Enable BitLocker encryption on a Windows 10 device

Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Standard and Plus; Cloud Identity Premium.  Compare your edition

As an administrator, you can configure encryption for Microsoft Windows 10 devices that are enrolled in Windows device management. BitLocker encryption for Windows devices gives you granular control of drive encryption settings on a device. The most common settings to configure are:

  • Drive encryption
  • Additional startup authentication
  • Pre-boot recovery options
  • Fixed drives encryption
  • Fixed drives recovery options
  • Removable drives encryption

Note: Some settings require other higher-level settings to be enabled first.

Configure drive encryption for Windows 10 devices

Before you begin: Devices must be enrolled in Windows device management for these settings to apply. Learn more

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Mobile & endpoints, then Settings, then Windows settings.
  4. Click BitLocker settings.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Under Drive encryption, select Enabled from the list of items.
  7. Configure the options:
    Drive encryption
    • Encryption option for system drives–Select the encryption method and the cipher strength of the key for operating system drives.
    • Additional startup authentication–Select whether BitLocker requires additional authentication each time the computer starts and specify if you’re using a Trusted Platform Module (TPM). When enabled, you can set the following:
      • Allow BitLocker without a compatible TPM–Check the box to let BitLocker protect the operating system drive on devices that have no compatible TPM. On such devices, startup then requires either a password or a startup key on a USB flash drive instead of the TPM.
      • Configure TPM startup without a PIN or key–You can require TPM as startup authentication instead of a PIN or key.
      • TPM startup PIN–You can require a 6-digit to 20-digit PIN to be entered before startup. You can also configure the minimum PIN length.
      • TPM startup key–You can require users to authenticate with a TPM startup key to access a drive. A startup key is a USB flash drive that holds key material needed to unlock the drive at boot. When this USB drive is inserted into the device, the drive is unlocked and becomes accessible.
      • TPM startup key and PIN–You can require both a startup key and a PIN.
    • Pre-boot recovery options–Enable to set the recovery message or customize the URL provided on the pre-boot key recovery screen when the operating system drive is locked.
    • System drives recovery options–Enable to set options for users to recover data from operating system drives protected by BitLocker. When enabled, you can set the following:
      • Allow data recovery agent–Data recovery agents are individuals whose public key infrastructure (PKI) certificates are used to create a BitLocker key protector. When allowed, these individuals can use their PKI credentials to unlock drives protected by BitLocker.
      • Specify 48-digit recovery password–Select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
      • 256-bit recovery key–Select whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
      • Hide recovery options from BitLocker setup wizard–Check the box to prevent users from specifying recovery options when they turn on BitLocker.
      • Save BitLocker recovery information to Active Directory Domain Services–When checked, you can choose which BitLocker recovery information to store in Active Directory. You can select either the Backup recovery password and key package or the Backup recovery password only. When enabled, you can set the following:
        • Don't enable BitLocker until recovery information is stored in Active Directory–Check the box to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to Active Directory succeeds.
    Fixed drives encryption
    • Fixed drives encryption–Enable to require that fixed drives are encrypted before write access is granted. When enabled, you can set the following:
      • Encryption for fixed drives–Select the encryption method and key cipher strength for fixed drives.
      • Fixed drives recovery options–Enable to set options for users to recover data from fixed drives protected by BitLocker. When enabled, you can set the following:
        • Allow data recovery agent–Data recovery agents are individuals whose public key infrastructure (PKI) certificates are used to create a BitLocker key protector. When allowed, these individuals can use their PKI credentials to unlock drives protected by BitLocker.
        • 48-digit recovery password–Select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
        • 256-bit recovery key–Select whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
        • Hide recovery options from BitLocker setup wizard–Check the box to prevent users from specifying recovery options when they turn on BitLocker.
        • Save BitLocker recovery information to Active Directory Domain Services–When checked, you can choose which BitLocker recovery information to store in Active Directory. You can select either the Backup recovery password and key package or the Backup recovery password only. When enabled, you can set the following:
          • Don't enable BitLocker until recovery information is stored in Active Directory–Check the box to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to Active Directory succeeds.
    Removable drive encryption
    • Removable drives encryption–Enable to require all removable drives to be encrypted before write access is given. When enabled, you can set the following:
      • Encryption for removable drives–Select the encryption algorithm and key cipher strength for removable drives. Use AES-CBC 128-bit or AES-CBC 256-bit if the drive is also used in devices not running Windows 10, version 1511 or later, because those versions cannot read XTS-AES volumes.
      • Deny write access to devices configured in another organization–When checked, only drives with identification fields matching the computer's identification fields are granted write access. These fields are defined by your organization’s group policy.
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Note: Changes may take up to 24 hours to propagate to all users.
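The Admin console only pushes the policy; it is worth confirming on a managed device that the policy actually landed and that each volume's state matches it. The following PowerShell script is an added example, not part of the Google help page or any Google tooling. It reads the registry location where Windows stores BitLocker policy settings (HKLM:\SOFTWARE\Policies\Microsoft\FVE, the same values Group Policy and MDM write), then inspects the volumes with Get-BitLockerVolume and the TPM with Get-Tpm. The expected policy in $Expected (XTS-AES 256 on the operating system drive, TPM plus PIN startup authentication, a required 48-digit recovery password) is an assumption for this example; change it to match what you selected under Drive encryption.

```powershell
# Added example (not from the Google help page): verify on an enrolled Windows 10
# device that the BitLocker policy set in the Admin console has been applied and
# that each volume's state matches it. Run from an elevated PowerShell prompt.
#
# Assumption (mine, not the page's): the expected policy below is XTS-AES 256 on
# the OS drive, TPM+PIN startup authentication, and a required 48-digit recovery
# password. Adjust $Expected to match the options you chose.

#Requires -RunAsAdministrator

# Registry location where Windows stores BitLocker group-policy / MDM settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# EncryptionMethodWithXts* codes: 3 = AES-CBC 128, 4 = AES-CBC 256,
# 6 = XTS-AES 128, 7 = XTS-AES 256. For the Use*/OSRecovery* values:
# 0 = do not allow, 1 = require, 2 = allow.
$Expected = @{
    EncryptionMethodWithXtsOs = 7   # OS drive: XTS-AES 256
    UseAdvancedStartup        = 1   # "Additional startup authentication" enabled
    EnableBDEWithNoTPM        = 0   # do not allow BitLocker without a TPM
    UseTPMPIN                 = 1   # TPM startup PIN required
    OSRecovery                = 1   # system drive recovery options enabled
    OSRecoveryPassword        = 1   # 48-digit recovery password required
}

function Test-BitLockerPolicy {
    # Compare the policy values on disk with what the Admin console should have pushed.
    $findings = @()
    if (-not (Test-Path $PolicyKey)) {
        return @("Policy key $PolicyKey missing: no BitLocker policy has reached this device yet")
    }
    $actual = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            $findings += "$name not set (expected $($Expected[$name]))"
        } elseif ($value -ne $Expected[$name]) {
            $findings += "$name is $value (expected $($Expected[$name]))"
        }
    }
    return $findings
}

function Test-BitLockerState {
    # Check the TPM and the actual protectors/ciphers on each BitLocker volume.
    $findings = @()
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings += "TPM not present or not ready: TPM-based startup protectors cannot be used"
    }
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tag = "$($vol.MountPoint) [$($vol.VolumeType)]"
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$tag protection is $($vol.ProtectionStatus) (volume status $($vol.VolumeStatus))"
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($vol.EncryptionMethod -ne 'XtsAes256') {
                $findings += "$tag uses $($vol.EncryptionMethod), expected XtsAes256"
            }
            if ($types -notcontains 'TpmPin') {
                $findings += "$tag has no TPM+PIN protector (protectors: $($types -join ', '))"
            }
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$tag has no 48-digit recovery password protector"
        }
    }
    return $findings
}

$all = @(Test-BitLockerPolicy) + @(Test-BitLockerState)
if ($all.Count -eq 0) {
    Write-Host 'BitLocker policy and volume state match the expected configuration'
} else {
    $all | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Two caveats when reading the output. A device that was encrypted before the policy arrived keeps its existing cipher and protectors, so an OS drive showing AES-CBC or a plain Tpm protector is not a sign that the policy failed to apply; it shows that the volume was never re-encrypted. And a missing RecoveryPassword protector on a drive that is already protected means the user has no recovery path if the TPM or PIN fails, which is the first thing to fix before any recovery-backup option can do its job.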

What happens if you switch drive encryption back to "Not configured"

If you select Not configured for Drive encryption, the BitLocker policy you set in the Admin console is no longer enforced. On user devices, the policy reverts to the setting it had before. If the user encrypted the device, no changes are made to the device or data on the device.

Disable drive encryption for Windows 10 devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Mobile & endpoints, then Settings, then Windows settings.
  4. Click BitLocker settings.
  5. To disable drive encryption for only some users, select their organizational unit from the list on the left. Otherwise, the change applies to everyone.
  6. Under Drive encryption, select Disabled from the list of items.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
