deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Replaced HTML entities in body text and code blocks

Browse Source 
These caused two broken instances of [!NOTE] and invalid XML in the code blocks.
This commit is contained in:
Gary Moore 2020-04-29 16:29:54 -07:00 committed by GitHub
parent e673cc5c10
commit e7e18f8c8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 84 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
windows/client-management/mdm/bitlocker-csp.md
View File

@ -159,7 +159,7 @@ If you want to disable this policy, use the following SyncML:
<!--Policy-->
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<!--Description-->
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
<!--/Description-->
<!--SupportedValues-->
<table>
@ -212,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
- 3 = AES-CBC 128
- 4 = AES-CBC 256
@ -234,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -244,7 +244,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;.
This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -286,7 +286,7 @@ This setting allows you to configure whether BitLocker requires additional authe
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@ -314,13 +314,13 @@ Data id:
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
The possible values for &#39;yy&#39; are:
The possible values for 'yy' are:
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
@ -339,7 +339,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -348,7 +348,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;.
This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -414,7 +414,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -424,7 +424,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot;
This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name).
<!--/Description-->
<!--SupportedSKUs-->
@ -465,11 +465,11 @@ ADMX Info:
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the value to &quot;1&quot; (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value &quot;1&quot; (Use default recovery message and URL).</o>
If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
If you set the value to &quot;2&quot; (Use custom recovery message), the message you set in the &quot;RecoveryMessage_Input&quot; data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the value to &quot;3&quot; (Use custom recovery URL), the URL you type in the &quot;RecoveryUrl_Input&quot; data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Sample value for this node to enable this policy is:
@ -477,7 +477,7 @@ Sample value for this node to enable this policy is:
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
- 0 = Empty
- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
@ -501,7 +501,7 @@ Disabling the policy will let the system choose the default behaviors. If you w
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -514,7 +514,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name).
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -553,18 +553,18 @@ ADMX Info:
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
The &quot;OSAllowDRA_Name&quot; (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In &quot;OSRecoveryPasswordUsageDropDown_Name&quot; and &quot;OSRecoveryKeyUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set &quot;OSHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set &quot;OSActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set &quot;2&quot; (Backup recovery password only), only the recovery password is stored in AD DS.
Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
Set the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
> [!Note]
> If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
> [!NOTE]
> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
@ -576,16 +576,16 @@ Sample value for this node to enable this policy is:
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
The possible values for &#39;yy&#39; are:
The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
The possible values for &#39;zz&#39; are:
The possible values for 'zz' are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
<!--/SupportedValues-->
@ -601,7 +601,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -611,7 +611,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; ().
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -650,19 +650,20 @@ ADMX Info:
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
The &quot;FDVAllowDRA_Name&quot; (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In &quot;FDVRecoveryPasswordUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set &quot;FDVHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set &quot;FDVActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the &quot;FDVActiveDirectoryBackupDropDown_Name&quot; (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select &quot;2&quot; (Backup recovery password only) only the recovery password is stored in AD DS.
Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
&gt; [!Note]<br/>&gt; If the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
> [!NOTE]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
@ -674,13 +675,13 @@ Sample value for this node to enable this policy is:
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
The possible values for &#39;yy&#39; are:
The possible values for 'yy' are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
@ -688,7 +689,7 @@ The possible values for &#39;yy&#39; are:
</ul>
The possible values for &#39;zz&#39; are:
The possible values for 'zz' are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
@ -706,7 +707,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -716,7 +717,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name).
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -775,7 +776,7 @@ If you disable or do not configure this setting, all fixed data drives on the co
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -785,7 +786,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name).
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -826,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the &quot;RDVCrossOrg&quot; (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer&#39;s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the &quot;Provide the unique identifiers for your organization&quot; group policy setting.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
&gt; [!Note]<br/>&gt; This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the &quot;Removable Disks: Deny write access&quot; group policy setting is enabled this policy setting will be ignored.
> [!NOTE]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
Sample value for this node to enable this policy is:
@ -838,7 +840,7 @@ Sample value for this node to enable this policy is:
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<!--SupportedValues-->
The possible values for &#39;xx&#39; are:
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
@ -856,7 +858,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
<Data><disabled/></Data>
</Item>
</Replace>
```
@ -1229,10 +1231,10 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt;
<enabled/>
<data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
<data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/>
<data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/>
</Data>
</Item>
</Replace>
@ -1244,12 +1246,12 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
<enabled/>
<data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/>
<data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/>
<data id="ConfigurePINUsageDropDown_Name" value="2"/>
<data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/>
<data id="ConfigureTPMUsageDropDown_Name" value="2"/>
</Data>
</Item>
</Replace>
@ -1261,8 +1263,8 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt;
<enabled/>
<data id="MinPINLength" value="6"/>
</Data>
</Item>
</Replace>
@ -1274,10 +1276,10 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt;
&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt;
<enabled/>
<data id="RecoveryMessage_Input" value="blablablabla"/>
<data id="PrebootRecoveryInfoDropDown_Name" value="2"/>
<data id="RecoveryUrl_Input" value="blablabla"/>
</Data>
</Item>
</Replace>
@ -1289,14 +1291,14 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
<enabled/>
<data id="OSAllowDRA_Name" value="true"/>
<data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/>
<data id="OSRecoveryKeyUsageDropDown_Name" value="2"/>
<data id="OSHideRecoveryPage_Name" value="true"/>
<data id="OSActiveDirectoryBackup_Name" value="true"/>
<data id="OSActiveDirectoryBackupDropDown_Name" value="2"/>
<data id="OSRequireActiveDirectoryBackup_Name" value="true"/>
</Data>
</Item>
</Replace>
@ -1308,14 +1310,14 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
<enabled/>
<data id="FDVAllowDRA_Name" value="true"/>
<data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/>
<data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/>
<data id="FDVHideRecoveryPage_Name" value="true"/>
<data id="FDVActiveDirectoryBackup_Name" value="true"/>
<data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/>
<data id="FDVRequireActiveDirectoryBackup_Name" value="true"/>
</Data>
</Item>
</Replace>
@ -1327,7 +1329,7 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
<enabled/>
</Data>
</Item>
</Replace>
@ -1339,8 +1341,8 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt;
<enabled/>
<data id="RDVCrossOrg" value="true"/>
</Data>
</Item>
</Replace>