


Full Disk Encryption on Microsoft Surface devices

This section describes how to troubleshoot Full Disk Encryption on Microsoft Surface devices.

Full Disk Encryption is a GravityZone feature designed to keep your sensitive data safe by providing central management of Windows BitLocker and of macOS FileVault and diskutil.


When Full Disk Encryption is enabled on Microsoft Surface devices, users may be repeatedly prompted to enter a PIN to start the encryption process. In this case, the PIN is not saved and the drives are not encrypted.


To address this issue, you have to enable BitLocker authentication for devices that lack keyboards in the preboot environment (such as tablets), in the Group Policy settings:

  1. Open the Search box and run gpedit.msc. The Local Group Policy Editor window opens.

  2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  3. Click to edit the setting Enable use of BitLocker authentication requiring preboot keyboard input on slates.

  4. Select Enabled, click Apply, then click OK.
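
To confirm that the setting took effect and that the operating system drive is now being protected, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the Bitdefender documentation. It assumes the policy is stored as the DWORD value OSEnablePrebootInputProtectorsOnSlates under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the "preboot keyboard input on slates" policy and the
# BitLocker state of the operating system drive.
# Assumption: the Group Policy setting is stored as the DWORD value
# OSEnablePrebootInputProtectorsOnSlates (1 = Enabled) under the FVE policy key.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName    = 'OSEnablePrebootInputProtectorsOnSlates'

function Get-SlatePrebootPolicyState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' (key or value missing).
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-OsVolumeSummary {
    # Summarizes encryption progress and key protectors of the system drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptedPercent = $vol.EncryptionPercentage
        KeyProtectors    = $protectorTypes -join ', '
        # TpmPin and TpmPinStartupKey both indicate that a PIN was saved.
        HasPinProtector  = [bool]($protectorTypes -like '*Pin*')
    }
}

$policy  = Get-SlatePrebootPolicyState
$summary = Get-OsVolumeSummary

Write-Output "Slate preboot input policy: $policy"
$summary | Format-List

if ($policy -ne 'Enabled') {
    Write-Warning 'Policy is not enabled; PIN prompts on keyboardless devices may keep repeating.'
}
elseif (-not $summary.HasPinProtector) {
    Write-Warning 'Policy is enabled but no PIN protector exists yet; the PIN has not been saved.'
}
elseif ($summary.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning 'A PIN protector exists but encryption has not started.'
}
else {
    Write-Output 'Policy enabled, PIN protector present, encryption started or complete.'
}
```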

Additional information about Full Disk Encryption in GravityZone is available here.

Allow full disk access to Bitdefender Endpoint Security Tools in macOS Mojave (10.14) and later

Starting with macOS Mojave (10.14), Apple has introduced certain privacy protections that by default block applications’ access to specific system application folders and resources, such as Mail, Messages, Safari, Time Machine backups.

In order for Bitdefender Endpoint Security Tools to scan such protected folders, the user must allow full disk access for the BDLDaemon or, and Bitdefender Endpoint Security Tools application files. Otherwise, modules such as Advanced Threat Control, Antimalware On-Access, and Endpoint Detection and Response do not work properly. The Bitdefender Endpoint Security Tools user interface will show a critical issue until access is granted.


On systems running macOS Mojave (10.14), the Bitdefender Endpoint Security Tools user interface displays a critical issue prompting the user to add the following application files to the Full Disk Access list in Security & Privacy > Privacy.

On macOS Mojave (10.14) and Catalina (10.15), the following files require full disk access:

  • BDLDaemon


On macOS Big Sur (11.x) and later, the following files require full disk access:




In case of a network with various macOS versions, it is recommended to allow all BDLDaemon,, and files.

The path to these files is /Library/Bitdefender/AVP for version 7.4 of the product and /Library/Bitdefender/AVP/product/bin/ for version 7.6.


To allow full disk access to the Bitdefender Endpoint Security Tools files and fix the issue:

  1. In the View Issues window, click the Open Privacy button to go to the Security & Privacy window > Privacy tab > Full Disk Access folder.

  2. Click the lock to make changes and enter an administrator password.

  3. Click the + button to manually add the, BDLDaemon and files to the Full Disk Access list.



  • The above steps apply to Bitdefender Endpoint Security Tools and later.

  • To be fully functional, Bitdefender Endpoint Security Tools also requires kernel extension approval in macOS High Sierra (10.13), Mojave (10.14), and Catalina (10.15). For details, refer to this topic.

  • In macOS Big Sur (11.x), Apple replaced kernel extensions with a new generation of system extensions. To accommodate this change, Bitdefender Endpoint Security Tools requires additional approvals from users. For details, refer to this topic.

  • For details on how to configure Jamf Pro for macOS Big Sur 11.0 and later, including system extensions, traffic proxy and full disk access, refer to this topic.