mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 12:53:38 +00:00
updates
This commit is contained in:
Paolo Matarazzo
@ -1,11 +1,11 @@
|
||||
---
|
||||
title: BitLocker configuration
|
||||
title: Configure BitLocker
|
||||
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
|
||||
ms.topic: how-to
|
||||
ms.date: 10/03/2023
|
||||
---
|
||||
|
||||
# BitLocker configuration
|
||||
# Configure BitLocker
|
||||
|
||||
To configure BitLocker, you can use one of the following options:
|
||||
|
||||
@ -43,8 +43,143 @@ To learn more about options to configure BitLocker via Microsoft Configuration M
|
||||
> [!TIP]
|
||||
> Organizations that image their device using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE), and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, an organization could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
## BitLocker policy settings
|
||||
|
||||
### Configure and manage servers
|
||||
This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
|
||||
|
||||
### Policy settings list
|
||||
|
||||
The list of settings is sorted alphabetically and organized in four categories:
|
||||
|
||||
- **Common settings**: settings applicable to all BitLocker-protected drives
|
||||
- **Operating system drive**: settings applicable to the drive where Windows is installed
|
||||
- **Fixed data drives**: settings applicable to any local drives, except the operating system drive
|
||||
- **Removable data drives**: settings applicable to any removable drives
|
||||
|
||||
Select one of the tabs to see the list of available settings:
|
||||
|
||||
#### [:::image type="icon" source="images/locked-drive.svg"::: **Common settings**](#tab/common)
|
||||
|
||||
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
|
||||
|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
|
||||
|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
|
||||
|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
|
||||
|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
|
||||
|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
|
||||
|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
|
||||
|[Require device encryption](#require-device-encryption)|✅|❌|
|
||||
|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
|
||||
|
||||
[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
|
||||
[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
|
||||
[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
|
||||
[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
|
||||
[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
|
||||
[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
|
||||
[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
|
||||
[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
|
||||
[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN](#allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-preboot-pin)|✅|✅|
|
||||
|[Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)|✅|✅|
|
||||
|[Allow network unlock at startup](#allow-network-unlock-at-startup)|❌|✅|
|
||||
|[Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)|❌|✅|
|
||||
|[Allow Warning For Other Disk Encryption](#allow-warning-for-other-disk-encryption)|✅|❌|
|
||||
|[Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)|✅|✅|
|
||||
|[Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)|✅|✅|
|
||||
|[Configure pre-boot recovery message and URL](#configure-preboot-recovery-message-and-url)|✅|✅|
|
||||
|[Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)|❌|✅|
|
||||
|[Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)|❌|✅|
|
||||
|[Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)|❌|✅|
|
||||
|[Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)|❌|✅|
|
||||
|[Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)|✅|✅|
|
||||
|[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
|
||||
|[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
|
||||
|[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
|
||||
|[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
|
||||
|[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
|
||||
|
||||
[!INCLUDE [allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin](includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md)]
|
||||
[!INCLUDE [allow-enhanced-pins-for-startup](includes/allow-enhanced-pins-for-startup.md)]
|
||||
[!INCLUDE [allow-network-unlock-at-startup](includes/allow-network-unlock-at-startup.md)]
|
||||
[!INCLUDE [allow-secure-boot-for-integrity-validation](includes/allow-secure-boot-for-integrity-validation.md)]
|
||||
[!INCLUDE [allow-warning-for-other-disk-encryption](includes/allow-warning-for-other-disk-encryption.md)]
|
||||
[!INCLUDE [choose-how-bitlocker-protected-operating-system-drives-can-be-recovered](includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-minimum-pin-length-for-startup](includes/configure-minimum-pin-length-for-startup.md)]
|
||||
[!INCLUDE [configure-pre-boot-recovery-message-and-url](includes/configure-pre-boot-recovery-message-and-url.md)]
|
||||
[!INCLUDE [configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md)]
|
||||
[!INCLUDE [configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-operating-system-drives](includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-operating-system-drives](includes/configure-use-of-passwords-for-operating-system-drives.md)]
|
||||
[!INCLUDE [disallow-standard-users-from-changing-the-pin-or-password](includes/disallow-standard-users-from-changing-the-pin-or-password.md)]
|
||||
[!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
|
||||
[!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
|
||||
[!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
|
||||
[!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Fixed data drives**](#tab/fixed)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)|✅|✅|
|
||||
|[Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)|❌|✅|
|
||||
|[Configure use of passwords for fixed data drives](#configure-use-of-passwords-for-fixed-data-drives)|❌|✅|
|
||||
|[Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)|❌|✅|
|
||||
|[Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)|✅|✅|
|
||||
|[Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)|✅|✅|
|
||||
|
||||
