Windows 10 Enterprise includes a disk encryption feature called BitLocker, which provides extra file and system protections against unauthorized access of a lost or stolen device. For more protection, you can use BitLocker with Trusted Platform Module (TPM) chips, version 1.2 or later. A TPM chip handles cryptographic operations and generates, stores, and limits the use of cryptographic keys.

Starting with Windows 10, build 1703, MDM policies can control BitLocker. You use the BitLocker device policy in XenMobile to configure the settings available in the BitLocker wizard on Windows 10 devices. For example, on a device with BitLocker enabled, BitLocker can prompt users for:

• How they want to unlock their drive at startup

• How to back up their recovery key

• How to unlock a fixed drive.

BitLocker device policy setting also configure whether to:

• Enable BitLocker on devices without a TPM chip.

• Show recovery options in the BitLocker interface.

• Deny write access to a fixed or removable drive when BitLocker isn't enabled.