deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 03:13:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

policies

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-09-25 09:25:42 -04:00
parent dfb536f63b
commit d07bbb3b3e
6 changed files with 78 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
windows/security/operating-system-security/data-protection/bitlocker/includes/allow-network-unlock-at-startup.md
View File

@ -7,7 +7,18 @@ ms.topic: include
### Allow network unlock at startup
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
This policy setting controls whether a BitLocker-protected device that is connected to a trusted wired Local Area Network (LAN) can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, devices configured with a *BitLocker Network Unlock certificate* will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer.
The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock.
If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors.
> [!NOTE]
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
| | Path |
|--|--|

6
windows/security/operating-system-security/data-protection/bitlocker/includes/allow-standard-user-encryption.md
View File

@ -7,6 +7,12 @@ ms.topic: include
### Allow Standard User Encryption
With this policy you can enforce the *RequireDeviceEncryption* policy for scenarios where policy is pushed while current logged-on user is non-admin/standard user.
*AllowStandardUserEncryption* policy is tied to [Allow warning for other disk encryption](#allow-warning-for-other-disk-encryption) policy being disabled (value `0`).
If *AllowWarningForOtherDiskEncryption* isn't set, or is set to `1`, *RequireDeviceEncryption* policy doesn't try to encrypt drive(s) if a standard user is logged-on.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|

4
windows/security/operating-system-security/data-protection/bitlocker/includes/allow-suspension-of-bitlocker-protection.md
View File

@ -7,6 +7,10 @@ ms.topic: include
### Allow suspension of BitLocker protection
When enabled, this policy allows suspending BitLocker protection. When disabled, it prevents suspending BitLocker protection.
The default value is *enabled*.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|

14
windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md
View File

@ -7,6 +7,20 @@ ms.topic: include
### Configure recovery password rotation
With this policy you can configure a numeric recovery password rotation upon use for OS and fixed drives on Microsoft Entra joined and Microsoft Entra hybrid joined devices.
Possible values are:
- `0`: numeric recovery password rotation is turned off
- `1`: numeric recovery password rotation upon use is *on* for Microsoft Entra joined devices joined devices. This is also the default value
- `2`: numeric recovery password rotation upon use is *on* for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices
> [!NOTE]
> The Policy is effective only when Micropsoft Entra ID or Active Directory back up for recovery password is configured to *required*
>
> - For OS drive: enable "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"
> - For Fixed drives: enable "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[ConfigureRecoveryPasswordRotation](/windows/client-management/mdm/bitlocker-csp#configurerecoverypasswordrotation)|

43
windows/security/operating-system-security/data-protection/bitlocker/includes/require-additional-authentication-at-startup.md
View File

@ -7,7 +7,48 @@ ms.topic: include
### Require additional authentication at startup
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
This policy configures whether BitLocker requires additional authentication each time the device starts.
If you enable this policy, users can configure advanced startup options in the BitLocker setup wizard.\
If you disable or don't configure this policy setting, users can configure only basic options on computers with a TPM.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a device without a TPM, select the option **Allow BitLocker without a compatible TPM**. In this mode, either a password or a USB drive is required for startup.\
When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
- TPM only
- a USB flash drive containing a startup key
- a PIN (6-digit to 20-digit)
- PIN + USB flash drive
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard.
There are four options for TPM-enabled devices:
- Configure TPM startup
- Allow TPM
- Require TPM
- Do not allow TPM
- Configure TPM startup PIN
- Allow startup PIN with TPM
- Require startup PIN with TPM
- Do not allow startup PIN with TPM
- Configure TPM startup key
- Allow startup key with TPM
- Require startup key with TPM
- Do not allow startup key with TPM
- Configure TPM startup key and PIN
- Allow TPM startup key with PIN
- Require startup key and PIN with TPM
- Do not allow TPM startup key with PIN
| | Path |
|--|--|