[!INCLUDE [choose-how-bitlocker-protected-fixed-drives-can-be-recovered](includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-fixed-data-drives](includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-fixed-data-drives](includes/configure-use-of-passwords-for-fixed-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-smart-cards-on-fixed-data-drives](includes/configure-use-of-smart-cards-on-fixed-data-drives.md)]
|
||||
[!INCLUDE [deny-write-access-to-fixed-drives-not-protected-by-bitlocker](includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-fixed-data-drives](includes/enforce-drive-encryption-type-on-fixed-data-drives.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Removable data drives**](#tab/removable)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)|❌|✅|
|
||||
|[Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)|❌|✅|
|
||||
|[Configure use of passwords for removable data drives](#configure-use-of-passwords-for-removable-data-drives)|❌|✅|
|
||||
|[Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)|❌|✅|
|
||||
|[Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)|✅|✅|
|
||||
|[Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)|✅|✅|
|
||||
|[Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)|✅|✅|
|
||||
|[Removable Drives Excluded From Encryption](#removable-drives-excluded-from-encryption)|✅|❌|
|
||||
|
||||
[!INCLUDE [choose-how-bitlocker-protected-removable-drives-can-be-recovered](includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-removable-data-drives](includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-removable-data-drives](includes/configure-use-of-passwords-for-removable-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-smart-cards-on-removable-data-drives](includes/configure-use-of-smart-cards-on-removable-data-drives.md)]
|
||||
[!INCLUDE [control-use-of-bitlocker-on-removable-drives](includes/control-use-of-bitlocker-on-removable-drives.md)]
|
||||
[!INCLUDE [deny-write-access-to-removable-drives-not-protected-by-bitlocker](includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-removable-data-drives](includes/enforce-drive-encryption-type-on-removable-data-drives.md)]
|
||||
[!INCLUDE [removable-drives-excluded-from-encryption](includes/removable-drives-excluded-from-encryption.md)]
|
||||
|
||||
---
|
||||
|
||||
## BitLocker and policy settings compliance
|
||||
|
||||
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
|
||||
|
||||
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended by using the [`manage-bde.exe`](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
|
||||
|
||||
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [`manage-bde.exe`](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
|
||||
|
||||
## Configure and manage servers
|
||||
|
||||
Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](operations-guide.md), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ A trusted platform module (TPM) is a hardware component installed in many Window
|
||||
|
||||
BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN), or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
|
||||
|
||||
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
|
||||
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
|
||||
|
||||
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
|
||||
|
||||
@ -43,33 +43,38 @@ To protect the BitLocker encryption key, BitLocker can use different types of *p
|
||||
|
||||
| Key protector | Description |
|
||||
| - | - |
|
||||
| Password | To unlock a drive, the user must supply a password. This is the weakest protector and it should be avoided, if possible.|
|
||||
| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
|
||||
| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
|
||||
| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
|
||||
| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
|
||||
| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
|
||||
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
|
||||
| Password | To unlock a drive, the user must supply a password. This key protector can be used on non-TPM devices .|
|
||||
| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions. The TPM protector can only be used with the OS drive. |
|
||||
| PIN | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.|
|
||||
| Startup key | An encryption key that can be stored on removable media, with a file name format of `<protector_id>.bek`. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
|
||||
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `<protector_id>.bek`|
|
||||
| Recovery password | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
|
||||
| PublicKey (DataRecoveryAgent) | A *Data Recovery Agent* (DRA) certificate that can be used to access any BitLocker encrypted drives that is configured with the public key protector.|
|
||||
| Network (TpmNetworkKey) | A key protector that allows automatic unlocking of operating system volumes while still maintaining multifactor authentication. This key protector can only be used with OS volumes.|
|
||||
| Active Directory user or group | A protector that is based on an Active Directory user or group security identified (SID). This protector can't be used for OS volumes and is not supported on Microsoft Entra joined devices.|
|
||||
|
||||
### BitLocker authentication methods
|
||||
|
||||
The following table describes the authentication methods that can be used to unlock an OS volume:
|
||||
|
||||
| Authentication method | Requires user interaction | Description |
|
||||
| - | - | - |
|
||||
| TPM only| No| TPM validates early boot components.|
|
||||
| TPM only| No| TPM validates early boot components|
|
||||
| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
|
||||
| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
|
||||
| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
|
||||
| TPM + startup key | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
|
||||
| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device.|
|
||||
| Password | Yes| The user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic. |
|
||||
|
||||
#### Support for devices without TPM
|
||||
|
||||
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support devices without TPM, a user must use a USB startup key to boot the system. The startup key requires extra support processes similar to multifactor authentication.
