up and down arrows to change the column order.
  7. When you are satisfied with the arrangement of your report data, click Save.

Tip: In this example report, we use the following columns:

  • Enrollment Date
  • Last Seen
  • Ownership
  • Compliance Status
  • Encryption Status
  • bitlocker_encryption_method
  • Friendly Name
  • Username
  • First Name
  • Last Name
  • Email
  • OS Version
  • Device Name
  • Serial Number
  • Device Organization Group Name
  • Model

6. Review Report Data

 Review Report Data in Workspace ONE Intelligence for Windows 10 BitLocker.
  1. Click Refresh Preview to see the preview of the current data.
  2. Review the report data and make any adjustments as necessary and ensure that you select Save.

Pro Tip: The field bitlocker_encryption_method comes from Workspace ONE Sensors. Ensure that Sensors are assigned to devices, so they can report back data.

7. Edit, Run, Schedule, or Download the Report

 Edit, Run, Schedule or download the Windows 10 Device Encryption report.

You have now configured a report with data displaying Windows 10 Device Encryption details.

  1. Select Edit to make any changes.
  2. Click Run to run the report.
  3. Select View to view report downloads.
  4. Select Add Schedule to automate data collection and collaboration.

Troubleshooting BitLocker

Troubleshooting BitLocker

This section covers general troubleshooting information for BitLocker encryption.

1. BitLocker Drive Preparation Tool

The Workspace ONE Intelligent Hub for Windows automatically runs the BitLocker drive preparation tool to ensure that the partition requirements are met. You can run this command manually to test if there are compatible partitions. From an elevated command prompt, enter the following command:
bdehdcfg.exe -driveinfo

To prepare the drive, run the following commands in an elevated command prompt:

  • bdehdcfg.exe -target c: shrink
  • bdehdcfg.exe -target c: merge
  • bdehdcfg.exe -target default

Note: If you manually run these commands, we recommend adding the -skiphardwaretest switch so that the system does not require a reboot.

2. Use PowerShell Script to Convert FAT32 to NTFS System Partition

If you have upgraded your Windows 7 systems to Windows 10 and kept them in legacy BIOS mode, the system partition might still be FAT32. You must convert from FAT32 to NTFS for BitLocker to activate. 

Note: FAT32 system partition works on Unified Extensible Firmware Interface (UEFI) systems. 

To convert, run the following script in PowerShell:

 # Write-Log is not a built-in cmdlet; a minimal definition is supplied here so the script runs stand-alone.
 function Write-Log { param([string]$Message) Write-Output "$(Get-Date -Format s) $Message" }

 if ($drive = (gwmi win32_volume -Filter "Label = 'System'"))
 {
     Write-Log "Detected a SYSTEM partition...system still in legacy mode."

     # Find an available drive letter (H through L) to mount the system partition temporarily
     $driveletter = $null
     foreach ($letter in 'H','I','J','K','L')
     {
         if (!(Test-Path "${letter}:\")) { $driveletter = $letter; break }
     }
     if (!$driveletter)
     {
         Write-Log "No free drive letter found in H-L; aborting conversion."
         return
     }

     $newletter = ($driveletter + ":")
     $drive.DriveLetter = "$newletter"
     $drive.Put() # assigning the drive letter
     Write-Log "Attempting to convert system partition to NTFS...reboot required for changes to take effect."
     # convert.exe asks for the current volume label before converting; piping the label answers that prompt
     $drive.Label | convert.exe $newletter /FS:NTFS /X
     $drive = (gwmi win32_volume -Filter "Label = 'System'")
     Write-Log "Removing temporary drive letter"
     # Remove the drive letter so the partition doesn't show up in File Explorer
     Get-Volume -DriveLetter $driveletter | Get-Partition | Remove-PartitionAccessPath -AccessPath "$newletter\"
     $global:status = 3
 }

3. Check Trusted Platform Module (TPM) Health

To check the health of the TPM on a system, you can launch the TPM snap-in, tpm.msc.

Alternatively, run one of these PowerShell commands:

Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm

Get-Tpm

3.1. Open TPM.msc

Open TPM.msc
  1. On the Windows device, click in the search text box and enter TPM.msc.
  2. Select Run as administrator.

3.2. Confirm TPM Status

Confirm TPM Status
  1. Confirm that the TPM Status is Ready for Use.

3.3. Confirm TPM Status in PowerShell

Confirm TPM Status in PowerShell
  1. Open PowerShell as an administrator.
  2. Run the command get-tpm.
  3. Confirm values for TPMPresent and TPMReady Status.

4. Export BitLocker Event Viewer Logs

To export the BitLocker event viewer logs (the 30 most recent events) to a CSV file, enter the following in an elevated PowerShell prompt:

Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 30 | Export-Csv C:\eventviewer.csv -NoTypeInformation

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure remote encryption for Windows 10 devices with Workspace ONE UEM. 

The exercises contained the steps on how to configure a BitLocker Encryption profile and verify that the profile applied. We also explored Workspace ONE UEM device compliance and remediation actions and creating reports, dashboards, and automated actions with Workspace ONE Intelligence.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management Activity Path

The content in this section helps you establish a basic understanding of Windows 10 management in the following categories:

Changelog

Date        Description of Changes
2021-04-08  • Updated title of guide.
            • Removed McAfee migration section.
            • Updated BitLocker to include multiple hard drives.
            • Added BitLocker compliance with Workspace ONE UEM.
            • Added reporting with Workspace ONE Intelligence.
            • Updated screenshots and layout of guide.
2018-09-11  • Initial publication.

About the Author and Contributors

This tutorial was written by:

  • Darren Weatherly, Senior Architect, End-User-Computing Technical Marketing, VMware.
  • Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware.

With significant contribution from:

  • Adarsh Kesari, Consulting Architect, End-User-Computing, VMware.
  • Saurabh Jhunjhunwala, Consultant, End-User-Computing, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
