12 KiB
title, description, ms.collection, ms.topic, ms.date
| title | description | ms.collection | ms.topic | ms.date | |
|---|---|---|---|---|---|
| BitLocker policy settings | Learn about the policy settings to configure BitLocker. |
|
reference | 09/19/2023 |
BitLocker policy settings
This reference article describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
The list of settings is sorted alphabetically and organized in four tabs:
- Common settings: settings applicable to all BitLocker-protected drives
- Operating system drive: settings applicable to the drive where Windows is installed
- Fixed data drives: settings applicable to any local drives, except the operating system drive
- Removable data drives: settings applicable to any removable drives
Important
Most of the BitLocker settings are applied when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
:::image type="icon" source="images/locked-drive.svg"::: Common settings
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
[!INCLUDE allow-standard-user-encryption] [!INCLUDE allow-suspension-of-bitlocker-protection] [!INCLUDE choose-default-folder-for-recovery-password] [!INCLUDE choose-drive-encryption-method-and-cipher-strength] [!INCLUDE configure-recovery-password-rotation] [!INCLUDE disable-new-dma-devices-when-this-computer-is-locked] [!INCLUDE prevent-memory-overwrite-on-restart] [!INCLUDE provide-the-unique-identifiers-for-your-organization] [!INCLUDE validate-smart-card-certificate-usage-rule-compliance]
:::image type="icon" source="images/os-drive.svg"::: Operating system drive
[!INCLUDE allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin] [!INCLUDE allow-enhanced-pins-for-startup] [!INCLUDE allow-network-unlock-at-startup] [!INCLUDE allow-secure-boot-for-integrity-validation] [!INCLUDE allow-warning-for-other-disk-encryption] [!INCLUDE choose-how-bitlocker-protected-operating-system-drives-can-be-recovered] [!INCLUDE configure-minimum-pin-length-for-startup] [!INCLUDE configure-pre-boot-recovery-message-and-url] [!INCLUDE configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations] [!INCLUDE configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations] [!INCLUDE configure-use-of-hardware-based-encryption-for-operating-system-drives] [!INCLUDE configure-use-of-passwords-for-operating-system-drives] [!INCLUDE disallow-standard-users-from-changing-the-pin-or-password] [!INCLUDE enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates] [!INCLUDE enforce-drive-encryption-type-on-operating-system-drives] [!INCLUDE require-additional-authentication-at-startup] [!INCLUDE require-device-encryption] [!INCLUDE reset-platform-validation-data-after-bitlocker-recovery] [!INCLUDE use-enhanced-boot-configuration-data-validation-profile]
:::image type="icon" source="images/unlocked-drive.svg"::: Fixed data drives
[!INCLUDE choose-how-bitlocker-protected-fixed-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-fixed-data-drives] [!INCLUDE configure-use-of-passwords-for-fixed-data-drives] [!INCLUDE configure-use-of-smart-cards-on-fixed-data-drives] [!INCLUDE deny-write-access-to-fixed-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-fixed-data-drives]
:::image type="icon" source="images/unlocked-drive.svg"::: Removable data drives
[!INCLUDE choose-how-bitlocker-protected-removable-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-removable-data-drives] [!INCLUDE configure-use-of-passwords-for-removable-data-drives] [!INCLUDE configure-use-of-smart-cards-on-removable-data-drives] [!INCLUDE control-use-of-bitlocker-on-removable-drives] [!INCLUDE deny-write-access-to-removable-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-removable-data-drives] [!INCLUDE removable-drives-excluded-from-encryption]