From cf1019b14823a4a57485923fe6abdd4d4e23bba6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 14 Aug 2017 22:05:59 +0000 Subject: [PATCH] Merged PR 2714: BitLocker CSP updated with ADMX-backed policies information --- .../client-management/mdm/bitlocker-csp.md | 303 ++++++++++++++++-- ...ew-in-windows-mdm-enrollment-management.md | 7 +- .../policy-configuration-service-provider.md | 26 +- .../mdm/policy-csp-bitlocker.md | 30 +- 4 files changed, 330 insertions(+), 36 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82a438d517..979c1f9105 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/06/2017 +ms.date: 08/14/2017 --- # BitLocker CSP @@ -91,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

-**EncryptionMethodByDriveType** -

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).

+**EncryptionMethodByDriveType** +

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

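Review bot: the rewritten description line keeps the typo "encrytion" ("Allows you to set the default encrytion method for each of the different drive types"); since the line is replaced anyway, correct it to "encryption". The same line also drops "(Policy EncryptionMethodWithXts_Name)", yet the new "ADMX Info:" block below the edition table shows no entries in this hunk apart from the Tip, so the Group Policy name now appears nowhere for this node. Either list the policy name under ADMX Info or keep it in the sentence.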
@@ -140,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesRequireStartupAuthentication** -

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).

+

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

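Review bot: product-name casing is inconsistent within the replaced line: the new description reads "Bitlocker Group Policy" while the unchanged context in the same hunk reads "whether BitLocker requires additional authentication". Use "BitLocker Group Policy" on the new line. The removed "(ConfigureAdvancedStartup_Name )" also carried a stray space before its closing parenthesis; if the name is moved under "ADMX Info:" instead of being dropped, carry it over without the space.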
@@ -204,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesMinimumPINLength** -

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

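Review bot: "(GP MinimumPINLength_Name)" is removed from the description but does not reappear under the new "ADMX Info:" heading, which is empty in this hunk except for the Tip; an administrator who needs to find the matching policy in the ADMX templates loses the only identifier on the page. Populate ADMX Info with the policy name, or leave it in the sentence until the block has content.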
@@ -239,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryMessage**

This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

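Review bot: the description line "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name) is kept here as unchanged context, whereas the three nodes above have the parenthesised Group Policy name stripped from the equivalent line; the patch applies two conventions at once. Pick one for all eight nodes, preferably keeping the name somewhere, since ADMX-backed policies are identified by it. The context sentence "replace the existing URL that are displayed" also has a number-agreement slip ("that is displayed") worth fixing while this section is being edited.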
@@ -290,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryOptions**

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

@@ -357,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**FixedDrivesRecoveryOptions** -

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

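Review bot: the rewritten description line ends with empty parentheses, "...fixed drives can be recovered" (), because FDVRecoveryUsage_Name was removed but its brackets were left behind. Either delete the " ()" or restore the name inside it; and because the "ADMX Info:" block added below is empty in this hunk, the name currently survives nowhere for this node.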
@@ -427,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree **FixedDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

@@ -459,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree **RemovableDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

@@ -500,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowWarningForOtherDiskEncryption** + +

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

+ +

The following list shows the supported values:

+ +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

+ +``` syntax + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + + +``` ### SyncML example @@ -664,29 +929,3 @@ The following example is provided to show proper format and should not be taken ``` - -**AllowWarningForOtherDiskEncryption** - -

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

- -

The following list shows the supported values:

- -- 0 – Disables the warning prompt. -- 1 (default) – Warning prompt allowed. - -

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

- -``` syntax - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - -``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7d908c4910..b84fdaa3fa 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 08/14/2017 --- # What's new in MDM enrollment and management @@ -1364,6 +1364,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Provider/_ProviderID_/EnrollmentInfo
  • + +[BitLocker CSP](bitlocker-csp.md) +Added information to the ADMX-backed policies. + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    @@ -1394,6 +1398,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    +

    Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 23d468a09d..e8a815b1ca 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/04/2017 +ms.date: 08/14/2017 --- # Policy CSP @@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
    Bitlocker/EncryptionMethod
    +
    + BitLocker/EncryptionMethodByDriveType in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP +
    ### Bluetooth policies diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 70e825b78a..ea9430a79c 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -58,6 +58,33 @@ ms.date: 08/09/2017 - 6 - XTS-AES 128-bit (Desktop only) - 7 - XTS-AES 256-bit (Desktop only) +

    You can find the following policies in BitLocker CSP: +

    +
    + BitLocker/EncryptionMethodByDriveType +
    +
    + BitLocker/FixedDrivesRecoveryOptions +
    +
    + BitLocker/FixedDrivesRequireEncryption +
    +
    + BitLocker/RemovableDrivesRequireEncryption +
    +
    + BitLocker/SystemDrivesMinimumPINLength +
    +
    + BitLocker/SystemDrivesRecoveryMessage +
    +
    + BitLocker/SystemDrivesRecoveryOptions +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication +
    +

    @@ -68,5 +95,4 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - - + \ No newline at end of file
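Review bot: in the two bitlocker-csp.md hunks at @@ -500,6 +740,31 @@ and @@ -664,29 +929,3 @@, the AllowWarningForOtherDiskEncryption section is moved verbatim from the end of the file to just before "### SyncML example", but its wording moves with its ambiguity: "If you want to disable this policy use the following SyncML" introduces a sample that sets the node to 0, and per the value list 0 disables the warning prompt, not the policy. Suggest "To disable the warning prompt, use the following SyncML:" and "Set the value to 0 to disable the warning" in place of "Admin should set the value to 0", since the block is being rewritten into a new position anyway.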
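Review bot: in new-in-windows-mdm-enrollment-management.md at @@ -1364,6 +1364,10 @@, the changelog entry "[BitLocker CSP](bitlocker-csp.md) Added information to the ADMX-backed policies." is vaguer than the change it records; the bitlocker-csp.md hunks add a supported-editions table and an "ADMX Info:" block to eight nodes, EncryptionMethodByDriveType through SystemDrivesRequireStartupAuthentication. Say so, e.g. "Added supported-editions and ADMX Info sections to the ADMX-backed policy nodes", so readers of the changelog know what to look for. The second hunk in this file ("Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md)") is clear as written.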
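Review bot: in policy-configuration-service-provider.md at @@ -338,6 +338,30 @@, the eight entries inserted after "Bitlocker/EncryptionMethod" are nodes of a different CSP (the BitLocker CSP at ./Device/Vendor/MSFT/BitLocker/..., as the SyncML sample in bitlocker-csp.md shows) placed inside the Policy CSP's Bitlocker policy group. The "in BitLocker CSP" suffix helps, but a one-line lead-in like the one this patch adds to policy-csp-bitlocker.md ("You can find the following policies in BitLocker CSP:") would make the distinction explicit here too; note also that the casing differs between "Bitlocker/EncryptionMethod" and "BitLocker/...", which readers may take for a typo unless the lead-in explains that these are separate CSPs.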
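Review bot: in policy-csp-bitlocker.md at @@ -58,6 +58,33 @@, the new block "You can find the following policies in BitLocker CSP:" with its eight BitLocker/... items is inserted immediately after the EncryptionMethod value list ("- 6 - XTS-AES 128-bit (Desktop only)", "- 7 - XTS-AES 256-bit (Desktop only)") and before the Footnote, where it reads as a continuation of the EncryptionMethod node rather than a cross-reference for the whole page. Move it under its own subheading or after the footnotes, and make sure each item links to its anchor in bitlocker-csp.md (no links are visible in the hunk as rendered, while the counterpart list in policy-configuration-service-provider.md spells out "in BitLocker CSP" for each). The trailing @@ -68,5 +95,4 @@ hunk only removes a blank line and the missing end-of-file newline, which is fine.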