diff --git a/windows/security/operating-system-security/data-protection/bitlocker/_bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/_bitlocker-group-policy-settings.md index c959f82f70..5919039de6 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/_bitlocker-group-policy-settings.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/_bitlocker-group-policy-settings.md @@ -196,32 +196,6 @@ The encryption algorithm that is used by hardware-based encryption is set when t - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 -### Configure use of hardware-based encryption for operating system drives - -This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. - -| Item | Info | -|:---|:---| -|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on operating system drives and specifies which encryption algorithms it can use with hardware-based encryption.| -|**Drive type**|Operating system drives| -|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| -|**Conflicts**|None| -|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.| -|**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.| -|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.| - -#### Reference: Configure use of hardware-based encryption for operating system drives - -If hardware-based encryption isn't available, BitLocker software-based encryption is used instead. - -> [!NOTE] -> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. - -The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: - -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 - ### Configure use of hardware-based encryption for removable data drives This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md index 5d6f045ace..1bc81f6fb3 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md @@ -7,7 +7,20 @@ ms.topic: include ### Configure use of hardware-based encryption for fixed data drives -This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability. Note: The "Choose drive encryption method and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-based encryption" option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. + +If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. + +If you disable this policy setting, BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption will be used by default when the drive is encrypted. + +If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability. + +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. +> +> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: +> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2` +> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42` | | Path | |--|--| diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md index e6ff8195ac..3953f2ea74 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md @@ -7,7 +7,20 @@ ms.topic: include ### Configure use of hardware-based encryption for operating system drives -This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability. Note: The "Choose drive encryption method and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-based encryption" option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. + +If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. + +If you disable this policy setting, BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption will be used by default when the drive is encrypted. + +If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability. + +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. +> +> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: +> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2` +> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42` | | Path | |--|--| diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md index c3b2c7e211..f5bdae7129 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md @@ -7,7 +7,20 @@ ms.topic: include ### Configure use of hardware-based encryption for removable data drives -This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability. Note: The "Choose drive encryption method and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-based encryption" option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. + +If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. + +If you disable this policy setting, BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption will be used by default when the drive is encrypted. + +If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability. + +> [!NOTE] +> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. +> +> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: +> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2` +> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42` | | Path | |--|--| diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md index f607749354..d30a6a419a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md @@ -10,7 +10,7 @@ ms.topic: include This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length. > [!IMPORTANT] -> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. +> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md index 93fe756942..8f47128758 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md @@ -10,7 +10,7 @@ ms.topic: include This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements, and configure a minimum length. > [!IMPORTANT] -> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. +> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md index 2bb6d9760a..630784ad92 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md @@ -10,7 +10,7 @@ ms.topic: include This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length. > [!IMPORTANT] -> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. +> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**: