Tag: Computer Configuration
Configure minimum PIN length for startup
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.
Use enhanced Boot Configuration Data validation profile
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or both. If you disable this policy setting, the computer will revert to a BCD profile similar to the default BCD profile used by Windows 7. If you do not configure this policy setting, the computer will verify the default Windows BCD settings. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the “Allow Secure Boot for integrity validation” group policy, the “Use enhanced Boot Configuration Data validation profile” group policy is ignored. The setting that controls boot debugging (0x16000010) will always be validated and will have no effect if it is included in the provided fields.
Choose how BitLocker-protected operating system drives can be recovered
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The “Allow certificate-based data recovery agent” check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In “Configure user storage of BitLocker recovery information”, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select “Omit recovery options from the BitLocker setup wizard” to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting. In “Save BitLocker recovery information to Active Directory Domain Services”, choose which BitLocker recovery information to store in AD DS for operating system drives. If you select “Backup recovery password and key package”, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select “Backup recovery password only”, only the recovery password is stored in AD DS.
Select the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: If the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box is selected, a recovery password is automatically generated. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a DRA is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.
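The escrow requirement above can be verified after the fact on a running system. The following is an added example, not part of the policy text or Microsoft's own tooling: it checks that the operating system drive carries a 48-digit recovery password protector and pushes it to AD DS with the BitLocker module cmdlets. It assumes an elevated PowerShell 5.1+ session on a domain-joined host where the BitLocker module is available.

```powershell
# Added example (not from the policy text): confirm the OS drive has a
# 48-digit recovery password protector and that it is escrowed to AD DS.
# Assumes: elevated PowerShell 5.1+ on a domain-joined host with the BitLocker
# module (Get-BitLockerVolume, Add-BitLockerKeyProtector,
# Backup-BitLockerKeyProtector).
function Test-OsDriveRecoveryEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'OperatingSystem') {
        throw "$MountPoint is not the operating system drive"
    }

    # The policy lets users generate a 48-digit recovery password; make sure
    # at least one exists so the drive can be recovered without the startup key.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "No recovery password protector on $MountPoint; adding one"
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # Escrow every recovery password to AD DS; this is the same backup the
    # "Save BitLocker recovery information to Active Directory Domain Services"
    # setting performs when BitLocker is turned on.
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Protector = $p.KeyProtectorId; EscrowedToADDS = $true }
        } catch {
            Write-Warning ("Backup to AD DS failed for {0}: {1}" -f $p.KeyProtectorId, $_.Exception.Message)
            [pscustomobject]@{ Protector = $p.KeyProtectorId; EscrowedToADDS = $false }
        }
    }
}

# Usage: Test-OsDriveRecoveryEscrow
```

A failed backup is exactly the condition under which the “Do not enable BitLocker until recovery information is stored in AD DS” check box would have blocked enabling BitLocker, so a `$false` result is worth alerting on.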
Enforce drive encryption type on operating system drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. If you enable this policy setting, the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista. On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN). A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive. If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM. If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.
Require additional authentication at startup
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. If you want to use BitLocker on a computer without a TPM, select the “Allow BitLocker without a compatible TPM” check box. In this mode, either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
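The TPM + PIN + startup key combination that the note says the wizard cannot configure can be applied outside the wizard. The following is an added example, not part of the policy text and not Microsoft's own script: it uses the BitLocker PowerShell module rather than the manage-bde route the note mentions, enforces the PIN length rules from the “Configure minimum PIN length for startup” setting, and respects the rule that only one startup authentication combination may be in force. It assumes an elevated PowerShell 5.1+ session, a compatible TPM, a removable drive mounted at the path passed in, and that the configured minimum PIN length is stored in the registry value `HKLM:\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN` (an assumption about the policy's registry backing; the protector type names are those reported by `Get-BitLockerVolume`).

```powershell
# Added example (not from the policy text): replace the OS drive's TPM-based
# startup protector with a TPM + PIN + startup key protector.
# Assumes: elevated PowerShell 5.1+, compatible TPM, removable drive at
# $StartupKeyPath, and the policy minimum PIN length in the registry value
# HKLM:\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN (assumption; 4 if absent).
function Add-TpmPinStartupKeyProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][string]$StartupKeyPath,      # e.g. 'E:\'
        [Parameter(Mandatory)][securestring]$Pin
    )

    # Policy floor for the PIN length; the hard ceiling is 20 digits.
    $minPin = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
               -Name MinimumPIN -ErrorAction SilentlyContinue).MinimumPIN
    if (-not $minPin) { $minPin = 4 }
    if ($Pin.Length -lt $minPin -or $Pin.Length -gt 20) {
        throw "PIN must be between $minPin and 20 digits long"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never drop the only unlock path: insist on a recovery password first.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw 'Add and escrow a recovery password before changing startup authentication'
    }

    # Only one TPM-based startup combination may exist; remove the current one.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm','TpmPin','TpmStartupKey' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -TpmAndPinAndStartupKeyProtector -Pin $Pin -StartupKeyPath $StartupKeyPath | Out-Null

    # Report what now guards the drive.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (the PIN is read interactively, never placed on the command line):
# Add-TpmPinStartupKeyProtector -StartupKeyPath 'E:\' -Pin (Read-Host -AsSecureString 'Startup PIN')
```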
Allow network unlock at startup
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors and protects the information exchanged with the server to unlock the computer. You can use the group policy setting “Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption Network Unlock Certificate” on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive, and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS. Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Configure TPM platform validation profile for BIOS-based firmware configurations
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the “Configure TPM platform validation profile for native UEFI firmware configurations” group policy setting to configure the TPM PCR profile for computers using native UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive, and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Configure TPM platform validation profile for native UEFI firmware configurations
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the “Configure TPM platform validation profile for BIOS-based firmware configurations” group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM enabled. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive, and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), the boot manager (PCR 4), and the BitLocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted will override the “Allow Secure Boot for integrity validation” group policy, preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to applying firmware updates.
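The three PCR-profile settings above share the same trade-off: every PCR added to the profile is one more boot component whose change sends the machine into recovery. The following is an added example, not part of the policy text and not a Microsoft tool: it compares a configured profile against the BIOS and native-UEFI defaults listed in the descriptions and reports the two consequences the last description spells out (PCR 7 omitted on native UEFI disables Secure Boot validation; PCR 0 included means suspend BitLocker before firmware updates). The registry layout it reads, one DWORD per PCR index under `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` (or `_BIOS`), is an assumption about how the policy is stored; `Test-PcrProfile` itself works on any list of PCR indices.

```powershell
# Added example (not from the policy text): assess a TPM platform validation
# profile against the defaults the policy descriptions give. The registry
# layout read by Get-PolicyPcrProfile (values "0".."23", 1 = PCR included,
# under ...\FVE\OSPlatformValidation_<BIOS|UEFI>) is an assumption.
function Get-PolicyPcrProfile {
    param([Parameter(Mandatory)][ValidateSet('BIOS','UEFI')][string]$Firmware)
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_$Firmware"
    if (-not (Test-Path $key)) { return $null }      # policy not configured
    $props = Get-ItemProperty -Path $key
    0..23 | Where-Object { $name = "$_"; $props.$name -eq 1 }
}

function Test-PcrProfile {
    param(
        [Parameter(Mandatory)][ValidateSet('BIOS','UEFI')][string]$Firmware,
        [Parameter(Mandatory)][int[]]$Pcrs,
        [switch]$FromPolicy    # profile was set by policy, not the built-in default
    )
    # Defaults as listed in the policy descriptions for each firmware type.
    $defaults = @{ BIOS = 0,2,4,8,9,10,11; UEFI = 0,2,4,11 }
    $findings = @()
    $extra   = $Pcrs | Where-Object { $_ -notin $defaults[$Firmware] }
    $missing = $defaults[$Firmware] | Where-Object { $_ -notin $Pcrs }
    if ($extra)   { $findings += "Beyond default profile (more recovery prompts on change): PCR $($extra -join ',')" }
    if ($missing) { $findings += "Below default profile (looser validation): PCR $($missing -join ',')" }
    if ($FromPolicy -and $Firmware -eq 'UEFI' -and 7 -notin $Pcrs) {
        $findings += 'PCR 7 omitted: overrides "Allow Secure Boot for integrity validation"; Secure Boot is not used for platform/BCD validation'
    }
    if (0 -in $Pcrs) {
        $findings += 'PCR 0 included: suspend BitLocker (Suspend-BitLocker) before applying firmware updates, or expect recovery'
    }
    [pscustomobject]@{ Firmware = $Firmware; Pcrs = ($Pcrs | Sort-Object); Findings = $findings }
}

# Usage: evaluate the configured native-UEFI profile, or the default if unset.
$configured = Get-PolicyPcrProfile -Firmware UEFI
if ($configured) { Test-PcrProfile -Firmware UEFI -Pcrs $configured -FromPolicy }
else             { Test-PcrProfile -Firmware UEFI -Pcrs 0,2,4,11 }
```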