diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7974e3a245..c8a2402878 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -1,89 +1,1085 @@ --- title: BitLocker CSP -description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. +description: Learn more about the BitLocker CSP. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/22/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/04/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # BitLocker CSP +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] -> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. > -> You must send all the settings together in a single SyncML to be effective. +> - Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. +> - You must send all the settings together in a single SyncML to be effective. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. 
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). + + The following example shows the BitLocker configuration service provider in tree format. -```console -./Device/Vendor/MSFT -BitLocker -----RequireStorageCardEncryption -----RequireDeviceEncryption -----EncryptionMethodByDriveType -----IdentificationField -----SystemDrivesEnablePreBootPinExceptionOnDECapableDevice -----SystemDrivesEnhancedPIN -----SystemDrivesDisallowStandardUsersCanChangePIN -----SystemDrivesEnablePrebootInputProtectorsOnSlates -----SystemDrivesEncryptionType -----SystemDrivesRequireStartupAuthentication -----SystemDrivesMinimumPINLength -----SystemDrivesRecoveryMessage -----SystemDrivesRecoveryOptions -----FixedDrivesRecoveryOptions -----FixedDrivesRequireEncryption -----FixedDrivesEncryptionType -----RemovableDrivesRequireEncryption -----RemovableDrivesEncryptionType -----RemovableDrivesConfigureBDE -----AllowWarningForOtherDiskEncryption -----AllowStandardUserEncryption -----ConfigureRecoveryPasswordRotation -----RotateRecoveryPasswords -----Status ---------DeviceEncryptionStatus ---------RotateRecoveryPasswordsStatus ---------RotateRecoveryPasswordsRequestID +```text +./Device/Vendor/MSFT/BitLocker +--- AllowStandardUserEncryption +--- AllowWarningForOtherDiskEncryption +--- ConfigureRecoveryPasswordRotation +--- EncryptionMethodByDriveType +--- FixedDrivesEncryptionType +--- FixedDrivesRecoveryOptions +--- FixedDrivesRequireEncryption +--- IdentificationField +--- RemovableDrivesConfigureBDE +--- RemovableDrivesEncryptionType +--- RemovableDrivesExcludedFromEncryption +--- 
RemovableDrivesRequireEncryption +--- RequireDeviceEncryption +--- RequireStorageCardEncryption +--- RotateRecoveryPasswords +--- Status +------ DeviceEncryptionStatus +------ RemovableDrivesEncryptionStatus +------ RotateRecoveryPasswordsRequestID +------ RotateRecoveryPasswordsStatus +--- SystemDrivesDisallowStandardUsersCanChangePIN +--- SystemDrivesEnablePrebootInputProtectorsOnSlates +--- SystemDrivesEnablePreBootPinExceptionOnDECapableDevice +--- SystemDrivesEncryptionType +--- SystemDrivesEnhancedPIN +--- SystemDrivesMinimumPINLength +--- SystemDrivesRecoveryMessage +--- SystemDrivesRecoveryOptions +--- SystemDrivesRequireStartupAuthentication +``` + + + +## AllowStandardUserEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption +``` + + + + +Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. +"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. +If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user +is the current logged on user in the system. + +The expected values for this policy are: + +1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. +0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy +will not try to enable encryption on any drive. + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [AllowWarningForOtherDiskEncryptionDependency] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. | +| 1 | "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + 111 + + + ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption + + + int + + 0 + + +``` + + + + + +## AllowWarningForOtherDiskEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption +``` + + + + +Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) +and turn on encryption on the user machines silently. + +> [!WARNING] +> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will +require reinstallation of Windows. + +> [!NOTE] +> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. + +The expected values for this policy are + +1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed. +0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, +the value 0 only takes affect on Azure Active Directory joined devices. +Windows will attempt to silently enable BitLocker for value 0. + + + + + + +> [!NOTE] +> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +> The endpoint for a fixed data drive's backup is chosen in the following order: +> +> 1. The user's Windows Server Active Directory Domain Services account. +> 2. The user's Azure Active Directory account. +> 3. The user's personal OneDrive (MDM/MAM only). +> +> Encryption will wait until one of these three locations backs up successfully. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disables the warning prompt. 
Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. | +| 1 (Default) | Warning prompt allowed. | + + + + +**Example**: + +```xml + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + 0 + + +``` + + + + + +## ConfigureRecoveryPasswordRotation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation +``` + + + + +Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. +When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when +Active Directory back up for recovery password is configured to required. +For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" +For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" + +Supported Values: 0 - Numeric Recovery Passwords rotation OFF. +1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value +2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Refresh off (default). | +| 1 | Refresh on for Azure AD-joined devices. | +| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. | + + + + + + + + + +## EncryptionMethodByDriveType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType +``` + + + + +This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + +- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). + +- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script." + + + + +> [!NOTE] +> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status. + +Data ID elements: + +- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. +- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
+- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. + +Sample value for this node to enable this policy and set the encryption methods is: + +```xml + + + + ``` + The possible values for 'xx' are: + +- 3 = AES-CBC 128 +- 4 = AES-CBC 256 +- 6 = XTS-AES 128 +- 7 = XTS-AES 256 + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**./Device/Vendor/MSFT/BitLocker** -Defines the root node for the BitLocker configuration service provider. - +**ADMX mapping**: -**RequireDeviceEncryption** - -Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption. - - +| Name | Value | +|:--|:--| +| Name | EncryptionMethodWithXts_Name | +| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +**Example**: - -Data type is integer. Sample value for this node to enable this policy: 1. -Supported operations are Add, Get, Replace, and Delete. 
+To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + chr + + + + +``` + + + + + +## FixedDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +> [!NOTE] +> This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on fixed data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## FixedDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + +The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. + +- If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- FDVAllowDRA_Name: Allow data recovery agent +- FDVRecoveryPasswordUsageDropDown_Name and FDVRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- FDVHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- FDVActiveDirectoryBackup_Name: Save BitLocker recovery information to Active Directory Domain Services +- FDVActiveDirectoryBackupDropDown_Name: Configure storage of BitLocker recovery information to AD DS +- FDVRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages +- 2 = Store recovery passwords only + + + +**Description framework 
properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected fixed drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | FDVRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## FixedDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption +``` + + + + +This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + +- If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +- If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to fixed drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Fixed Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | FDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use hte following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## IdentificationField + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/IdentificationField +``` + + + + +This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. + +The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + +You can configure the identification fields on existing drives by using [manage-bde](/windows-server/administration/windows-commands/manage-bde).exe. + +- If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. 
+ +When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + +- If you disable or do not configure this policy setting, the identification field is not required. + +> [!NOTE] +> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + +Data ID elements: + +- IdentificationField: This is a BitLocker identification field. +- SecIdentificationField: This is an allowed BitLocker identification field. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IdentificationField_Name | +| Friendly Name | Provide the unique identifiers for your organization | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | IdentificationField | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesConfigureBDE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesConfigureBDE +``` + + + + +This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. + +When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment). + +- If you do not configure this policy setting, users can use BitLocker on removable disk drives. + +- If you disable this policy setting, users cannot use BitLocker on removable disk drives. + + + + +Data ID elements: + +- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives. +- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives. + +Sample value for this node to enable this policy is: + +```xml + + + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVConfigureBDE | +| Friendly Name | Control use of BitLocker on removable drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | RDVConfigureBDE | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BDEAllowed] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`
Dependency Allowed Value Type: `ADMX`
| + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on removable data drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | RDVEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## RemovableDrivesExcludedFromEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesExcludedFromEncryption +``` + + + + +When enabled, allows you to exclude removable drives and devices connected over USB interface from [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption). Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + + + +## RemovableDrivesRequireEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption +``` + + + + +This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + +- If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + +If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. + +- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. + +> [!NOTE] +> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored. + + + + +Data ID elements: + +- RDVCrossOrg: Deny write access to devices configured in another organization + +Sample value for this node to enable this policy is: + +```xml + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. 
For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RDVDenyWriteAccess_Name | +| Friendly Name | Deny write access to removable drives not protected by BitLocker | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE | +| Registry Value Name | RDVDenyWriteAccess | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + + + +``` + + + + + +## RequireDeviceEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption +``` + + + + +Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + +Sample value for this node to enable this policy: +1 + +Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. + + + + + +> [!NOTE] +> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. 
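Review bot: The new RemovableDrivesExcludedFromEncryption section states that excluded devices "cannot be encrypted, even manually" and that, when "Deny write access to removable drives not protected by BitLocker" is configured, the drive is still "mounted in read/write mode", but unlike its sibling nodes it carries no "Sample value for this node" block and no callout; add a sample showing the comma-delimited hardware-ID list (the Allowed Values row says `List (Delimiter: ,)`, and the text already gives `USBSTOR\SEAGATE_ST39102LW_______0004`) and a `[!NOTE]` making explicit that listing a device here bypasses RDVDenyWriteAccess for it, since that is the security-relevant consequence an admin needs before populating the list. Two smaller consistency points in the same region: the RemovableDrivesEncryptionType dependency is written as `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`, without the `./` prefix and with `Bitlocker` casing, while every other path on the page is `./Device/Vendor/MSFT/BitLocker/...`; and the RequireDeviceEncryption description has the fragment "Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.", which should be one sentence.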
@@ -95,13 +1091,32 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix - It must not be a system partition. - It must not be backed by virtual storage. - It must not have a reference in the BCD store. - -The following list shows the supported values: + -- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes. -- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). - -If you want to disable this policy, use the following SyncML: + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. | +| 1 | Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). | + + + + +**Example**: + +To disable RequireDeviceEncryption: ```xml 
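Review bot: The Allowed values row for `1` drops the cross-reference that the removed bullet carried, turning `[AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)` into plain text "AllowWarningForOtherDiskEncryption policy"; restore the anchor link, since the note a few lines earlier in this same change still links `[EncryptionMethodByDriveType](#encryptionmethodbydrivetype)` and the silent-versus-prompted encryption behavior is exactly what a reader of this row needs to jump to.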
@@ -121,1283 +1136,201 @@ If you want to disable this policy, use the following SyncML: ``` + + + + + +## RequireStorageCardEncryption > [!NOTE] -> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. +> This policy is deprecated and may be removed in a future release. - - -**EncryptionMethodByDriveType** - -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)* -- GP name: *EncryptionMethodWithXts_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. - -If you enable this setting, you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. - -If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. - - Sample value for this node to enable this policy and set the encryption methods is: - -```xml - + +```Device +./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption ``` + -- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. -- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. -- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. 
- - The possible values for 'xx' are: + + +Allows the Admin to require storage card encryption on the device. -- 3 = AES-CBC 128 -- 4 = AES-CBC 256 -- 6 = XTS-AES 128 -- 7 = XTS-AES 256 - -> [!NOTE] -> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. +This policy is only valid for mobile SKU. +Sample value for this node to enable this policy: +1 - If you want to disable this policy, use the following SyncML: +Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Storage cards do not need to be encrypted. | +| 1 | Require storage cards to be encrypted. | + + + + + + + + + +## RotateRecoveryPasswords + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords ``` + -Data type is string. + + +Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. +This policy is Execute type and rotates all numeric passwords when issued from MDM tools. -Supported operations are Add, Get, Replace, and Delete. - - -**IdentificationField** - -Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. - - +The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." +- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives." +- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives." -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes: - - -ADMX Info: +- status\RotateRecoveryPasswordsStatus +- status\RotateRecoveryPasswordsRequestID -- GP Friendly name: *Provide the unique identifiers for your organization* -- GP name: *IdentificationField_Name* -- GP path: *Windows Components/BitLocker Drive Encryption* -- GP ADMX file name: *VolumeEncryption.admx* +Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - -This setting is used to establish an identifier that is applied to all encrypted drives in your organization. 
- -Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): - -- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. - -- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. - ->[!Note] ->When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. 
- -If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- IdentificationField: This is a BitLocker identification field. -- SecIdentificationField: This is an allowed BitLocker identification field. - -If you disable or don't configure this setting, the identification field isn't required. - ->[!Note] ->Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. - - - - -**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice** - -Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN* -- GP name: *EnablePreBootPinExceptionOnDECapableDevice_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. - -If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the options of "Require additional authentication at startup" policy apply. - - - -**SystemDrivesEnhancedPIN** - -Allows users to configure whether or not enhanced startup PINs are used with BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Allow enhanced PINs for startup* -- GP name: *EnhancedPIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. - ->[!Note] ->Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. - -If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this policy setting, enhanced PINs won't be used. - - - -**SystemDrivesDisallowStandardUsersCanChangePIN** - -Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Disallow standard users from changing the PIN or password* -- GP name: *DisallowStandardUsersCanChangePIN_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive. - ->[!Note] ->To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. - -If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords. - -If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords. - -Sample value for this node to disable this policy is: - -```xml - -``` - - - -**SystemDrivesEnablePrebootInputProtectorsOnSlates** - -Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enable use of BitLocker authentication requiring preboot keyboard input on slates* -- GP name: *EnablePrebootInputProtectorsOnSlates_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password. 
- -It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. - -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. - ->[!Note] ->If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: -> ->- Configure TPM startup PIN: Required and Allowed ->- Configure TPM startup key and PIN: Required and Allowed ->- Configure use of passwords for operating system drives - - - - -**SystemDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on operating system drives* -- GP name: *OSEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker. Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. - -Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. 
- -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**SystemDrivesRequireStartupAuthentication** - -This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Require additional authentication at startup* -- GP name: *ConfigureAdvancedStartup_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. - -> [!NOTE] -> Only one of the additional authentication options is required at startup, otherwise an error occurs. 
- -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. - -On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. - -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. - -If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. - -If you disable or don't configure this setting, users can configure only basic options on computers with a TPM. - -> [!NOTE] -> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. - -> [!NOTE] -> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -Data ID: - -- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). -- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. -- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. -- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. -- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. - - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Optional -- 1 = Required -- 0 = Disallowed - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesMinimumPINLength** - -This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup". - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure minimum PIN length for startup* -- GP name: *MinimumPINLength_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits. 
- -> [!NOTE] -> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. -> ->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2. - -If you enable this setting, you will require a minimum number of digits to set the startup PIN. - -If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. - -Sample value for this node to enable this policy is: - -```xml - -``` - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -**SystemDrivesRecoveryMessage** - -This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" -(PrebootRecoveryInfo_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Configure pre-boot recovery message and URL* -- GP name: *PrebootRecoveryInfo_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. - -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. 
If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). - -If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. - -If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- 0 = Empty -- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). -- 2 = Custom recovery message is set. -- 3 = Custom recovery URL is set. -- 'yy' = string of max length 900. -- 'zz' = string of max length 500. - -> [!NOTE] -> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - - - -``` - -> [!NOTE] -> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. 
- - -**SystemDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected operating system drives can be recovered* -- GP name: *OSRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Operating System Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. - -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. - -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -> [!NOTE] -> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. - -If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. 
- -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only. -- 1 = Store recovery passwords and key packages. - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRecoveryOptions** - -This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Choose how BitLocker-protected fixed drives can be recovered* -- GP name: *FDVRecoveryUsage_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. - -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. 
For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). - -In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. - -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. - -Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. - -Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. - -Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. 
- -> [!NOTE] -> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. - -If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. - -If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - -The possible values for 'yy' are: - -- 2 = Allowed -- 1 = Required -- 0 = Disallowed - -The possible values for 'zz' are: - -- 2 = Store recovery passwords only -- 1 = Store recovery passwords and key packages - - -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to fixed drives not protected by BitLocker* -- GP name: *FDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. - -If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - - - -``` - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - -**FixedDrivesEncryptionType** - -Allows you to configure the encryption type on fixed data drives that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on fixed data drives* -- GP name: *FDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Fixed Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. 
Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection is displayed to the user. - -Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - ->[!Note] ->This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. - -For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). - - - -**RemovableDrivesRequireEncryption** - -This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Deny write access to removable drives not protected by BitLocker* -- GP name: *RDVDenyWriteAccess_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removeable Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. - -If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. - -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. - -If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access. - -> [!NOTE] -> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. - -Sample value for this node to enable this policy is: - -```xml - -``` - -The possible values for 'xx' are: - -- true = Explicitly allow -- false = Policy not set - - -Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy, use the following SyncML: - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - - - -``` - - -**RemovableDrivesEncryptionType** - -Allows you to configure the encryption type that is used by BitLocker. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Enforce drive encryption type on removable data drives* -- GP name: *RDVEncryptionType_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - - -This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. - -Changing the encryption type will no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. - -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. - -Sample value for this node to enable this policy is: - -```xml - -``` - -If this policy is disabled or not configured, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. - - - -**RemovableDrivesConfigureBDE** - -Allows you to control the use of BitLocker on removable data drives. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -ADMX Info: - -- GP Friendly name: *Control use of BitLocker on removable drives* -- GP name: *RDVConfigureBDE_Name* -- GP path: *Windows Components/BitLocker Drive Encryption/Removable Data Drives* -- GP ADMX file name: *VolumeEncryption.admx* - - -This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker. - -For information about suspending BitLocker protection, see [BitLocker Basic Deployment](/windows/security/information-protection/bitlocker/bitlocker-basic-deployment) . - -The options for choosing property settings that control how users can configure BitLocker are: - -- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on removable data drives. -- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. - -If you enable this policy setting, you can select property settings that control how users can configure BitLocker. - -Sample value for this node to enable this policy is: - -```xml - -``` -Data ID: - -- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives -- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives - -If this policy is disabled, users can't use BitLocker on removable disk drives. - -If you don't configure this policy setting, users can use BitLocker on removable disk drives. - - - -**AllowWarningForOtherDiskEncryption** - -Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1. 
- -> [!IMPORTANT] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). - -> [!Warning] -> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The following list shows the supported values: - -- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. Windows will attempt to silently enable BitLocker for value 0. -- 1 (default) – Warning prompt allowed. - -```xml - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - 0 - - -``` - -> [!NOTE] ->When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. -> ->The endpoint for a fixed data drive's backup is chosen in the following order: -> - >1. The user's Windows Server Active Directory Domain Services account. - >2. The user's Azure Active Directory account. - >3. The user's personal OneDrive (MDM/MAM only). -> ->Encryption will wait until one of these three locations backs up successfully. - - -**AllowStandardUserEncryption** - -Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user of Azure AD account. - - -> [!NOTE] -> This policy is only supported in Azure AD accounts. 
- -"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. - -If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -The expected values for this policy are: - -- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -- 0 = This value is the default value, when the policy isn't set. If the current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. - -If you want to disable this policy, use the following SyncML: - -```xml - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - -``` - - - - -**ConfigureRecoveryPasswordRotation** - - -This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. 
- - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is int. - -Supported operations are Add, Delete, Get, and Replace. - - - -Supported values are: - -- 0 – Refresh off (default). -- 1 – Refresh on for Azure AD-joined devices. -- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices. - - - - - - -**RotateRecoveryPasswords** - - - -This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate. - - -The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. - -Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request. - -Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. - -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. - -Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. 
-- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. -- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -Value type is string. - -Supported operation is Execute. Request ID is expected as a parameter. + + + > [!NOTE] > Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype). -> - windowsAzureADJoin. -> - windowsBulkAzureDomainJoin. -> - windowsAzureADJoinUsingDeviceAuth. -> - windowsCoManagement. +> +> - windowsAzureADJoin. +> - windowsBulkAzureDomainJoin. +> - windowsAzureADJoinUsingDeviceAuth. +> - windowsCoManagement. > [!TIP] > Key rotation feature will only work when: > > - For Operating system drives: -> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). -> - OSActiveDirectoryBackup_Name is set to true. +> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). +> - OSActiveDirectoryBackup_Name is set to true. +> > - For Fixed data drives: -> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). -> - FDVActiveDirectoryBackup_Name is set to true. +> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). +> - FDVActiveDirectoryBackup_Name is set to true. + -**Status** -Interior node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Exec | + - + + + - -**Status/DeviceEncryptionStatus** - + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Status/DeviceEncryptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status/DeviceEncryptionStatus +``` + + + + This node reports compliance state of device encryption on the system. - - +Value '0' means the device is compliant. Any other value represents a non-compliant device. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - - -Value type is int. - -Supported operation is Get. - -Supported values: - -- 0 - Indicates that the device is compliant. -- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: + + +This value represents a bitmask with each bit and the corresponding error code described in the following table: | Bit | Error Code | |-----|------------| @@ -1418,70 +1351,930 @@ Supported values: | 14 |The TPM isn't ready for BitLocker.| | 15 |The network isn't available, which is required for recovery key backup. | | 16-31 |For future use.| + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + - + + + -**Status/RotateRecoveryPasswordsStatus** - + -This node reports the status of RotateRecoveryPasswords request. - + +### Status/RemovableDrivesEncryptionStatus -Status code can be one of the following values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -- 2 – Not started -- 1 - Pending -- 0 - Pass -- Any other code - Failure HRESULT - + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RemovableDrivesEncryptionStatus +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings. + - + + + -Value type is int. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + - + + + - + -**Status/RotateRecoveryPasswordsRequestID** + +### Status/RotateRecoveryPasswordsRequestID - -This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. -This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsRequestID +``` + - + + +This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. +This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus +To ensure the status is correctly matched to the request ID. + -Value type is string. + + + -Supported operation is Get. + +**Description framework properties**: -### SyncML example +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Status/RotateRecoveryPasswordsStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/Status/RotateRecoveryPasswordsStatus +``` + + + + +This Node reports the status of RotateRecoveryPasswords request. +Status code can be one of the following: +NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## SystemDrivesDisallowStandardUsersCanChangePIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesDisallowStandardUsersCanChangePIN +``` + + + + +This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. + +This policy setting is applied when you turn on BitLocker. + +- If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. + +- If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. + + + + +> [!NOTE] +> To change the PIN or password, the user must be able to provide the current PIN or password. + +Sample value for this node to disable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisallowStandardUsersCanChangePIN_Name | +| Friendly Name | Disallow standard users from changing the PIN or password | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | DisallowStandardUserPINReset | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnablePrebootInputProtectorsOnSlates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePrebootInputProtectorsOnSlates +``` + + + + +This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. + +The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. + +- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). + +- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + +**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include +- Configure TPM startup PIN Required/Allowed +- Configure TPM startup key and PIN Required/Allowed +- Configure use of passwords for operating system drives. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePrebootInputProtectorsOnSlates_Name | +| Friendly Name | Enable use of BitLocker authentication requiring preboot keyboard input on slates | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | OSEnablePrebootInputProtectorsOnSlates | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnablePreBootPinExceptionOnDECapableDevice +``` + + + + +This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. + +- If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. + +- If this policy is not enabled, the options of "Require additional authentication at startup" policy apply. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnablePreBootPinExceptionOnDECapableDevice_Name | +| Friendly Name | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | OSEnablePreBootPinExceptionOnDECapableDevice | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEncryptionType +``` + + + + +This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + +- If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + +Sample value for this node to enable this policy is: + +```xml + +``` + +Possible values: + +- 0: Allow user to choose. +- 1: Full encryption. +- 2: Used space only encryption. + +>[!NOTE] +> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. +> For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +> +> For more information about the tool to manage BitLocker, see [manage-bde](/windows-server/administration/windows-commands/manage-bde). 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSEncryptionType_Name | +| Friendly Name | Enforce drive encryption type on operating system drives | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSEncryptionType | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesEnhancedPIN + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesEnhancedPIN +``` + + + + +This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + +Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + +- If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + +> [!NOTE] +> Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + +- If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + +Sample value for this node to enable this policy is: `` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnhancedPIN_Name | +| Friendly Name | Allow enhanced PINs for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| Registry Value Name | UseEnhancedPin | +| ADMX File Name | VolumeEncryption.admx | + + + + + + + + + +## SystemDrivesMinimumPINLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength +``` + + + + +This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + +- If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. + +- If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. + +NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. + + + + +> [!NOTE] +> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. + +Sample value for this node to enable this policy is: + +```xml + +``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MinimumPINLength_Name | +| Friendly Name | Configure minimum PIN length for startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryMessage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage +``` + + + + +This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + +If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the "Use default recovery message and URL" option. + +If you select the "Use custom recovery message" option, the message you type in the "Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. + +If you select the "Use custom recovery URL" option, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. + +> [!NOTE] +> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + + +Data ID elements: + +- PrebootRecoveryInfoDropDown_Name: Select an option for the pre-boot recovery message. +- RecoveryMessage_Input: Custom recovery message +- RecoveryUrl_Input: Custom recovery URL + +Sample value for this node to enable this policy is: + +```xml + + + + +``` + +The possible values for 'xx' are: + +- 0 = Empty +- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). +- 2 = Custom recovery message is set. 
+- 3 = Custom recovery URL is set. + +The possible value for 'yy' and 'zz' is a string of max length 900 and 500 respectively. + +> [!NOTE] +> +> - When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. +> - Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrebootRecoveryInfo_Name | +| Friendly Name | Configure pre-boot recovery message and URL | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | Software\Policies\Microsoft\FVE | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + + + +``` + + + + + +## SystemDrivesRecoveryOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions +``` + + + + +This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + +The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + +In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + +Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + +In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. 
+ +Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +> [!NOTE] +> If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated. + +- If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. + +- If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + + + + +Data ID elements: + +- OSAllowDRA_Name: Allow certificate-based data recovery agent +- OSRecoveryPasswordUsageDropDown_Name and OSRecoveryKeyUsageDropDown_Name: Configure user storage of BitLocker recovery information +- OSHideRecoveryPage_Name: Omit recovery options from the BitLocker setup wizard +- OSActiveDirectoryBackup_Name and OSActiveDirectoryBackupDropDown_Name: Save BitLocker recovery information to Active Directory Domain Services +- OSRequireActiveDirectoryBackup_Name: Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + +Sample value for this node to enable this policy is: + +```xml + + + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 0 = Disallowed +- 1 = Required +- 2 = Allowed + +The possible values for 'zz' are: + +- 1 = Store recovery passwords and key packages. +- 2 = Store recovery passwords only. 
+ + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OSRecoveryUsage_Name | +| Friendly Name | Choose how BitLocker-protected operating system drives can be recovered | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | OSRecovery | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + + + +``` + + + + + +## SystemDrivesRequireStartupAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication +``` + + + + +This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + +> [!NOTE] +> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. + +If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. + +On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. + +- If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. + +- If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. 
+ +> [!NOTE] +> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard. + + + + +> [!NOTE] +> +> - In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. +> - Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. +Data ID elements: + +- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). +- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. +- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN. +- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN. +- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup. + +Sample value for this node to enable this policy is: + +```xml + + + + + + +``` + +The possible values for 'xx' are: + +- true = Explicitly allow +- false = Policy not set + +The possible values for 'yy' are: + +- 2 = Optional +- 1 = Required +- 0 = Disallowed + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureAdvancedStartup_Name | +| Friendly Name | Require additional authentication at startup | +| Location | Computer Configuration | +| Path | Windows Components > BitLocker Drive Encryption > Operating System Drives | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | +| Registry Value Name | UseAdvancedStartup | +| ADMX File Name | VolumeEncryption.admx | + + + + +**Example**: + +To disable this policy, use the following SyncML: + +```xml + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + + + +``` + + + + + + +## SyncML example The following example is provided to show proper format and shouldn't be taken as a recommendation. @@ -1644,9 +2437,10 @@ The following example is provided to show proper format and shouldn't be taken a ``` + - + -## Related topics +## Related articles -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 5c397b3bce..081ef8b6f2 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md 
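Review bot: In the new Status/RemovableDrivesEncryptionStatus description the node is named RemovableDrivesEncryptionStatus but the text says "removal drive" three times; it should read "removable drive". The same paragraph also drops the status codes the removed lines documented (2 Not started, 1 Pending, 0 Pass, any other code a failure HRESULT) and explains only the 0 value, while the sibling Status/RotateRecoveryPasswordsStatus description keeps its full code list; please restore the codes so an admin can tell a pending or failed state from a compliant one. Smaller points in the same hunk: the RotateRecoveryPasswordsRequestID text capitalizes "This Node" and splits one sentence so that "To ensure the status is correctly matched" starts a new line with a capital T; in SystemDrivesRequireStartupAuthentication the "Data ID elements:" line directly follows the `> - Devices that pass Hardware Security Testability Specification (HSTI) validation ...` note with no blank line, so Markdown renders it as a lazy continuation of the blockquote; SystemDrivesRecoveryMessage repeats the "Not all characters and languages are supported in pre-boot" warning both in the description and in the later NOTE list; and the 'yy' value lists are ordered 0, 1, 2 under SystemDrivesRecoveryOptions but 2, 1, 0 under SystemDrivesRequireStartupAuthentication, which is worth aligning.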
@@ -1,63 +1,65 @@ --- title: BitLocker DDF file -description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. +description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/22/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/30/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + # BitLocker DDF file -This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the BitLocker configuration service provider. ```xml -]> +]> 1.2 - - BitLocker - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/5.0/MDM/BitLocker - - - - - RequireStorageCardEncryption - - - - - - - - Allows the Admin to require storage card encryption on the device. + + + + BitLocker + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.15063 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + RequireStorageCardEncryption + + + + + + + + 0 + Allows the Admin to require storage card encryption on the device. The format is integer. This policy is only valid for mobile SKU. Sample value for this node to enable this policy: 
@@ -65,99 +67,89 @@ The XML below is the current version for this CSP. Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 100 - - - ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - RequireDeviceEncryption - - - - - - - - Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + 100./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryptionint0 + + + + + + + + + + + + + + + 0 + Storage cards do not need to be encrypted. + + + 1 + Require storage cards to be encrypted. + + + + + + + RequireDeviceEncryption + + + + + + + + 0 + Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. The format is integer. Sample value for this node to enable this policy: 1 Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - - 101 - - - ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - EncryptionMethodByDriveType - - - - - - - - This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + 101./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryptionint0 + + + + + + + + + + + + + + + 0 + Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. + + + 1 + Enable. The device's enforcement status is checked. 
Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on AllowWarningForOtherDiskEncryption policy). + + + + + + EncryptionMethodByDriveType + + + + + + + + This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/> + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
@@ -170,48 +162,37 @@ The XML below is the current version for this CSP. 7 = XTS-AES 256 If you want to disable this policy use the following SyncML: - - 102 - - - ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - - - chr - - <disabled/> - - + 102./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveTypechr Note: Maps to GP EncryptionMethodWithXts_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory - EncryptionMethodWithXts_Name - - - - SystemDrivesRequireStartupAuthentication - - - - - - - - This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRequireStartupAuthentication + + + + + + + + This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. 
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. @@ -220,7 +201,7 @@ The XML below is the current version for this CSP. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/> + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. 
@@ -240,106 +221,84 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 103 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - - - chr - - <disabled/> - - + 103./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthenticationchr Note: Maps to GP ConfigureAdvancedStartup_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - ConfigureAdvancedStartup_Name - - - - SystemDrivesMinimumPINLength - - - - - - - - This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + + + + + + + + + + + + + + + + + + + SystemDrivesMinimumPINLength + + + + + + + + This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="MinPINLength" value="xx"/> + Disabling the policy will let the system choose the default behaviors. 
If you want to disable this policy use the following SyncML: - - 104 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - <disabled/> - - + 104./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLengthchr Note: Maps to GP MinimumPINLength_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - MinimumPINLength_Name - - - - SystemDrivesRecoveryMessage - - - - - - - - This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryMessage + + + + + + + + This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. 
Sample value for this node to enable this policy is: - <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/> + The possible values for 'xx' are: 0 = Empty 
@@ -351,48 +310,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 105 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - <disabled/> - - + 105./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessagechr Note: Maps to GP PrebootRecoveryInfo_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - PrebootRecoveryInfo_Name - - - - SystemDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + SystemDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. 
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -403,7 +351,7 @@ The XML below is the current version for this CSP. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -420,48 +368,37 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 106 - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - <disabled/> - - + 106./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptionschr Note: Maps to GP OSRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory - OSRecoveryUsage_Name - - - - FixedDrivesRecoveryOptions - - - - - - - - This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + + + + + + + + + + + + + + + + + + + FixedDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. @@ -472,7 +409,7 @@ The XML below is the current version for this CSP. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -489,105 +426,83 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 107 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - <disabled/> - - + 107./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptionschr Note: Maps to GP FDVRecoveryUsage_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVRecoveryUsage_Name - - - - FixedDrivesRequireEncryption - - - - - - - - This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + + + + + + + + + + + + + + + + + + + FixedDrivesRequireEncryption + + + + + + + + This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - <enabled/> + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 108 - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - <disabled/> - - + 108./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryptionchr Note: Maps to GP FDVDenyWriteAccess_Name policy. 
- - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory - FDVDenyWriteAccess_Name - - - - RemovableDrivesRequireEncryption - - - - - - - - This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + + + + + + + + + + + + + + + + + + + RemovableDrivesRequireEncryption + + + + + + + + This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - <enabled/><data id="RDVCrossOrg" value="xx"/> + The possible values for 'xx' are: true = Explicitly allow 
@@ -595,48 +510,73 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - - 109 - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - <disabled/> - - + 109./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryptionchr Note: Maps to GP RDVDenyWriteAccess_Name policy. - - - - - - - - - - - text/plain - - VolumeEncryption.admx - VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory - RDVDenyWriteAccess_Name - - - - AllowWarningForOtherDiskEncryption - - - - - - - - Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) + + + + + + + + + + + + + + + + + + + RemovableDrivesExcludedFromEncryption + + + + + + + + When enabled, allows you to exclude removable drives and devices connected over USB interface from BitLocker Device Encryption. Excluded devices cannot be encrypted, even manually. Additionally, if "Deny write access to removable drives not protected by BitLocker" is configured, user will not be prompted for encryption and drive will be mounted in read/write mode. Provide a comma separated list of excluded removable drives\devices, using the Hardware ID of the disk device. Example USBSTOR\SEAGATE_ST39102LW_______0004. + + + + + + + + + + + + + + + + + 10.0.22000 + 5.0 + + + + + LastWrite + + + + AllowWarningForOtherDiskEncryption + + + + + + + + 1 + Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) and turn on encryption on the user machines silently. Warning: When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. 
@@ -646,51 +586,46 @@ The XML below is the current version for this CSP. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, - the value 0 only takes affect on Azure Active Directory-joined devices. + the value 0 only takes affect on Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. If you want to disable this policy use the following SyncML: - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - AllowStandardUserEncryption - - - - - - - - Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. + 110./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryptionint0 + + + + + + + + + + + + + + + 0 + Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. + + + 1 + Warning prompt allowed. + + + + + + AllowStandardUserEncryption + + + + + + + + 0 + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. 
@@ -702,100 +637,107 @@ The XML below is the current version for this CSP. will not try to enable encryption on any drive. If you want to disable this policy use the following SyncML: - - 111 - - - ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - ConfigureRecoveryPasswordRotation - - - - - - - - Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices. - When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when + 111./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryptionint0 + + + + + + + + + + + + + + 10.0.17763 + 3.0 + + + + 0 + This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. + + + 1 + "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. + + + + + + Device/Vendor/MSFT/Bitlocker/AllowWarningForOtherDiskEncryption + + [0] + + + + + + + + ConfigureRecoveryPasswordRotation + + + + + + + + 0 + Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. + When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" Supported Values: 0 - Numeric Recovery Passwords rotation OFF. 
- 1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value - 2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices + 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value + 2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices If you want to disable this policy use the following SyncML: - - 112 - - - ./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation - - - int - - 0 - - - - - - - - - - - - - - text/plain - - - - - - - - - - - RotateRecoveryPasswords - - - - - Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. + 112./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotationint0 + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + 0 + Refresh off (default) + + + 1 + Refresh on for Azure AD-joined devices + + + 2 + Refresh on for both Azure AD-joined and hybrid-joined devices + + + + + + RotateRecoveryPasswords + + + + + Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. This policy is Execute type and rotates all numeric passwords when issued from MDM tools. The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." 
@@ -811,133 +753,522 @@ The policy only comes into effect when Active Directory backup for a recovery pa Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ - - 113 - - - ./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords - - - chr - - <RequestID/> - - - - - - - - - - - - - - text/plain - + 113./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswordschr + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + Status + + + + + + + + + + + + + + + + + + 10.0.18362 + 4.0 + + + + DeviceEncryptionStatus + + + + + This node reports compliance state of device encryption on the system. + Value '0' means the device is compliant. Any other value represents a non-compliant device. + + + + + + + + + + + + + - - - - Status - - - - - - - - - - - - - - - - - - - DeviceEncryptionStatus - - - - - This node reports compliance state of device encryption on the system. - Value '0' means the device is compliant. Any other value represents a non-compliant device. - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsStatus - - - - - This Node reports the status of RotateRecoveryPasswords request. - Status code can be one of the following: - NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure - - - - - - - - - - - - - text/plain - - - - - - RotateRecoveryPasswordsRequestID - - - - - This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. - This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus - To ensure the status is correctly matched to the request ID. - - - - - - - - - - - - - text/plain - - - - + + RotateRecoveryPasswordsStatus + + + + + This Node reports the status of RotateRecoveryPasswords request. 
+ Status code can be one of the following: + NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RotateRecoveryPasswordsRequestID + + + + + This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. + This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus + To ensure the status is correctly matched to the request ID. + + + + + + + + + + + + + + + + 10.0.18363 + 5.0 + + + + + RemovableDrivesEncryptionStatus + + + + + This node reports compliance state of removal drive encryption. "0" Value means the removal drive is encrypted following all set removal drive settings. + + + + + + + + + + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + IdentificationField + + + + + + + + + This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. 
+ The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. + You can configure the identification fields on existing drives by using manage-bde.exe. + If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. + When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. + If you disable or do not configure this policy setting, the identification field is not required. + + Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer. + + + + + + + + + + + + IdentificationField + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + FixedDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. 
Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + FixedDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnhancedPIN + + + + + + + + + This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. + Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. + Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. + If you disable or do not configure this policy setting, enhanced PINs will not be used. + + + + + + + + + + + SystemDrivesEnhancedPIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + + + + + This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. + This policy setting is applied when you turn on BitLocker. + If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. 
+ If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. + + + + + + + + + + + SystemDrivesDisallowStandardUsersCanChangePIN + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + + + + + This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. + + The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. + If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). + If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + + Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include: + - Configure TPM startup PIN: Required/Allowed + - Configure TPM startup key and PIN: Required/Allowed + - Configure use of passwords for operating system drives. + + + + + + + + + + + SystemDrivesEnablePrebootInputProtectorsOnSlates + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEncryptionType + + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. + If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker. + + + + + + + + + + + SystemDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + + + + + This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. + If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. + If this policy is not enabled, the options of "Require additional authentication at startup" policy apply. + + + + + + + + + + + SystemDrivesEnablePreBootPinExceptionOnDECapableDevice + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesConfigureBDE + + + + + + + + This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. 
+ + + + + + + + + + RemovableDrivesConfigureBDE + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + LastWrite + + + + RemovableDrivesEncryptionType + + + + + + + + This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. + + + + + + + + + + RemovableDrivesEncryptionType + + + + + 10.0.22000, 10.0.19043.1202, 10.0.19042.1202, 10.0.19041.1202 + 5.0 + + + + + + + + + + + + Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE + + + + + + + LastWrite + + + ``` -## Related topics +## Related articles -[BitLocker configuration service provider](bitlocker-csp.md) +[BitLocker configuration service provider reference](bitlocker-csp.md)
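Review bot: the descriptions for RemovableDrivesConfigureBDE and RemovableDrivesEncryptionType end after "This policy setting is applied when you turn on BitLocker." and omit the "If you enable this policy setting ..." / "If you disable or do not configure this policy setting ..." sentences that every other entry in this hunk carries (FixedDrivesEncryptionType, SystemDrivesEncryptionType, SystemDrivesEnhancedPIN and so on), so a reader cannot tell from this page what each state of those two settings does; if the DDF source for these nodes has the enable/disable text, it should be included here for consistency, and if it does not, a short note that the policy has no documented disabled/not-configured behaviour would avoid the appearance of a truncated copy. Related: the RemovableDrivesEncryptionType entry lists a dependency on `Device/Vendor/MSFT/Bitlocker/RemovableDrivesConfigureBDE`, which is the only dependency shown for any node in this hunk; stating in the description that the encryption type only takes effect when RemovableDrivesConfigureBDE permits BitLocker on removable drives would make that relationship explicit rather than leaving it to the metadata block. Minor: "comma separated list" in the IdentificationField description should read "comma-separated list" to match the hyphenation used elsewhere in this reference set.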