mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
test
This commit is contained in:
Paolo Matarazzo
@ -29,10 +29,10 @@ The list of settings is sorted alphabetically and organized in four tabs:
|
||||
|
||||
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|Policy name| **CSP** | GPO |
|
||||
|-|-|-|
|
||||
|[[Allow Standard User Encryption](#allow-standard-user-encryption)]|✅|❌|
|
||||
|[[Allow Suspension Of BitLocker Protection](#allow-suspension-of-bitlocker-protection)]|✅|❌|
|
||||
|[Allow Standard User Encryption](#allow-standard-user-encryption)|✅|❌|
|
||||
|[Allow Suspension Of BitLocker Protection](#allow-suspension-of-bitlocker-protection)|✅|❌|
|
||||
|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
|
||||
|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
|
||||
|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
|
||||
@ -42,17 +42,17 @@ The following table lists the BitLocker policies applicable to all drive types,
|
||||
|
||||
### Allow Standard User Encryption
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | ./Device/Vendor/MSFT/BitLocker/[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
|
||||
| Group policy | Not available |
|
||||
| **CSP** | `./Device/Vendor/MSFT/BitLocker/[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)`|
|
||||
| **GPO** | Not available |
|
||||
|
||||
### Allow Suspension Of BitLocker Protection
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | ./Device/Vendor/MSFT/BitLocker/[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection) |
|
||||
| Group policy | Not available |
|
||||
| **CSP** | `./Device/Vendor/MSFT/BitLocker/[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)`|
|
||||
| **GPO** | Not available |
|
||||
|
||||
### Choose default folder for recovery password
|
||||
|
||||
@ -64,10 +64,10 @@ Specify the default path that is displayed when the *BitLocker Drive Encryption
|
||||
> [!NOTE]
|
||||
> This policy setting does not prevent the user from saving the recovery password in another folder.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
### Choose drive encryption method and cipher strength
|
||||
|
||||
@ -82,46 +82,46 @@ Recommended settings:
|
||||
|
||||
If you disable or do not configure this policy setting, BitLocker uses the default encryption method of XTS-AES 128-bit.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
### Disable new DMA devices when this computer is locked
|
||||
This policy setting allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host Thunderbolt PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug Thunderbolt PCI ports with no children devices, until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated. This policy setting is only enforced when BitLocker or device encryption is enabled. Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices before exposing the new devices to Windows.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
### Prevent memory overwrite on restart
|
||||
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets. If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
### Provide the unique identifiers for your organization
|
||||
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe. If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. If you disable or do not configure this policy setting, the identification field is not required. Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
### Validate smart card certificate usage rule compliance
|
||||
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default object identifier is 1.3.6.1.4.1.311.67.1.1 Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker. If you enable this policy setting, the object identifier specified in the "Object identifier" box must match the object identifier in the smart card certificate. If you disable or do not configure this policy setting, a default object identifier is used.
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
|
||||
|
||||
#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|Policy name| **CSP** | GPO |
|
||||
|-|-|-|
|
||||
|Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN|||
|
||||
|[Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)|||
|
||||
@ -143,126 +143,126 @@ This policy setting allows you to associate an object identifier from a smart ca
|
||||
|
||||
### Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Allow enhanced PINs for startup
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Allow network unlock at startup
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Allow Secure Boot for integrity validation
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Choose how BitLocker-protected operating system drives can be recovered
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure minimum PIN length for startup
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure pre-boot recovery message and URL
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure TPM platform validation profile for BIOS-based firmware configurations
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure TPM platform validation profile for native UEFI firmware configurations
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure use of hardware-based encryption for operating system drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Configure use of passwords for operating system drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Disallow standard users from changing the PIN or password
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Enable use of BitLocker authentication requiring preboot keyboard input on slates
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Enforce drive encryption type on operating system drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Require additional authentication at startup
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Reset platform validation data after BitLocker recovery
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
### Use enhanced Boot Configuration Data validation profile
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating Sytem Drives** |
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Fixed data drives**](#tab/fixed)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|Policy name| **CSP** | GPO |
|
||||
|-|-|-|
|
||||
|Choose how BitLocker-protected fixed drives can be recovered|||
|
||||
|Configure use of hardware-based encryption for fixed data drives|||
|
||||
@ -274,49 +274,49 @@ This policy setting allows you to associate an object identifier from a smart ca
|
||||
|
||||
### Choose how BitLocker-protected fixed drives can be recovered
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
### Configure use of hardware-based encryption for fixed data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
### Configure use of passwords for fixed data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
### Configure use of smart cards on fixed data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
### Deny write access to fixed drives not protected by BitLocker
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
### Enforce drive encryption type on fixed data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
|
||||
|
||||
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Removable data drives**](#tab/removable)
|
||||
|
||||
|Policy name| CSP | GPO |
|
||||
|Policy name| **CSP** | GPO |
|
||||
|-|-|-|
|
||||
|Choose how BitLocker-protected removable drives can be recovered|||
|
||||
|Configure use of hardware-based encryption for removable data drives|||
|
||||
@ -328,52 +328,52 @@ This policy setting allows you to associate an object identifier from a smart ca
|
||||
|
||||
### Choose how BitLocker-protected removable drives can be recovered
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Configure use of hardware-based encryption for removable data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Configure use of passwords for removable data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Configure use of smart cards on removable data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Control use of BitLocker on removable drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Deny write access to removable drives not protected by BitLocker
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
### Enforce drive encryption type on removable data drives
|
||||
|
||||
| Configuration tool | Path |
|
||||
| | Path |
|
||||
|--|--|
|
||||
| CSP | Not available |
|
||||
| Group policy | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user