This Library Item is available for Windows devices
The BitLocker Library Item lets you configure and enforce BitLocker encryption settings on Windows devices. BitLocker provides full-disk encryption to protect data at rest, ensuring that sensitive information can’t be accessed if a device is lost or stolen. Some configuration options require a Microsoft Entra ID–joined device. Settings are divided into General, System (OS) drives, Fixed (internal) drives, and Removable (external) drives.
For more details on BitLocker configuration and requirements, see Microsoft’s BitLocker documentation.

Create a BitLocker Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Navigate to Library
   Navigate to the Library and select Add Library Item.
2. Select BitLocker
   Search for and select BitLocker.
3. Name the Library Item
   Give the Library Item a Name.
4. Assign to Blueprints
   Assign it to one or more Blueprints.

Settings

General

  • Require BitLocker encryption: Enforces encryption on the device.
  • Prompt user to enable BitLocker: When enabled, users see a prompt to turn on BitLocker.
    • Requires an Entra ID–joined device.
  • Configure identification fields: Allows you to define identification metadata for BitLocker.

System (OS) Drives

  • System drive encryption type: Defines the encryption method used by BitLocker.
  • Allow BitLocker without a compatible TPM: If enabled, requires a startup password or USB drive for authentication on systems without a TPM.
  • Startup authentication policy: Controls whether BitLocker requires additional authentication (e.g., PIN, USB key) at startup.
  • Permit enhanced PINs: Allows enhanced PINs with uppercase, lowercase, numbers, symbols, and spaces.
  • Allow standard users to change BitLocker volume PINs: Lets standard users (users without administrator rights on the device) change BitLocker PINs if they know the existing PIN.
  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Exempts compliant devices from requiring pre-boot authentication.
  • Required minimum PIN length: Sets the minimum TPM startup PIN length (4–20 digits, default is 6).
  • Configure system drive recovery options: Determines how recovery information is handled when startup keys are missing.
  • Customize recovery screen: Optionally customize the recovery message or URL displayed during recovery.

Fixed (Internal) Drives

  • Require BitLocker for write access to fixed (internal) drives: When enabled, fixed drives without BitLocker protection are mounted as read-only.
  • Configure fixed (internal) drive recovery options: Defines recovery behavior when credentials are unavailable.

Removable (External) Drives

  • Allow users to apply BitLocker protection on removable drives: Permits users to run the BitLocker setup wizard for removable drives.
  • Allow users to suspend and decrypt BitLocker on removable data drives: Lets users pause or remove BitLocker protection for maintenance.
  • Require BitLocker for write access to removable (external) drives: When enabled, removable drives without BitLocker are mounted as read-only.

Considerations

  • Enabling strict policies (such as requiring TPM or write access restrictions) may block users from accessing drives until BitLocker is properly enabled.
  • Use recovery configuration options to ensure that you can regain access if users forget PINs or lose recovery keys.
  • Testing in a small pilot group before broad deployment is recommended.

Recovery Key Storage

Recovery keys can be stored in different locations depending on the device’s configuration and join state:
  • Active Directory or Entra ID: When recovery keys are backed up to Active Directory or Entra ID, administrators can retrieve them and assist users who are locked out. This requires that the device be domain-joined (for AD) or Entra-joined. Using a centralized directory service is strongly recommended for enterprise environments so that administrators can provide recovery assistance.
  • Personal Microsoft account: Recovery keys can also be backed up to a personal Microsoft account (such as Outlook.com or Hotmail). In this case, only the end user can access the recovery key; administrators cannot retrieve it.
  • USB drive: Keys saved to USB can be used by the end user to recover their own device, but administrators cannot access these keys centrally.
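The directory escrow described above can be verified or repaired from the device itself. The following script is an added example, not code from Iru or Microsoft: it assumes a Windows 10/11 device with the built-in BitLocker PowerShell module, an elevated session, and that dsregcmd reports the join state; it adds a numeric recovery password protector where none exists and backs it up to Entra ID and/or Active Directory according to the device's join state.

```powershell
# Added example (not part of the Iru documentation). Escrow a BitLocker recovery
# password for every protected volume to Entra ID and/or Active Directory.
# Assumes: Windows 10/11, BitLocker module present, elevated session.

# dsregcmd /status prints "AzureAdJoined : YES" / "DomainJoined : YES" lines.
$status      = dsregcmd /status
$entraJoined = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$adJoined    = [bool]($status | Select-String '^\s*DomainJoined\s*:\s*YES')

if (-not ($entraJoined -or $adJoined)) {
    Write-Warning 'Device is neither Entra ID-joined nor domain-joined; keys cannot be escrowed centrally.'
}

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    $mp = $vol.MountPoint

    # A numeric recovery password is the protector an administrator can read back
    # from the directory and hand to a locked-out user.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Write-Output "$mp has no recovery password protector; adding one"
        $updated = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp = @($updated.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($p in $rp) {
        if ($entraJoined) {
            # Requires an Entra ID-joined device; the key appears under the device object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
            Write-Output "$mp protector $($p.KeyProtectorId) backed up to Entra ID"
        }
        if ($adJoined) {
            # Requires a domain-joined device and AD schema/policy that permits backup.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
            Write-Output "$mp protector $($p.KeyProtectorId) backed up to Active Directory"
        }
    }
}
```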

Best Practices

1. Plan your deployment
   Test BitLocker policies on a small group of devices before rolling out to your entire fleet.
2. Configure recovery options
   Set up appropriate recovery key storage options based on your organization’s needs and security requirements.
3. Document policies
   Clearly document BitLocker policies and recovery procedures for your IT team and end users.
4. Monitor compliance
   Regularly check that devices are properly encrypted and compliant with your BitLocker policies.
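One way to perform the compliance check in the last step on the device side is an audit script that evaluates each volume against the settings described in this article (encryption in progress or off, encryption method, TPM availability, TPM/PIN startup protector, presence of a recovery password). The script below is an added example, not Iru's or Microsoft's code; the expected encryption method and the PIN requirement are assumptions to be aligned with the Library Item, and it assumes an elevated session on Windows 10/11.

```powershell
# Added example (not part of the Iru documentation). Audit BitLocker volumes against
# the policy dimensions described above and emit one compliance record per volume.
$ExpectedMethod = 'XtsAes256'   # assumed; align with "System drive encryption type"
$RequirePin     = $true         # assumed; align with the startup authentication policy

$tpm = Get-Tpm                  # TpmPresent/TpmReady cover "Allow BitLocker without a compatible TPM"
$report = foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $isOs     = $vol.VolumeType -eq 'OperatingSystem'
    $findings = [System.Collections.Generic.List[string]]::new()

    # "Encryption process still in progress" is a troubleshooting case, not a failure.
    if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        $findings.Add("encryption in progress ($($vol.EncryptionPercentage)%)")
    } elseif ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("protection is $($vol.ProtectionStatus)")
    }
    if ($vol.ProtectionStatus -eq 'On' -and "$($vol.EncryptionMethod)" -ne $ExpectedMethod) {
        $findings.Add("method $($vol.EncryptionMethod) differs from $ExpectedMethod")
    }
    # Without a recovery password protector, nothing can be escrowed for admin-assisted recovery.
    if ('RecoveryPassword' -notin $types) { $findings.Add('no recovery password protector') }

    if ($isOs) {
        if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM absent or not ready') }
        # TpmPin / TpmPinStartupKey indicate pre-boot PIN; any Tpm* type indicates TPM binding.
        if ($RequirePin -and -not ($types -match '^TpmPin')) { $findings.Add('no TPM+PIN protector') }
        elseif (-not ($types -match '^Tpm')) { $findings.Add('no TPM-bound protector') }
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = $vol.VolumeType
        Protection = $vol.ProtectionStatus
        Method     = $vol.EncryptionMethod
        Protectors = ($types -join ',')
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize
# A non-zero exit code lets an MDM or RMM script step mark the device as non-compliant.
exit [int](@($report | Where-Object { -not $_.Compliant }).Count -gt 0)
```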

Troubleshooting

Possible causes:
  • Device not Entra ID–joined (for some features)
  • TPM not available or not enabled
  • Insufficient disk space
Solutions:
  • Verify device join status
  • Check TPM availability in Device Manager
  • Ensure adequate free disk space
Possible causes:
  • Recovery key not backed up to directory service
  • User account issues
  • Network connectivity problems
Solutions:
  • Verify recovery key backup configuration
  • Check user account status
  • Ensure network connectivity for directory services
Possible causes:
  • Encryption process still in progress
  • Hardware limitations
  • Software conflicts
Solutions:
  • Wait for encryption to complete
  • Check device hardware specifications
  • Review installed software for conflicts
For recovery key management, refer to Microsoft’s BitLocker recovery guide.