|
||||
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support devices without TPM, a user must use a USB startup key or a password to boot the system. The startup key requires extra support processes similar to multifactor authentication.
|
||||
|
||||
#### What areas of the organization need a baseline level of data protection?
|
||||
|
||||
The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for devices that are unattended or that must reboot unattended.
|
||||
|
||||
However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
|
||||
However, TPM-only authentication method doesn't offer a high level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
|
||||
|
||||
> [!TIP]
|
||||
> An advantage of TPM-only authentication is that a device can boot Windows without any user interaction. In case of lost or stolen device, there may be an advantage of this configuration: if the device is connected to the Internet, it can be remotely wiped with a device management solution like Microsoft Intune.
|
||||
@ -193,3 +198,11 @@ For more information about how to configure Network unlock feature, see [Network
|
||||
## Monitor and manage BitLocker
|
||||
|
||||
Organizations can use Microsoft Intune or Configuration Manager to monitor and manage BitLocker. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
|
||||
|
||||
## Next steps
|
||||
|
||||
> [!div class="nextstepaction"]
|
||||
> Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
|
||||
>
|
||||
>
|
||||
> [Configure BitLocker >](countermeasures.md)
|
||||
|
||||
@ -1,144 +0,0 @@
|
||||
---
|
||||
title: BitLocker policy settings
|
||||
description: Learn about the policy settings to configure BitLocker
|
||||
ms.collection:
|
||||
- tier1
|
||||
ms.topic: reference
|
||||
ms.date: 09/29/2023
|
||||
---
|
||||
|
||||
# BitLocker policy settings
|
||||
|
||||
This reference article describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
|
||||
|
||||
## Policy settings list
|
||||
|
||||
The list of settings is sorted alphabetically and organized in four categories:
|
||||
|
||||
- **Common settings**: settings applicable to all BitLocker-protected drives
|
||||
- **Operating system drive**: settings applicable to the drive where Windows is installed
|
||||
- **Fixed data drives**: settings applicable to any local drives, except the operating system drive
|
||||
- **Removable data drives**: settings applicable to any removable drives
|
||||
|
||||
Select one of the tabs to see the list of available settings:
|
||||
|
||||
#### [:::image type="icon" source="images/locked-drive.svg"::: **Common settings**](#tab/common)
|
||||
|
||||
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
|
||||
|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
|
||||
|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
|
||||
|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
|
||||
|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
|
||||
|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
|
||||
|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
|
||||
|[Require device encryption](#require-device-encryption)|✅|❌|
|
||||
|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
|
||||
|
||||
[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
|
||||
[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
|
||||
[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
|
||||
[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
|
||||
[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
|
||||
[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
|
||||
[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
|
||||
[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
|
||||
[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN](#allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-preboot-pin)|✅|✅|
|
||||
|[Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)|✅|✅|
|
||||
|[Allow network unlock at startup](#allow-network-unlock-at-startup)|❌|✅|
|
||||
|[Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)|❌|✅|
|
||||
|[Allow Warning For Other Disk Encryption](#allow-warning-for-other-disk-encryption)|✅|❌|
|
||||
|[Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)|✅|✅|
|
||||
|[Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)|✅|✅|
|
||||
|[Configure pre-boot recovery message and URL](#configure-preboot-recovery-message-and-url)|✅|✅|
|
||||
|[Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)|❌|✅|
|
||||
|[Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)|❌|✅|
|
||||
|[Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)|❌|✅|
|
||||
|[Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)|❌|✅|
|
||||
|[Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)|✅|✅|
|
||||
|[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
|
||||
|[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
|
||||
|[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
|
||||
|[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
|
||||
|[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
|
||||
|
||||
[!INCLUDE [allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin](includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md)]
|
||||
[!INCLUDE [allow-enhanced-pins-for-startup](includes/allow-enhanced-pins-for-startup.md)]
|
||||
[!INCLUDE [allow-network-unlock-at-startup](includes/allow-network-unlock-at-startup.md)]
