Configuring BitLocker policies
BitLocker is an encryption technology used to ensure that an entire volume is encrypted. Encrypting
File System (EFS) enables encryption on specified files and folders,
which allows granular control of the technology but makes management
more difficult because the encrypted files or folders can be anywhere
on the disk. With BitLocker, the entire volume is encrypted and
requires a Trusted Platform Module (TPM) chip in the computer or an
alternate method of authentication, such as an encryption key on a USB
flash disk, to operate.
Using policies to configure BitLocker allows the settings to be
centrally managed if the computer or device is managed by Active
Directory. If the computer or device is not managed by Active
Directory, the same policy settings can be applied by using the Local
Group Policy Editor. Configuring the settings for a local policy uses
the same concepts as configuring Group Policy in Active Directory; the
difference is that the settings apply only to the local computer or to
user accounts on the local computer.
If the computer joins an Active Directory domain and a conflicting
setting exists within the domain, the local computer’s setting will be
overwritten by the settings from Active Directory.
Policy settings for BitLocker include the following:
-
Fixed Data Drives
-
Configure Use Of Smart Cards On Fixed Data Drives
-
Deny Write Access To Fixed Drives Not Protected By BitLocker
-
Configure Use Of Hardware-Based Encryption For Fixed Data Drives
-
Enforce Drive Encryption Type On Fixed Data Drives
-
Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
-
Configure Use Of Passwords For Fixed Data Drives
-
Choose How BitLocker-Protected Fixed Drives Can Be Recovered
-
Operating System Drives
-
Allow Network Unlock At Startup
-
Allow Secure Boot For Integrity Validation
-
Require Additional Authentication At Startup
-
Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)
-
Disallow Standard Users From Changing The PIN Or Password
-
Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates
-
Allow Enhanced PINs For Startup
-
Configure Minimum PIN Length For Startup
-
Configure Use Of Hardware-Based Encryption For Operating System Drives
-
Enforce Drive Encryption Type On Operating System Drives
-
Configure Use Of Passwords For Operating System Drives
-
Choose How BitLocker-Protected Operating System Drives Can Be Recovered
-
Configure TPM Platform Validation Profile For BIOS-Based Firmware Configuration
-
Configure TPM Platform Validation Profile (Windows Vista, Windows Server 2008, Windows 7, And Windows Server 2008 R2)
-
Configure TPM Platform Validation Profile For Native Unified Extensible Firmware Interface (UEFI) Firmware Configurations
-
Reset Platform Validation Data After BitLocker Recovery
-
Use Enhanced Boot Configuration Data Validation Profile
-
Store BitLocker Recovery Information In Active Directory Domain Services (AD DS) (Windows Server 2008 And Windows Vista)
-
Choose Default Folder For Recovery Password
-
Choose How Often Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)
-
Choose Drive Encryption Method And Cipher Strength
-
Choose Drive Encryption Method And Cipher Strength (Windows Vista, Windows Server 2008, Windows Server 2008 R2, And Windows 7)
-
Provide The Unique Identifiers For Your Organization
-
Prevent Memory Overwrite On Restart
-
Validate Smart Card Certificate Usage Rule Compliance
Figure 1 displays the Local Group Policy Editor with the BitLocker policy objects displayed.
To configure the local policy settings, complete the following steps:
-
Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).
-
Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path.
-
Select the policy object you want to work with.
-
Select Enabled.
-
Review the explanation provided with the object and configure available options as needed.
-
Tap or click OK to save the changes.
