18 KiB
title, description, ms.topic, ms.date
| title | description | ms.topic | ms.date |
|---|---|---|---|
| Configure BitLocker | Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO). | how-to | 06/18/2024 |
Configure BitLocker
To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The BitLocker CSP is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in compliance policies, combining them with Conditional Access. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see Deploy BitLocker management
Note
Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the section BitLocker policy settings.
[!INCLUDE bitlocker]
BitLocker policy settings
This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
Important
Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
Policy settings list
The list of settings is sorted alphabetically and organized in four categories:
- Common settings: settings applicable to all BitLocker-protected drives
- Operating system drive: settings applicable to the drive where Windows is installed
- Fixed data drives: settings applicable to any local drives, except the operating system drive
- Removable data drives: settings applicable to any removable drives
Select one of the tabs to see the list of available settings:
:::image type="icon" source="images/locked-drive.svg"::: Common settings
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
[!INCLUDE allow-standard-user-encryption] [!INCLUDE choose-default-folder-for-recovery-password] [!INCLUDE choose-drive-encryption-method-and-cipher-strength] [!INCLUDE configure-recovery-password-rotation] [!INCLUDE disable-new-dma-devices-when-this-computer-is-locked] [!INCLUDE prevent-memory-overwrite-on-restart] [!INCLUDE provide-the-unique-identifiers-for-your-organization] [!INCLUDE require-device-encryption] [!INCLUDE validate-smart-card-certificate-usage-rule-compliance]
:::image type="icon" source="images/os-drive.svg"::: Operating system drive
[!INCLUDE allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin] [!INCLUDE allow-enhanced-pins-for-startup] [!INCLUDE allow-network-unlock-at-startup] [!INCLUDE allow-secure-boot-for-integrity-validation] [!INCLUDE allow-warning-for-other-disk-encryption] [!INCLUDE choose-how-bitlocker-protected-operating-system-drives-can-be-recovered] [!INCLUDE configure-minimum-pin-length-for-startup] [!INCLUDE configure-pre-boot-recovery-message-and-url] [!INCLUDE configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations] [!INCLUDE configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations] [!INCLUDE configure-use-of-hardware-based-encryption-for-operating-system-drives] [!INCLUDE configure-use-of-passwords-for-operating-system-drives] [!INCLUDE disallow-standard-users-from-changing-the-pin-or-password] [!INCLUDE enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates] [!INCLUDE enforce-drive-encryption-type-on-operating-system-drives] [!INCLUDE require-additional-authentication-at-startup] [!INCLUDE reset-platform-validation-data-after-bitlocker-recovery] [!INCLUDE use-enhanced-boot-configuration-data-validation-profile]
:::image type="icon" source="images/unlocked-drive.svg"::: Fixed data drives
[!INCLUDE choose-how-bitlocker-protected-fixed-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-fixed-data-drives] [!INCLUDE configure-use-of-passwords-for-fixed-data-drives] [!INCLUDE configure-use-of-smart-cards-on-fixed-data-drives] [!INCLUDE deny-write-access-to-fixed-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-fixed-data-drives]
:::image type="icon" source="images/unlocked-drive.svg"::: Removable data drives
[!INCLUDE choose-how-bitlocker-protected-removable-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-removable-data-drives] [!INCLUDE configure-use-of-passwords-for-removable-data-drives] [!INCLUDE configure-use-of-smart-cards-on-removable-data-drives] [!INCLUDE control-use-of-bitlocker-on-removable-drives] [!INCLUDE deny-write-access-to-removable-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-removable-data-drives] [!INCLUDE removable-drives-excluded-from-encryption]
BitLocker and policy settings compliance
If a device isn't compliant with the configured policy settings, BitLocker might not be turned on, or BitLocker configuration might be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection might need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker might need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.
To learn more how to manage BitLocker, review the BitLocker operations guide.
Configure and manage servers
Servers are often deployed, configured, and managed using PowerShell. The recommendation is to use group policy settings to configure BitLocker on servers, and to manage BitLocker using PowerShell.
BitLocker is an optional component in Windows Server. Follow the directions in Install BitLocker on Windows Server to add the BitLocker optional component.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a Server Core installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in Using Features on Demand with Updated Systems and Patched Images and How to update local source media to add roles and features. If a server is installed manually, then choosing Server with Desktop Experience is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see Network Unlock.
Next steps
[!div class="nextstepaction"] Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.