|
||||
[!INCLUDE [allow-secure-boot-for-integrity-validation](includes/allow-secure-boot-for-integrity-validation.md)]
|
||||
[!INCLUDE [allow-warning-for-other-disk-encryption](includes/allow-warning-for-other-disk-encryption.md)]
|
||||
[!INCLUDE [choose-how-bitlocker-protected-operating-system-drives-can-be-recovered](includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-minimum-pin-length-for-startup](includes/configure-minimum-pin-length-for-startup.md)]
|
||||
[!INCLUDE [configure-pre-boot-recovery-message-and-url](includes/configure-pre-boot-recovery-message-and-url.md)]
|
||||
[!INCLUDE [configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md)]
|
||||
[!INCLUDE [configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-operating-system-drives](includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-operating-system-drives](includes/configure-use-of-passwords-for-operating-system-drives.md)]
|
||||
[!INCLUDE [disallow-standard-users-from-changing-the-pin-or-password](includes/disallow-standard-users-from-changing-the-pin-or-password.md)]
|
||||
[!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
|
||||
[!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
|
||||
[!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
|
||||
[!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Fixed data drives**](#tab/fixed)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)|✅|✅|
|
||||
|[Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)|❌|✅|
|
||||
|[Configure use of passwords for fixed data drives](#configure-use-of-passwords-for-fixed-data-drives)|❌|✅|
|
||||
|[Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)|❌|✅|
|
||||
|[Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)|✅|✅|
|
||||
|[Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)|✅|✅|
|
||||
|
||||
[!INCLUDE [choose-how-bitlocker-protected-fixed-drives-can-be-recovered](includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-fixed-data-drives](includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-fixed-data-drives](includes/configure-use-of-passwords-for-fixed-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-smart-cards-on-fixed-data-drives](includes/configure-use-of-smart-cards-on-fixed-data-drives.md)]
|
||||
[!INCLUDE [deny-write-access-to-fixed-drives-not-protected-by-bitlocker](includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-fixed-data-drives](includes/enforce-drive-encryption-type-on-fixed-data-drives.md)]
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Removable data drives**](#tab/removable)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|-|-|-|
|
||||
|[Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)|❌|✅|
|
||||
|[Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)|❌|✅|
|
||||
|[Configure use of passwords for removable data drives](#configure-use-of-passwords-for-removable-data-drives)|❌|✅|
|
||||
|[Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)|❌|✅|
|
||||
|[Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)|✅|✅|
|
||||
|[Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)|✅|✅|
|
||||
|[Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)|✅|✅|
|
||||
|[Removable Drives Excluded From Encryption](#removable-drives-excluded-from-encryption)|✅|❌|
|
||||
|
||||
[!INCLUDE [choose-how-bitlocker-protected-removable-drives-can-be-recovered](includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md)]
|
||||
[!INCLUDE [configure-use-of-hardware-based-encryption-for-removable-data-drives](includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-passwords-for-removable-data-drives](includes/configure-use-of-passwords-for-removable-data-drives.md)]
|
||||
[!INCLUDE [configure-use-of-smart-cards-on-removable-data-drives](includes/configure-use-of-smart-cards-on-removable-data-drives.md)]
|
||||
[!INCLUDE [control-use-of-bitlocker-on-removable-drives](includes/control-use-of-bitlocker-on-removable-drives.md)]
|
||||
[!INCLUDE [deny-write-access-to-removable-drives-not-protected-by-bitlocker](includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md)]
|
||||
[!INCLUDE [enforce-drive-encryption-type-on-removable-data-drives](includes/enforce-drive-encryption-type-on-removable-data-drives.md)]
|
||||
[!INCLUDE [removable-drives-excluded-from-encryption](includes/removable-drives-excluded-from-encryption.md)]
|
||||
|
||||
---
|
||||
|
||||
## BitLocker and policy settings compliance
|
||||
|
||||
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
|
||||
|
||||
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended by using the [`manage-bde.exe`](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
|
||||
|
||||
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [`manage-bde.exe`](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
|
||||
@ -27,12 +27,8 @@ items:
|
||||
href: preboot-recovery-screen.md
|
||||
- name: BitLocker repair tool
|
||||
href: recovery-guide-repair-tool.md
|
||||
- name: Reference
|
||||
items:
|
||||
- name: BitLocker policy settings
|
||||
href: policy-settings.md
|
||||
- name: BCD settings
|
||||
href: bcd-settings-and-bitlocker.md
|
||||
- name: BCD settings
|
||||
href: bcd-settings-and-bitlocker.md
|
||||
- name: Frequently asked questions (FAQ)
|
||||
href: faq.yml
|
||||
- name: Troubleshooting
|
||||
|
||||
Reference in New Issue
Block a user