Configuration profile settings
Operating system drives
If you want to use BitLocker on the operating system hard disk, you must enable the checkbox. The operating system hard disk will not be encrypted until this option is enabled. If you subsequently disable it, BitLocker will not be disabled on hard drives that are already encrypted.
You can also choose from several encryption methods and strengths provided by Microsoft. The encryption mode allows you to specify how much of the hard disk to encrypt: either the entire hard disks (default) or only the used space. If the space is used, BitLocker will continue to encrypt as new files are added. Note that full encryption takes longer.
If BitLocker is enabled on the operating system hard disk, it might be necessary to run a hardware test. This means restarting the client, for example, to check that the key protectors can be applied to the system. You can use the following options to set the criteria for a possible reboot:
Options | Description |
Do not restart, but inform the logged in user, that a restart is required: | This option is pre-selected when you enable hardware testing. In this case, a dialogue box informs the current Client that a reboot is required. |
Do not restart and do not inform the logged in user, that a restart is required: | The hardware test will only be performed when the Client is next restarted. This means that encryption will only start after the next reboot. The user will not be notified. |
Restart the computer if required: | You can select this option if the Client is not being actively used. This can be the case, for example, if the computer has just been rolled out and BitLocker is enabled on the operating system hard disk shortly afterwards. If you select this option while the Client is running, data may be lost as the Client is immediately and automatically restarted. |
Key protector for operating system drive
When you enable BitLocker, two key protectors are automatically created on the operating system drive: the TPM (Trusted Platform Module) and the recovery password. In addition, you can use a system start PIN to provide a continuous security mechanism.
You can configure the minimum length and character set of the system start PIN. The default is 4 characters, but you can set a maximum length of 20 characters. For the character set, you can choose between Alphanumeric or Numeric. Note that the Alphanumeric option uses both digits and upper and lower case letters.
The PIN can either be generated automatically during activation or entered by the logged-in user. If the PIN is to be generated by ACMP, it can be viewed in the Client Details. If you subsequently activate or deactivate the PIN, it will be changed for existing encryptions according to the settings made on the Client.
Fixed data drives
Select the checkbox to enable BitLocker on fixed data drives. A fixed data drive is one that is permanently installed and cannot be changed. Next, select which fixed data drives you want to encrypt: all or selected drives. Either all fixed data drives detected on your client will be encrypted, or only those you select manually.
As with the operating system disks, you can also select the encryption methods, strength and mode for the fixed data disks. This is where you specify how the fixed data drives are encrypted.
Key protector for fixed data drives
A recovery password is automatically set and used for the hard disk key protectors. Optionally, you can use a password as an additional security mechanism. Select the Use password checkbox and specify the length of the password (the minimum length is 8 characters). The password can either be generated automatically during activation or entered by the logged-in user. If you want ACMP to generate the password, it can be viewed in the Client Details. If you subsequently activate or deactivate the password, it will be changed for existing encryptions according to the settings made on the Client.
You can select the Enable auto-unlock of drives option if you do not want to enter the password again after booting the system. In this case, the unlocking of the hard drives will be automatic and no further authentication will be required.
Removable data drives
For removable data drives, you can specify whether to deny write access to removable data drives that are not protected by BitLocker.