Configuration profile settings
Operating system drives
To use BitLocker on the operating system drive, select the checkbox. The operating system drive is not encrypted until this option is enabled. If you subsequently clear it, BitLocker is not disabled on drives that are already encrypted.
You can also choose from several encryption methods and strengths provided by Microsoft. The encryption mode specifies how much of the drive to encrypt: either the entire drive (default) or only the used space. With used space only, BitLocker continues to encrypt new files as they are added. Note that full encryption takes longer.
If BitLocker is enabled on the operating system drive, a hardware test may be required. This means restarting the Client, for example to check that the key protectors can be applied to the system. The following options set the criteria for this possible reboot:
| Option | Description |
| --- | --- |
| Do not restart, but inform the logged-in user that a restart is required | This option is pre-selected when you enable the hardware test. A dialogue box on the Client informs the logged-in user that a reboot is required. |
| Do not restart and do not inform the logged-in user that a restart is required | The hardware test is only performed when the Client is next restarted, so encryption only starts after the next reboot. The user is not notified. |
| Restart the computer if required | Select this option only if the Client is not being actively used, for example when the computer has just been rolled out and BitLocker is enabled on the operating system drive shortly afterwards. If you select this option while the Client is in use, data may be lost because the Client is restarted immediately and automatically. |
Key protector for operating system drive
When you enable BitLocker, two key protectors are created automatically on the operating system drive: the TPM (Trusted Platform Module) and the recovery password. In addition, you can use a system start PIN as a further security mechanism.
Within the configuration, you can select a backup method for the recovery information (No backup, Backup to Active Directory, or Backup to Azure Active Directory). If you select Backup to Active Directory or Backup to Azure Active Directory, your Domain Controller must have the BitLocker feature installed for the backup to work. Otherwise, the backup may not contain the recovery information.
You can configure the minimum length and the character set of the system start PIN. The default minimum length is 4 characters; the maximum length you can set is 20 characters. For the character set, you can choose between Alphanumeric and Numeric. Note that the Alphanumeric option uses digits as well as upper and lower case letters.
The PIN can either be generated automatically during activation or entered by the logged-in user. If the PIN is generated by ACMP, it can be viewed in the Client Details. If you subsequently activate or deactivate the PIN, existing encryptions are changed according to the settings applied on the Client.
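The following PowerShell script is an added example and not part of ACMP or its documentation. It audits a client's operating system drive against the settings described above (encryption method and mode, the automatically created TPM and recovery password protectors, the optional system start PIN and its minimum length, and the backup of the recovery password to Active Directory). It assumes Windows 10/11 with the built-in BitLocker module and administrative rights; the values in `$Expected` are assumptions that you adapt to your own configuration profile.

```powershell
# Added example (not ACMP's own code): audit the operating-system drive against the
# BitLocker settings of a configuration profile. Assumes Windows 10/11 with the
# BitLocker PowerShell module and administrative rights.
#Requires -RunAsAdministrator

$Expected = @{
    EncryptionMethod = 'XtsAes256'   # assumption: the method and strength chosen in the profile
    RequirePin       = $true         # assumption: system start PIN enabled in the profile
    MinimumPinLength = 4             # profile default (maximum 20)
    BackupToAd       = $true         # assumption: 'Backup to Active Directory' selected
}

$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
if (-not $os) { throw 'No operating system volume reported by BitLocker.' }

$findings = New-Object System.Collections.Generic.List[string]

# 1. Encryption state, protection state and method
if ($os.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("OS drive is '$($os.VolumeStatus)': encryption is still running or never started.")
}
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add('Protection is off or suspended: key protectors are not being enforced.')
}
if ($os.EncryptionMethod -ne $Expected.EncryptionMethod) {
    $findings.Add("Encryption method is $($os.EncryptionMethod), expected $($Expected.EncryptionMethod).")
}

# 2. Encryption mode (entire drive versus used space only) as reported by manage-bde
$conversion = (manage-bde -status $os.MountPoint | Select-String 'Conversion Status').Line.Trim()
"Mode reported by manage-bde: $conversion"

# 3. Key protectors: a TPM-based protector (Tpm or TpmPin) and a recovery password
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if (-not (($types -contains 'Tpm') -or ($types -contains 'TpmPin'))) {
    $findings.Add('No TPM-based key protector found.')
}
if ($types -notcontains 'RecoveryPassword') {
    $findings.Add('No recovery password protector found.')
}
if ($Expected.RequirePin -and ($types -notcontains 'TpmPin')) {
    $findings.Add('The profile requires a system start PIN but no TpmPin protector is present.')
}

# 4. Minimum PIN length policy (MinimumPIN under the BitLocker policy key)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$minPin = (Get-ItemProperty -Path $fve -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
if ($null -ne $minPin -and $minPin -lt $Expected.MinimumPinLength) {
    $findings.Add("MinimumPIN policy is $minPin, below the profile minimum of $($Expected.MinimumPinLength).")
}

# 5. Back up every recovery password protector to Active Directory
if ($Expected.BackupToAd) {
    $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
        try {
            Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $_.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            $findings.Add("Could not back up recovery password $($_.KeyProtectorId) to AD: $($_.Exception.Message)")
        }
    }
}

if ($findings.Count -eq 0) { 'OS drive is compliant with the expected profile.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The backup step in section 5 fails on a Domain Controller that is not prepared for BitLocker recovery information, which is the situation the text warns about; the resulting finding tells you that the recovery password exists on the client but has not been stored centrally.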
Fixed data drives
Select the checkbox to enable BitLocker on fixed data drives. A fixed data drive is one that is permanently installed in the device and cannot be swapped out. Next, select which fixed data drives to encrypt: all drives or selected drives. Either all fixed data drives detected on the Client are encrypted, or only those you select manually.
As with the operating system drive, you can select the encryption method, strength and mode for the fixed data drives. These settings determine how the fixed data drives are encrypted.
Key protector for fixed data drives
A recovery password is automatically set and used for the hard disk key protectors. Optionally, you can use a password as an additional security mechanism. Select the Use password checkbox and specify the length of the password (the minimum length is 8 characters). The password can either be generated automatically during activation or entered by the logged-in user. If you want ACMP to generate the password, it can be viewed in the Client Details. If you subsequently activate or deactivate the password, it will be changed for existing encryptions according to the settings made on the Client.
You can select the Enable auto-unlock of drives option if you do not want to enter the password again after booting the system. In this case, the unlocking of the hard drives will be automatic and no further authentication will be required.
Removable data drives
For removable data drives, you can specify whether to deny write access to removable data drives that are not protected by BitLocker.
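The following PowerShell script is an added example and not part of ACMP or its documentation. It complements the operating-system drive audit with the fixed and removable data drive settings described in the two preceding sections: the recovery password that is always created for fixed data drives, the optional password protector, the auto-unlock state, and the policy that denies write access to removable drives not protected by BitLocker. It assumes Windows 10/11 with the built-in BitLocker module and administrative rights; the values in `$Expected` are assumptions that you adapt to your own configuration profile.

```powershell
# Added example (not ACMP's own code): audit fixed data drives and the removable-drive
# write-access policy. Assumes Windows 10/11 with the BitLocker PowerShell module and
# administrative rights.
#Requires -RunAsAdministrator

$Expected = @{
    RequirePassword              = $true   # assumption: 'Use password' selected in the profile
    AllowAutoUnlock              = $true   # assumption: 'Enable auto-unlock of drives' selected
    DenyUnprotectedRemovableWrite = $true  # assumption: write access to unprotected removable drives denied
}

$findings = New-Object System.Collections.Generic.List[string]

# BitLocker reports both fixed and removable data drives as VolumeType 'Data', so the
# Win32_Volume DriveType is used to tell them apart (3 = fixed local disk, 2 = removable).
$volumes      = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
$fixedLetters = $volumes | Where-Object { $_.DriveType -eq 3 } | ForEach-Object { $_.DriveLetter }

$fixed = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' -and $fixedLetters -contains $_.MountPoint }
foreach ($vol in $fixed) {
    $mp    = $vol.MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$mp is '$($vol.VolumeStatus)'.")
    }
    # A recovery password is always set for fixed data drives
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("$mp has no recovery password protector.")
    }
    # The optional password protector (minimum length 8 in the profile)
    if ($Expected.RequirePassword -and ($types -notcontains 'Password')) {
        $findings.Add("$mp has no password protector although the profile requires one.")
    }
    # Auto-unlock: the drive is unlocked by the operating system drive without further authentication
    if ($vol.AutoUnlockEnabled -and -not $Expected.AllowAutoUnlock) {
        $findings.Add("$mp has auto-unlock enabled but the profile does not allow it.")
    }
    if (-not $vol.AutoUnlockEnabled -and $Expected.AllowAutoUnlock) {
        $findings.Add("$mp does not have auto-unlock enabled although the profile selects it.")
    }
}

# Removable drives: the 'deny write access' setting is the RDVDenyWriteAccess policy value
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$deny = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
if ($Expected.DenyUnprotectedRemovableWrite -and $deny -ne 1) {
    $findings.Add('RDVDenyWriteAccess is not 1: removable drives without BitLocker remain writable.')
}

# Report removable drives that are attached right now without active BitLocker protection
foreach ($rv in $volumes | Where-Object { $_.DriveType -eq 2 }) {
    $bl = Get-BitLockerVolume -MountPoint $rv.DriveLetter -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
        $findings.Add("Removable drive $($rv.DriveLetter) is attached without active BitLocker protection.")
    }
}

if ($findings.Count -eq 0) { 'Data drives are compliant with the expected profile.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a client after the configuration profile has been applied; the auto-unlock checks report in both directions so that a drive that silently lost its auto-unlock key, and one that was never meant to auto-unlock, both show up as findings.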