This commit is contained in:
Paolo Matarazzo
2023-09-25 09:25:42 -04:00
parent dfb536f63b
commit d07bbb3b3e
6 changed files with 78 additions and 74 deletions

View File

@ -23,78 +23,6 @@ In other scenarios, to bring the drive into compliance with a change in Group Po
The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
This setting enables an exception to the PIN-required policy on secure hardware.
### Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
| Item | Info |
|:---|:---|
|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
|**Introduced**|Windows Server 2012 and Windows 8|
|**Drive type**|Operating system drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
|**Conflicts**|None|
|**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
|**When disabled or not configured**|Clients can't create and use Network Key Protectors.|
#### Reference: Allow network unlock at startup
To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
> [!NOTE]
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
### Require additional authentication at startup
This policy setting is used to control which unlock options are available for operating system drives.
| Item | Info |
|:---|:---|
|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.|
|**Introduced**|Windows Server 2008 R2 and Windows 7|
|**Drive type**|Operating system drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
|**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
|**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.|
|**When disabled or not configured**|Users can configure only basic options on computers with a TPM. <br><br>Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
#### Reference: Require additional authentication at startup
If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
- Only the TPM
- Insertion of a USB flash drive containing the startup key
- The entry of a 4-digit to 20-digit personal identification number (PIN)
- A combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
- Configure TPM startup
- Allow TPM
- Require TPM
- Do not allow TPM
- Configure TPM startup PIN
- Allow startup PIN with TPM
- Require startup PIN with TPM
- Do not allow startup PIN with TPM
- Configure TPM startup key
- Allow startup key with TPM
- Require startup key with TPM
- Do not allow startup key with TPM
- Configure TPM startup key and PIN
- Allow TPM startup key with PIN
- Require startup key and PIN with TPM
- Do not allow TPM startup key with PIN
### Allow enhanced PINs for startup
This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
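Review bot: the context line kept at the top of this hunk still links to `(#require-additional-authentication-at-startup)`, but the `### Require additional authentication at startup` heading it points to is deleted here together with `### Allow network unlock at startup`; confirm that the include replacing these sections renders the same heading text on the host page, otherwise the anchor dangles. Also note that the removed bullet list gives the PIN as "4-digit to 20-digit" while the old reference paragraph and the new include both say 6 to 20 digits; whichever minimum is correct should be used consistently across the page set.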

View File

@ -7,7 +7,18 @@ ms.topic: include
### Allow network unlock at startup
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
This policy setting controls whether a BitLocker-protected device that is connected to a trusted wired Local Area Network (LAN) can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, devices configured with a *BitLocker Network Unlock certificate* will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer.
The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock.
If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors.
> [!NOTE]
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
| | Path |
|--|--|
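Review bot: the rewritten first paragraph drops "and joined to a domain" from the policy description, yet the rest of the section still depends on a domain controller distributing the Network Unlock certificate through Group Policy; either keep the domain-join condition in the description or state it as an explicit prerequisite. Minor: the "For more information about Network Unlock feature" line lost its trailing period (and should read "the Network Unlock feature"), and the paragraphs mix "device" with "computer" and "don't" with "cannot"/"do not"; the other includes in this commit use "don't".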

View File

@ -7,6 +7,12 @@ ms.topic: include
### Allow Standard User Encryption
With this policy you can enforce the *RequireDeviceEncryption* policy for scenarios where policy is pushed while current logged-on user is non-admin/standard user.
*AllowStandardUserEncryption* policy is tied to [Allow warning for other disk encryption](#allow-warning-for-other-disk-encryption) policy being disabled (value `0`).
If *AllowWarningForOtherDiskEncryption* isn't set, or is set to `1`, *RequireDeviceEncryption* policy doesn't try to encrypt drive(s) if a standard user is logged-on.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
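Review bot: the link to `#allow-warning-for-other-disk-encryption` is a same-page anchor inside an include file, so it only resolves if every page that includes this snippet also renders that heading; verify the host page does. Wording: "while current logged-on user is non-admin/standard user" reads better as "while the currently logged-on user is a standard (non-administrator) user", and the second sentence should say "The *AllowStandardUserEncryption* policy is tied to ...".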

View File

@ -7,6 +7,10 @@ ms.topic: include
### Allow suspension of BitLocker protection
When enabled, this policy allows suspending BitLocker protection. When disabled, it prevents suspending BitLocker protection.
The default value is *enabled*.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|
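Review bot: "The default value is *enabled*" gives no numeric value, while the recovery password rotation include in this same commit spells out the CSP integer values and marks which one is the default; list the integer values here too so the CSP mapping is explicit. The two "When enabled ... When disabled ..." sentences could also collapse into one: "This policy controls whether BitLocker protection can be suspended."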

View File

@ -7,6 +7,20 @@ ms.topic: include
### Configure recovery password rotation
With this policy you can configure a numeric recovery password rotation upon use for OS and fixed drives on Microsoft Entra joined and Microsoft Entra hybrid joined devices.
Possible values are:
- `0`: numeric recovery password rotation is turned off
- `1`: numeric recovery password rotation upon use is *on* for Microsoft Entra joined devices joined devices. This is also the default value
- `2`: numeric recovery password rotation upon use is *on* for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices
> [!NOTE]
> The Policy is effective only when Micropsoft Entra ID or Active Directory back up for recovery password is configured to *required*
>
> - For OS drive: enable "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"
> - For Fixed drives: enable "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[ConfigureRecoveryPasswordRotation](/windows/client-management/mdm/bitlocker-csp#configurerecoverypasswordrotation)|
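Review bot: two typos in the added lines: the value `1` bullet reads "Microsoft Entra joined devices joined devices" (duplicated "joined devices"), and the note spells "Micropsoft". The note should also say "backup of the recovery password is configured as *required*" rather than "back up for recovery password is configured to *required*", and it lacks a terminal period. The parenthetical "This is also the default value" in the `1` bullet would be clearer as "(default)" directly after the value.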

View File

@ -7,7 +7,48 @@ ms.topic: include
### Require additional authentication at startup
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
This policy configures whether BitLocker requires additional authentication each time the device starts.
If you enable this policy, users can configure advanced startup options in the BitLocker setup wizard.\
If you disable or don't configure this policy setting, users can configure only basic options on computers with a TPM.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a device without a TPM, select the option **Allow BitLocker without a compatible TPM**. In this mode, either a password or a USB drive is required for startup.\
When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
- TPM only
- a USB flash drive containing a startup key
- a PIN (6-digit to 20-digit)
- PIN + USB flash drive
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard.
There are four options for TPM-enabled devices:
- Configure TPM startup
- Allow TPM
- Require TPM
- Do not allow TPM
- Configure TPM startup PIN
- Allow startup PIN with TPM
- Require startup PIN with TPM
- Do not allow startup PIN with TPM
- Configure TPM startup key
- Allow startup key with TPM
- Require startup key with TPM
- Do not allow startup key with TPM
- Configure TPM startup key and PIN
- Allow TPM startup key with PIN
- Require startup key and PIN with TPM
- Do not allow TPM startup key with PIN
| | Path |
|--|--|
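Review bot: under "Configure TPM startup key and PIN" the three options read "Allow TPM startup key with PIN", "Require startup key and PIN with TPM", "Do not allow TPM startup key with PIN", which does not follow the pattern of the three sibling groups ("Allow/Require/Do not allow ... with TPM"); check these against the actual policy UI strings and make the wording consistent. Minor: "the access to the drive is authenticated" should drop "the"; the startup-method bullets mix "TPM only" with lowercase "a USB flash drive ..." and "a PIN"; and the PIN range is given here as 6-digit while the list deleted in the first hunk said 4-digit, so confirm which minimum is intended before merging.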