moving to includes

This commit is contained in:
Paolo Matarazzo 2023-09-24 08:03:07 -04:00
parent 059a8986cf
commit f5696fda5d
5 changed files with 62 additions and 87 deletions

View File

@ -496,37 +496,6 @@ The options for choosing property settings that control how users can configure
- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. - **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
### Choose drive encryption method and cipher strength
This policy setting is used to control the encryption method and cipher strength.
| Item | Info |
|:---|:---|
|**Policy description**|With this policy setting, it can be controlled the encryption method and strength for drives.|
|**Introduced**|Windows Server 2012 and Windows 8|
|**Drive type**|All drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
|**Conflicts**|None|
|**When enabled**|An encryption algorithm and key cipher strength for BitLocker can be chosen to use to encrypt drives.|
|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
#### Reference: Choose drive encryption method and cipher strength
The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
If this setting is enabled, it can be configured an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
- For fixed and operating system drives, it's recommended to use the XTS-AES algorithm.
- For removable drives, AES-CBC 128-bit or AES-CBC 256-bit should be used if the drive will be used in other devices that aren't running Windows 10, version 1511 or later.
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
> [!WARNING]
> This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
### Configure use of hardware-based encryption for fixed data drives ### Configure use of hardware-based encryption for fixed data drives
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
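Review bot: two statements in the removed reference block (the bullet on removable drives and the "Changing the encryption method has no effect..." sentence) have no counterpart in the text this commit adds elsewhere. The WARNING about encrypted drives is re-added in the policy settings article, but the guidance to use AES-CBC 128-bit or 256-bit for removable drives that will be used on devices older than Windows 10, version 1511, and the note that the setting is ignored for a drive that is already encrypted or mid-encryption, are simply dropped. Either confirm both already appear under the article's "Recommended settings" or carry them over next to the re-added warning, since the removable-drive interoperability point is the one an administrator is most likely to get wrong.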
@ -772,27 +741,6 @@ TPM initialization might be needed during the BitLocker setup. Enable the **Turn
For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings).
### Choose default folder for recovery password
This policy setting is used to configure the default folder for recovery passwords.
| Item | Info |
|:---|:---|
|**Policy description**|With this policy setting, the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password can be specified.|
|**Introduced**|Windows Vista|
|**Drive type**|All drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
|**Conflicts**|None|
|**When enabled**|The path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder can be specified. A fully qualified path can be specified. The target computer's environment variables can also be included in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
|**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.|
#### Reference: Choose default folder for recovery password
This policy setting is applied when BitLocker is turned on.
> [!NOTE]
> This policy setting doesn't prevent the user from saving the recovery password in another folder.
### Choose how BitLocker-protected fixed drives can be recovered ### Choose how BitLocker-protected fixed drives can be recovered
This policy setting is used to configure recovery methods for fixed data drives. This policy setting is used to configure recovery methods for fixed data drives.
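Review bot: the removed table and reference carry three facts the replacement include in this commit does not: the **Introduced** row (Windows Vista), the **Drive type** row (All drives), and the sentence "This policy setting is applied when BitLocker is turned on." The include keeps only the description, the NOTE, and the GPO path. Dropping the Introduced and Drive type rows may be intentional for the new layout, but the "applied when BitLocker is turned on" behaviour should survive, at least as one line before the path table.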

View File

@ -0,0 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/24/2023
ms.topic: include
---
### Allow Standard User Encryption
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
| **GPO** | Not available |
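Review bot: the include has a heading and a path table but no sentence describing what **AllowStandardUserEncryption** does, unlike the "Choose default folder for recovery password" include in this same commit, which opens with a description before its table. Because the table's only content is the CSP path and "Not available" for GPO, a reader of the assembled article sees the setting name and nothing else; add a one-line description, with the linked CSP reference as the source to draw from.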

View File

@ -0,0 +1,13 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/24/2023
ms.topic: include
---
### Allow suspension of BitLocker protection
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|
| **GPO** | Not available |
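Review bot: same gap as the standard-user-encryption include: no description text for **AllowSuspensionOfBitLockerProtection** precedes the path table. Separately, the heading here is sentence case ("Allow suspension of BitLocker protection") where the section it replaces in the article was title case ("Allow Suspension Of BitLocker Protection"). The generated anchor is identical, so existing links keep working, but any summary-table link text that still uses the title-case form should be aligned with this heading.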

View File

@ -0,0 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/24/2023
ms.topic: include
---
### Choose default folder for recovery password
Specify the default path that is displayed when the *BitLocker Drive Encryption setup wizard* prompts the user to enter the location of a folder in which to save the recovery password. You can specify either a fully qualified path or include the target computer's environment variables in the path:
- If the path is not valid, the BitLocker setup wizard will display the computer's top-level folder view
- If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level folder view when the user chooses the option to save the recovery password in a folder
> [!NOTE]
> This policy setting does not prevent the user from saving the recovery password in another folder.
| | Path |
|--|--|
| **CSP** | Not available |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
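Review bot: the description refers to the *BitLocker Drive Encryption setup wizard* in its first sentence and then to "the BitLocker setup wizard" in both bullets; pick one name and use it throughout the include. The two bullets also end without punctuation while the sentence above and the NOTE are full sentences; either make the bullets sentence fragments consistently or close them with periods.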

View File

@ -1,22 +1,22 @@
--- ---
title: BitLocker settings title: BitLocker policy settings
description: Learn about the available settings to configure BitLocker. description: Learn about the policy settings to configure BitLocker.
ms.collection: ms.collection:
- tier1 - tier1
ms.topic: reference ms.topic: reference
ms.date: 09/19/2023 ms.date: 09/19/2023
--- ---
# BitLocker settings list # BitLocker policy settings
This reference article describes the available settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO). This reference article describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
The list of settings is sorted alphabetically and organized in four tabs: The list of settings is sorted alphabetically and organized in four tabs:
- **Common settings** lists the settings that apply to all BitLocker-protected drives - **Common settings**: settings applicable to all BitLocker-protected drives
- **Operating system drive** lists the settings applicable to the drive where Windows is installed - **Operating system drive**: settings applicable to the drive where Windows is installed
- **Fixed data drives** lists the settings applicable to any local drives, except the operating system drive - **Fixed data drives**: settings applicable to any local drives, except the operating system drive
- **Removable data drives** lists the settings applicable to any removable drives - **Removable data drives**: settings applicable to any removable drives
> [!IMPORTANT] > [!IMPORTANT]
> Most of the BitLocker settings are applied when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change. > Most of the BitLocker settings are applied when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
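Review bot: ms.date stays at 09/19/2023 while the title, description, H1 and intro bullets all change in this hunk, and the new include files in this commit are dated 09/24/2023; bump the article's ms.date to 09/24/2023 so the page's freshness metadata matches the content change.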
@ -37,34 +37,11 @@ The following table lists the BitLocker policies applicable to all drive types,
|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅| |[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅| |[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
### Allow Standard User Encryption [!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
| | Path | [!INCLUDE [allow-suspension-of-bitlocker-protection](includes/allow-suspension-of-bitlocker-protection.md)]
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
| **GPO** | Not available |
### Allow Suspension Of BitLocker Protection [!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|
| **GPO** | Not available |
### Choose default folder for recovery password
Specify the default path that is displayed when the *BitLocker Drive Encryption setup wizard* prompts the user to enter the location of a folder in which to save the recovery password. You can specify either a fully qualified path or include the target computer's environment variables in the path:
- If the path is not valid, the BitLocker setup wizard will display the computer's top-level folder view
- If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level folder view when the user chooses the option to save the recovery password in a folder
> [!NOTE]
> This policy setting does not prevent the user from saving the recovery password in another folder.
| | Path |
|--|--|
| **CSP** | Not available |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
### Choose drive encryption method and cipher strength ### Choose drive encryption method and cipher strength
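Review bot: the three `[!INCLUDE]` lines replace headings that the summary table at the top of this hunk (the context rows linking to `#provide-the-unique-identifiers-for-your-organization` and similar anchors) resolves by heading anchor. Verify in the built page that the anchors for the three settings now sourced from `includes/` still resolve after include expansion, and that the table's link text for "Allow suspension of BitLocker protection" matches the new sentence-case heading rather than the old title-case one.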
@ -76,6 +53,9 @@ Recommended settings:
If you disable or do not configure this policy setting, BitLocker uses the default encryption method of XTS-AES 128-bit. If you disable or do not configure this policy setting, BitLocker uses the default encryption method of XTS-AES 128-bit.
> [!WARNING]
> This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[EncryptionMethodByDriveType](/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype)| | **CSP** | `./Device/Vendor/MSFT/BitLocker/`[EncryptionMethodByDriveType](/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype)|
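Review bot: the added WARNING uses "encrypted drives" in the sense the "Configure use of hardware-based encryption" setting uses it (drives with their own hardware encryption), but placed directly after the sentence about the XTS-AES 128-bit default, in an article about BitLocker, the phrase reads as "BitLocker-encrypted drives" and looks self-contradictory. Say "drives that use hardware-based encryption" or similar in the first sentence of the warning and link to that setting's section.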
@ -85,7 +65,7 @@ If you disable or do not configure this policy setting, BitLocker uses the defau
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowWarningForOtherDiskEncryption](/windows/client-management/mdm/bitlocker-csp#configurerecoverypasswordrotation)| | **CSP** | `./Device/Vendor/MSFT/BitLocker/`[ConfigureRecoveryPasswordRotation](/windows/client-management/mdm/bitlocker-csp#configurerecoverypasswordrotation)|
| **GPO** | Not available | | **GPO** | Not available |
### Disable new DMA devices when this computer is locked ### Disable new DMA devices when this computer is locked
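Review bot: the corrected link text now matches the anchor (`#configurerecoverypasswordrotation`), which the old line already pointed to, so the error was display-only. Since the wrong name suggests a copy-paste between two rows, also check that the **AllowWarningForOtherDiskEncryption** setting still has its own path table elsewhere in the article, pointing at its own anchor, and that nothing else in the page still shows the swapped name.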