deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

added new setting

Browse Source
This commit is contained in:
Justinha 2017-04-12 16:30:25 -07:00
parent d061ff4613
commit c52326b443
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
windows/keep-secure/bitlocker-group-policy-settings.md
View File

@ -37,6 +37,7 @@ The following policy settings can be used to determine how a BitLocker-protected
- [Require additional authentication at startup](#bkmk-unlockpol1)
- [Allow enhanced PINs for startup](#bkmk-unlockpol2)
- [Configure minimum PIN length for startup](#bkmk-unlockpol3)
- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
- [Configure use of passwords for operating system drives](#bkmk-ospw)
- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
@ -355,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
### Disable new DMA devices when this computer is locked
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
| | |
|--------------------|----------------------|
| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
| Introduced | Windows 10, version 1703 |
| Drive type | Operating system drives |
| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
| Conflicts | None |
| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
**Reference**
This policy setting is only enforced when BitLocker or device encyption is enabled.
### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.