19 KiB
title, description, ms.topic, ms.date
| title | description | ms.topic | ms.date |
|---|---|---|---|
| Configure BitLocker | Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO). | how-to | 10/03/2023 |
Configure BitLocker
To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent
Note
Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the reference article BitLocker policy settings.
[!INCLUDE bitlocker]
Configure devices using CSP
The configuration of devices using CSP is a good option for devices that managed by an MDM solution, like Microsoft Intune. These are Microsoft Entra joined, Microsoft Entra registered or Microsoft Entra hybrid joined devices.
The BitLocker CSP is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in compliance polices, combining them with Conditional Access. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker.
Note
For hardware that is compliant with Modern Standby and HSTI, device encryption is automatically turned on whenever a user Microsoft Entra joins a device. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery keys for self-service, if necessary.
To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- Manage BitLocker policy for Windows devices with Intune
- Monitor device encryption with Intune
- Use compliance policies to set rules for devices you manage with Intune
Configure devices using GPO
To learn more about options to configure BitLocker via Microsoft Configuration Manager, see Deploy BitLocker management.
Tip
Organizations that image their device using Configuration Manager can use an existing task sequence to pre-provision BitLocker encryption while in Windows Preinstallation Environment (WinPE), and can then enable protection. These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, an organization could also decide to use Configuration Manager to pre-set any desired BitLocker policy settings.
BitLocker policy settings
This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
Important
Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
Policy settings list
The list of settings is sorted alphabetically and organized in four categories:
- Common settings: settings applicable to all BitLocker-protected drives
- Operating system drive: settings applicable to the drive where Windows is installed
- Fixed data drives: settings applicable to any local drives, except the operating system drive
- Removable data drives: settings applicable to any removable drives
Select one of the tabs to see the list of available settings:
:::image type="icon" source="images/locked-drive.svg"::: Common settings
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
[!INCLUDE allow-standard-user-encryption] [!INCLUDE choose-default-folder-for-recovery-password] [!INCLUDE choose-drive-encryption-method-and-cipher-strength] [!INCLUDE configure-recovery-password-rotation] [!INCLUDE disable-new-dma-devices-when-this-computer-is-locked] [!INCLUDE prevent-memory-overwrite-on-restart] [!INCLUDE provide-the-unique-identifiers-for-your-organization] [!INCLUDE require-device-encryption] [!INCLUDE validate-smart-card-certificate-usage-rule-compliance]
:::image type="icon" source="images/os-drive.svg"::: Operating system drive
[!INCLUDE allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin] [!INCLUDE allow-enhanced-pins-for-startup] [!INCLUDE allow-network-unlock-at-startup] [!INCLUDE allow-secure-boot-for-integrity-validation] [!INCLUDE allow-warning-for-other-disk-encryption] [!INCLUDE choose-how-bitlocker-protected-operating-system-drives-can-be-recovered] [!INCLUDE configure-minimum-pin-length-for-startup] [!INCLUDE configure-pre-boot-recovery-message-and-url] [!INCLUDE configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations] [!INCLUDE configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations] [!INCLUDE configure-use-of-hardware-based-encryption-for-operating-system-drives] [!INCLUDE configure-use-of-passwords-for-operating-system-drives] [!INCLUDE disallow-standard-users-from-changing-the-pin-or-password] [!INCLUDE enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates] [!INCLUDE enforce-drive-encryption-type-on-operating-system-drives] [!INCLUDE require-additional-authentication-at-startup] [!INCLUDE reset-platform-validation-data-after-bitlocker-recovery] [!INCLUDE use-enhanced-boot-configuration-data-validation-profile]
:::image type="icon" source="images/unlocked-drive.svg"::: Fixed data drives
[!INCLUDE choose-how-bitlocker-protected-fixed-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-fixed-data-drives] [!INCLUDE configure-use-of-passwords-for-fixed-data-drives] [!INCLUDE configure-use-of-smart-cards-on-fixed-data-drives] [!INCLUDE deny-write-access-to-fixed-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-fixed-data-drives]
:::image type="icon" source="images/unlocked-drive.svg"::: Removable data drives
[!INCLUDE choose-how-bitlocker-protected-removable-drives-can-be-recovered] [!INCLUDE configure-use-of-hardware-based-encryption-for-removable-data-drives] [!INCLUDE configure-use-of-passwords-for-removable-data-drives] [!INCLUDE configure-use-of-smart-cards-on-removable-data-drives] [!INCLUDE control-use-of-bitlocker-on-removable-drives] [!INCLUDE deny-write-access-to-removable-drives-not-protected-by-bitlocker] [!INCLUDE enforce-drive-encryption-type-on-removable-data-drives] [!INCLUDE removable-drives-excluded-from-encryption]
BitLocker and policy settings compliance
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended by using the manage-bde.exe command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The manage-bde.exe command-line can also be used in this scenario to help bring the device into compliance.
Configure and manage servers
Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use PowerShell to enable BitLocker on a server, ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in BitLocker: How to deploy on Windows Server to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a Server Core installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in Using Features on Demand with Updated Systems and Patched Images and How to update local source media to add roles and features.
If a server is being installed manually, such as a stand-alone server, then choosing Server with Desktop Experience is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see BitLocker: How to enable Network Unlock.
Next steps
[!div class="nextstepaction"] Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.