14 KiB
title, description, ms.collection, ms.topic, ms.date
| title | description | ms.collection | ms.topic | ms.date | |
|---|---|---|---|---|---|
| BitLocker policy settings | Learn about the policy settings to configure BitLocker |
|
reference | 09/29/2023 |
BitLocker policy settings
This reference article describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
Important
Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
Policy settings list
The list of settings is sorted alphabetically and organized in four categories:
- Common settings: settings applicable to all BitLocker-protected drives
- Operating system drive: settings applicable to the drive where Windows is installed
- Fixed data drives: settings applicable to any local drives, except the operating system drive
- Removable data drives: settings applicable to any removable drives
Select one of the tabs to see the list of available settings:
:::image type="icon" source="images/locked-drive.svg"::: Common settings
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
[!INCLUDE allow-standard-user-encryption] [!INCLUDE allow-suspension-of-bitlocker-protection] [!INCLUDE choose-default-folder-for-recovery-password] [!INCLUDE choose-drive-encryption-method-and-cipher-strength] [!INCLUDE configure-recovery-password-rotation] [!INCLUDE disable-new-dma-devices-when-this-computer-is-locked] [!INCLUDE prevent-memory-overwrite-on-restart] [!INCLUDE provide-the-unique-identifiers-for-your-organization] [!INCLUDE validate-smart-card-certificate-usage-rule-compliance]
:::image type="icon" source="images/os-drive.svg"::: Operating system drive
[!INCLUDE allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin] [!INCLUDE allow-enhanced-pins-for-startup] [!INCLUDE allow-network-unlock-at-startup] [!INCLUDE allow-secure-boot-for-integrity-validation] [!INCLUDE allow-warning-for-other-disk-encryption] [!INCLUDE choose-how-bitlocker-protected-operating-system-drives-can-be-recovered] [!INCLUDE configure-minimum-pin-length-for-startup] [!INCLUDE configure-pre-boot-recovery-message-and-url] [!INCLUDE configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations] [!INCLUDE configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations] [!INCLUDE configure-use-of-hardware-based-encryption-for-operating-system-drives] [!INCLUDE configure-use-of-passwords-for-operating-system-drives] [!INCLUDE disallow-standard-users-from-changing-the-pin-or-password] [!INCLUDE enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates] [!INCLUDE enforce-drive-encryption-type-on-operating-system-drives] [!INCLUDE require-additional-authentication-at-startup] [!INCLUDE require-device-encryption] [!INCLUDE reset-platform-validation-data-after-bitlocker-recovery] [!INCLUDE use-enhanced-boot-configuration-data-validation-profile]
:::image type="icon" source="images/unlocked-drive.svg"::: Fixed data drives
[!INCLUDE choose-how-bitlocker-protected-fixed-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-fixed-data-drives] [!INCLUDE configure-use-of-passwords-for-fixed-data-drives] [!INCLUDE configure-use-of-smart-cards-on-fixed-data-drives] [!INCLUDE deny-write-access-to-fixed-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-fixed-data-drives]
:::image type="icon" source="images/unlocked-drive.svg"::: Removable data drives
[!INCLUDE choose-how-bitlocker-protected-removable-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-removable-data-drives] [!INCLUDE configure-use-of-passwords-for-removable-data-drives] [!INCLUDE configure-use-of-smart-cards-on-removable-data-drives] [!INCLUDE control-use-of-bitlocker-on-removable-drives] [!INCLUDE deny-write-access-to-removable-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-removable-data-drives] [!INCLUDE removable-drives-excluded-from-encryption]
BitLocker and policies compliance
If a device isn't compliant with the configured policies, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in policy settings.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password but then policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the manage-bde command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The manage-bde command-line can also be used in this scenario to help bring the device into compliance.