Configure an Encryption Profile (Windows Desktop)

Create an Encryption profile to secure your data on Windows Desktop devices using the native BitLocker encryption.

To create an Encryption profile:

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Desktop.
  3. Select Device Profile.
  4. Configure the profile General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the Encryption profile and configure the settings:

    Settings and descriptions:

    Encrypted Volume
      Use the drop-down menu to select the type of encryption as follows:
      • Complete Hard Disk – Encrypts the entire hard disk on the device, including the System Partition where the OS is installed.
      • System Partition – Encrypts the partition or drive where Windows is installed and from which it boots.

    Only encrypt used space during initial encryption
      Enable to limit the BitLocker encryption to only the used space on the drive at the time of encryption.

    Recovery Key URL
      Enter the URL to display on the lock screen directing end users to get the recovery key.
      Consider entering the Self Service Portal URL, as AirWatch hosts the recovery key there.

    BitLocker Authentication Settings

    Authentication Mode
      Select the method for authenticating access to a BitLocker encrypted device.
      • TPM — Uses the device's Trusted Platform Module. Requires a TPM on the device.
      • Password — Uses a password to authenticate.

    Enforce Encryption PIN on Login
      Select the check box to require users to enter a PIN to decrypt the device. This option locks out the OS start up and auto-resume from suspend or hibernate until the user enters the correct PIN.

    Use Password if TPM Not present
      Select the check box to use a password as a fallback to decrypt the device if the TPM is unavailable.
      If this setting is not enabled, any devices without a TPM do not encrypt.

    Minimum Password Length
      Select the minimum number of characters a password must be.
      Displays if the Authentication Mode is set to Password or if Use Password if TPM Not Available is enabled.

    BitLocker Static Recovery Key Settings

    Create Static BitLocker Password
      Select the check box if a static recovery key is enabled.

    BitLocker Recovery Password
      Select the Generate icon to generate a new recovery key.

    Rotation Period
      Enter the number of days until the recovery key rotates.

    Grace Period
      Enter the number of days after rotation that the previous recovery key still works.

    BitLocker Suspend

    Enable BitLocker Suspend
      Select the check box to enable BitLocker Suspension. This functionality suspends BitLocker encryption during a specified time period. Use this feature to suspend BitLocker when updates are scheduled so devices can reboot without requiring end users to enter the Encryption PIN or password.

    Suspend BitLocker Type
      Select the type of suspension.
      • Schedule — Select to enter the specific time period that BitLocker suspends. Then set the schedule repeat to daily or weekly.
      • Custom — Select to enter the day and time to begin and end BitLocker suspension.

    BitLocker Suspend Start Time
      Enter the time to start BitLocker suspension.

    BitLocker Suspend End Time
      Enter the time to end BitLocker suspension.

    Scheduled Repeat Type
      Set whether the scheduled suspension repeats daily or weekly. If you select weekly, select the days of the week to repeat the schedule.
  6. Select Save & Publish when you are finished to push the profile to devices.
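Publishing the profile tells the console what the device should look like; it does not prove the device got there. The script below is an added example, not part of the AirWatch documentation or product, that an administrator can run in an elevated PowerShell session on a target device to compare the BitLocker state the OS reports against the choices made in the profile. It uses only the built-in `Get-BitLockerVolume` and `Get-Tpm` cmdlets; the `$Expected` values are assumptions that mirror the settings described above and should be edited to match the profile actually published.

```powershell
# Added example: check that a device's BitLocker state matches an Encryption profile.
# Requires the BitLocker and TrustedPlatformModule cmdlets (Windows 8 / Server 2012 and later)
# and an elevated session. The values in $Expected are assumptions mirroring the profile settings.
$Expected = @{
    OsVolumeOnly      = $true   # 'System Partition' ($false for 'Complete Hard Disk')
    RequirePin        = $true   # 'Enforce Encryption PIN on Login'
    AllowPasswordOnly = $true   # 'Use Password if TPM Not present'
}

function Test-BitLockerProfileCompliance {
    param([hashtable]$Expected)

    $findings = [System.Collections.Generic.List[string]]::new()
    $tpm      = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    # Which volumes the profile is supposed to have encrypted
    $volumes = Get-BitLockerVolume
    $targets = if ($Expected.OsVolumeOnly) {
        $volumes | Where-Object VolumeType -eq 'OperatingSystem'
    } else {
        $volumes | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    }

    foreach ($vol in $targets) {
        $mp = $vol.MountPoint
        if ($vol.ProtectionStatus -ne 'On') {
            # A device without a TPM and without the password fallback never encrypts at all.
            # ProtectionStatus 'Off' with VolumeStatus 'FullyEncrypted' means BitLocker is suspended,
            # which is expected only inside the profile's suspension window.
            if (-not $tpmReady -and -not $Expected.AllowPasswordOnly) {
                $findings.Add("${mp}: no usable TPM and password fallback is disabled, so the volume is unprotected")
            } else {
                $findings.Add("${mp}: protection is $($vol.ProtectionStatus) (VolumeStatus $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted)")
            }
            continue
        }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Without a RecoveryPassword protector there is nothing for the recovery URL to hand out.
        if ('RecoveryPassword' -notin $types) {
            $findings.Add("${mp}: no RecoveryPassword protector; recovery through the portal is not possible")
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # PIN on login shows up as a TpmPin (or TpmPinStartupKey) protector on the OS volume.
            if ($Expected.RequirePin -and 'TpmPin' -notin $types -and 'TpmPinStartupKey' -notin $types) {
                $findings.Add("${mp}: PIN on login is required but the protectors are [$($types -join ', ')]")
            }
            # A password protector on an OS volume with a working TPM means the fallback was applied unexpectedly.
            if ($tpmReady -and 'Password' -in $types) {
                $findings.Add("${mp}: TPM is ready but the OS volume relies on a password protector")
            }
        }
    }

    [pscustomobject]@{
        TpmReady  = $tpmReady
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-BitLockerProfileCompliance -Expected $Expected | Format-List
```

Run it once after the profile reports as installed, and again during a scheduled suspension window: in that window the OS volume reports `ProtectionStatus` Off while `VolumeStatus` stays FullyEncrypted, which is the same state `Suspend-BitLocker -MountPoint C: -RebootCount 1` produces manually, and `Resume-BitLocker` returns it to On. The script cannot tell a used-space-only encryption from a full one, since both end as FullyEncrypted; keep in mind that used-space-only encryption leaves whatever was previously deleted from the free space readable, so it is best suited to drives that were new or wiped when the profile arrived.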