|
|
|
|
@ -22,45 +22,6 @@ The Dictionary Attack Prevention Parameters provide a way to balance security ne
|
|
|
|
|
|
|
|
|
|
Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
|
|
|
|
|
|
|
|
|
|
### Configure use of smart cards on fixed data drives
|
|
|
|
|
|
|
|
|
|
This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.|
|
|
|
|
|
|**Drive type**|Fixed data drives|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
|
|
|
|
|
|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting may need to be modified to match the object identifier of the smart card certificates.|
|
|
|
|
|
|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on fixed data drives** check box.|
|
|
|
|
|
|**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.|
|
|
|
|
|
|**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Configure use of smart cards on fixed data drives
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
|
|
|
|
|
|
|
|
|
|
### Configure use of smart cards on removable data drives
|
|
|
|
|
|
|
|
|
|
This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.|
|
|
|
|
|
|**Drive type**|Removable data drives|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
|
|
|
|
|
|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > **Validate smart card certificate usage rule compliance** policy setting may also need to be modified to match the object identifier of the smart card certificates.|
|
|
|
|
|
|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on removable data drives** check box.|
|
|
|
|
|
|**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.|
|
|
|
|
|
|**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Configure use of smart cards on removable data drives
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Enable use of BitLocker authentication requiring preboot keyboard input on slates
|
|
|
|
|
|
|
|
|
|
@ -146,148 +107,6 @@ Conflict considerations include:
|
|
|
|
|
|
|
|
|
|
3. The **Provide the unique identifiers for your organization** policy setting must be enabled if Write access needs to be denied to drives that were configured in another organization.
|
|
|
|
|
|
|
|
|
|
### Control use of BitLocker on removable drives
|
|
|
|
|
|
|
|
|
|
This policy setting is used to prevent users from turning BitLocker on or off on removable data drives.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|With this policy setting, it can be controlled the use of BitLocker on removable data drives.|
|
|
|
|
|
|**Drive type**|Removable data drives|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|Property settings can be selected that control how users can configure BitLocker.|
|
|
|
|
|
|**When disabled**|Users can't use BitLocker on removable data drives.|
|
|
|
|
|
|**When not configured**|Users can use BitLocker on removable data drives.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Control use of BitLocker on removable drives
|
|
|
|
|
|
|
|
|
|
This policy setting is applied when BitLocker is turned on.
|
|
|
|
|
|
|
|
|
|
For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md).
|
|
|
|
|
|
|
|
|
|
The options for choosing property settings that control how users can configure BitLocker are:
|
|
|
|
|
|
|
|
|
|
- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive.
|
|
|
|
|
|
|
|
|
|
- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
|
|
|
|
|
|
|
|
|
|
### Configure use of hardware-based encryption for fixed data drives
|
|
|
|
|
|
|
|
|
|
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
|
|
|
|
|
|**Drive type**|Fixed data drives|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
|
|
|
|
|
|**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
|
|
|
|
|
|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Configure use of hardware-based encryption for fixed data drives
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
|
|
|
|
|
|
|
|
|
|
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
|
|
|
|
|
|
|
|
|
|
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
|
|
|
|
|
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
|
|
|
|
|
|
|
|
|
|
### Configure use of hardware-based encryption for removable data drives
|
|
|
|
|
|
|
|
|
|
This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on removable data drives and specifies which encryption algorithms it can use with hardware-based encryption.|
|
|
|
|
|
|**Drive type**|Removable data drive|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
|
|
|
|
|
|**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
|
|
|
|
|
|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Configure use of hardware-based encryption for removable data drives
|
|
|
|
|
|
|
|
|
|
If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
|
|
|
|
|
|
|
|
|
|
The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
|
|
|
|
|
|
|
|
|
|
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
|
|
|
|
|
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
|
|
|
|
|
|
|
|
|
|
### Enforce drive encryption type on fixed data drives
|
|
|
|
|
|
|
|
|
|
This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
|
|
|
|
|
|**Drive type**|Fixed data drive|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|
|
|
|
|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Enforce drive encryption type on fixed data drives
|
|
|
|
|
|
|
|
|
|
This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> This policy is ignored when a volume is being shrunk or expanded and the BitLocker drive uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
|
|
|
|
|
|
|
|
|
|
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
|
|
|
|
|
|
|
|
|
|
### Enforce drive encryption type on operating system drives
|
|
|
|
|
|
|
|
|
|
This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
|
|
|
|
|
|**Drive type**|Operating system drive|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|
|
|
|
|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Enforce drive encryption type on operating system drives
|
|
|
|
|
|
|
|
|
|
This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
|
|
|
|
|
|
|
|
|
|
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
|
|
|
|
|
|
|
|
|
|
### Enforce drive encryption type on removable data drives
|
|
|
|
|
|
|
|
|
|
This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
|
|
|
|
|
|
|
|
|
|
| Item | Info |
|
|
|
|
|
|:---|:---|
|
|
|
|
|
|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
|
|
|
|
|
|**Drive type**|Removable data drive|
|
|
|
|
|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
|
|
|
|
|
|**Conflicts**|None|
|
|
|
|
|
|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
|
|
|
|
|
|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
|
|
|
|
|
|
|
|
|
|
#### Reference: Enforce drive encryption type on removable data drives
|
|
|
|
|
|
|
|
|
|
This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
|
|
|
|
|
|
|
|
|
|
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
|
|
|
|
|
|
|
|
|
|
### Configure the pre-boot recovery message and URL
|
|
|
|
|
|
|
|
|
|
This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked.
|
|
|
|
|
|
Paolo Matarazzo