diff --git a/windows/keep-secure/bcd-settings-and-bitlocker.md b/windows/keep-secure/bcd-settings-and-bitlocker.md index 66ca07b626..ccd9afd831 100644 --- a/windows/keep-secure/bcd-settings-and-bitlocker.md +++ b/windows/keep-secure/bcd-settings-and-bitlocker.md @@ -131,7 +131,6 @@ This following is a full list of BCD settings with friendly names which are igno | 0x15000052 | all| graphicsresolution| | 0x15000065 | all| displaymessage| | 0x15000066| all| displaymessageoverride| -| 0x15000081 | all| logcontrol| | 0x16000009 | all| recoveryenabled| | 0x1600000b | all| badmemoryaccess| | 0x1600000f | all| traditionalkseg| diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 26cadf522b..c0112dcf47 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,6 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. +- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -85,6 +86,55 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN + +This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Policy description

With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support InstantGo or HSTI, while requiring PIN on older devices.

Introduced

Windows 10, version 1703

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. + +

When enabled

Users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

When disabled or not configured

The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.

+  +**Reference** + +The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support InstantGo. +But visually impaired users have no audible way to know when to enter a PIN. +This setting enables an exception to the PIN-required policy on secure hardware. + ### Allow network unlock at startup This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.