Encryption Pre-Requisites


Encryption Pre-Requisites for BitLocker Management

Before you deploy a BitLocker encryption policy through Zecurit, it is important to verify that your devices and environment meet the necessary prerequisites. Attempting to apply BitLocker encryption to devices that do not meet these requirements may result in policy failures, incomplete encryption, or user-facing errors.

This page outlines the hardware, operating system, Active Directory, and Zecurit-specific requirements for successful BitLocker deployment.

Operating System Requirements

BitLocker drive encryption is available only on specific Windows editions. Devices must be running one of the following operating systems for BitLocker policies to apply:

- Windows 10 Pro, Enterprise, or Education (version 1703 or later recommended)
- Windows 11 Pro, Enterprise, or Education
- Windows Server 2016, 2019, or 2022 (for server-side encryption where applicable)

BitLocker is not available on Windows 10 or 11 Home editions. Devices running Windows Home will not receive or apply BitLocker policies from Zecurit. If your device fleet includes Home edition devices, those machines should be excluded from BitLocker policy assignments, or the OS should be upgraded before deployment.

TPM (Trusted Platform Module) Requirements

For the most secure and user-transparent BitLocker experience, devices should have a TPM chip enabled. Zecurit supports the following TPM configurations:

- TPM 1.2 — Supported for basic BitLocker encryption (TPM-only mode).
- TPM 2.0 — Recommended. Provides stronger cryptographic algorithms and broader authentication option support, including Enhanced PIN. Required for Windows 11.

To check whether a device has an active TPM, you or the user can open the Windows Run dialog, type tpm.msc, and view the TPM Management console. TPM must be enabled in the device’s BIOS/UEFI settings before BitLocker can use it.

Devices without a TPM chip can still be encrypted using Zecurit’s passphrase option. However, this requires the user to enter a passphrase at each startup, which is more disruptive than TPM-based automatic unlock.

Disk and Partition Requirements

The system drive must have at least two partitions for BitLocker to function correctly: a system partition (typically 500 MB or larger, unencrypted, used for boot) and the OS partition (the main C: drive that gets encrypted). Modern Windows installations create this partition structure by default during setup.

The OS drive must be formatted with NTFS. BitLocker cannot be applied to FAT32 or exFAT-formatted volumes.

The drive must have sufficient free space for BitLocker to create its metadata. At least 1.5 GB of free space on the OS drive is recommended.

Zecurit Agent Requirements

BitLocker policies are delivered and enforced through the Zecurit agent installed on each endpoint. Before applying a BitLocker policy, ensure the following:

- The Zecurit agent is installed and active on the target device.
- The agent is version 2.0 or later (check the Zecurit console under device details for the agent version).
- The device has successfully checked in with the Zecurit cloud within the last 24 hours.
- The device is assigned to a device group in Zecurit.

Active Directory Requirements (for Recovery Key Backup)

If you enable the “Update recovery key to domain controller” option in your BitLocker policy, the target devices must meet the following Active Directory requirements:

- The device must be joined to an Active Directory domain.
- The domain must have the schema extensions that support BitLocker key storage (these are included by default in Windows Server 2008 R2 and later).
- The Zecurit agent must have sufficient permissions to write recovery key information to the AD computer object associated with the device.
- The AD domain controller must be reachable from the device at the time of key backup.

If devices are not domain-joined or AD connectivity is unavailable, the recovery key backup fails silently on the device; Zecurit flags such devices in the Recovery Key status report. It is strongly recommended to verify AD connectivity in your test environment before rolling out the recovery key backup option fleet-wide.

User and Administrator Account Requirements

BitLocker encryption is configured and enforced at the system level through the Zecurit agent — end users do not need administrator rights for the encryption itself to apply. However, if your policy requires users to set a passphrase, they will be prompted to do so at their next login.

Zecurit administrators who create and publish BitLocker profiles must have the Configuration Manager or Administrator role in Zecurit. Read-only users cannot create or modify policies.

Pre-Deployment Checklist

Before deploying your first BitLocker policy, confirm the following:

- All target devices are running a supported Windows edition (Pro, Enterprise, or Education).
- TPM is enabled in BIOS/UEFI for TPM-dependent authentication modes.
- The Zecurit agent is installed, active, and up to date on all target devices.
- All devices are members of a configured device group in Zecurit.
- If using AD key backup, devices are domain-joined and AD connectivity is confirmed.
- You have tested the policy on a small pilot group before fleet-wide rollout.
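The following PowerShell script is an added example (not part of Zecurit's own tooling) that checks the device-side items of this page's checklist in one read-only pass: Windows edition, TPM presence and version, partition layout, NTFS and free space on the OS volume, domain membership, and the agent service. The agent service name is an assumption; replace it with the real one. Run it in an elevated PowerShell session on a candidate device.

```powershell
# Added example, not Zecurit's own tooling: read-only check of BitLocker prerequisites.
$ZecuritServiceName = 'ZecuritAgent'   # ASSUMPTION: placeholder, substitute the real service name

$results = [ordered]@{}

# 1. Windows edition: Home editions cannot run BitLocker; Pro/Enterprise/Education/Server can.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Supported Windows edition'] = ($os.Caption -match 'Pro|Enterprise|Education|Server') -and
                                        ($os.Caption -notmatch 'Home')

# 2. TPM present, enabled and ready. TPM 2.0 is recommended and required on Windows 11
#    (build 22000 and later).
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
$isWin11 = [int]$os.BuildNumber -ge 22000
$hasTpm2 = ($null -ne $tpmInfo) -and ($tpmInfo.SpecVersion -like '2.0*')
$results['TPM present and ready']       = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady
$results['TPM 2.0 (required on Win11)'] = $hasTpm2 -or (-not $isWin11)

# 3. Partition layout: a separate system/boot partition plus an NTFS OS volume
#    with at least 1.5 GB free for BitLocker metadata.
$sysLetter = $env:SystemDrive.TrimEnd(':')
$osVol     = Get-Volume -DriveLetter $sysLetter
$diskNum   = (Get-Partition -DriveLetter $sysLetter).DiskNumber
$sysParts  = Get-Partition -DiskNumber $diskNum |
             Where-Object { $_.Type -eq 'System' -or $_.IsActive }   # GPT 'System' or MBR active
$results['OS volume is NTFS']          = ($osVol.FileSystemType -eq 'NTFS')
$results['OS volume >= 1.5 GB free']   = ($osVol.SizeRemaining -ge 1.5GB)
$results['Separate system partition']  = (@($sysParts).Count -ge 1)

# 4. Domain membership (only needed when recovery keys are backed up to AD).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain joined (AD key backup)'] = [bool]$cs.PartOfDomain

# 5. Agent service present and running (name is the placeholder above).
$svc = Get-Service -Name $ZecuritServiceName -ErrorAction SilentlyContinue
$results['Zecurit agent service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# Print a PASS/FAIL table; any FAIL should be resolved before assigning the policy.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Agent version and last check-in time are not visible locally in a documented way, so confirm those in the Zecurit console as described above.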
