Tag: Computer Configuration
Allow enhanced PINs for startup
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. If you disable or do not configure this policy setting, enhanced PINs will not be used.
Configure use of passwords for operating system drives
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting “Password must meet complexity requirements” located in Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy must also be enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select “Require complexity”. When set to “Require complexity”, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to “Allow complexity”, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy, but if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to “Do not allow complexity”, no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the “Minimum password length” box. If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-compliance is enabled.
The “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing” policy setting in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options specifies whether FIPS-compliance is enabled.
Reset platform validation data after BitLocker recovery
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery. If you disable this policy setting, platform validation data will not be refreshed when Windows is started following BitLocker recovery. If you do not configure this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.
Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
Provide the unique identifiers for your organization
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. The allowed identification field is used in combination with the “Deny write access to removable drives not protected by BitLocker” policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe. If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. If you disable or do not configure this policy setting, the identification field is not required.
Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
Validate smart card certificate usage rule compliance
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. The default object identifier is 1.3.6.1.4.1.311.67.1.1. Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate, it must be set to an object identifier (OID) that matches the OID configured for BitLocker. If you enable this policy setting, the object identifier specified in the “Object identifier” box must match the object identifier in the smart card certificate. If you disable or do not configure this policy setting, a default object identifier is used.
Choose default folder for recovery password
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, you can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify either a fully qualified path or include the target computer’s environment variables in the path. If the path is not valid, the BitLocker setup wizard will display the computer’s top-level folder view. If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer’s top-level folder view when the user chooses the option to save the recovery password in a folder. Note: This policy setting does not prevent the user from saving the recovery password in another folder.
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7. If you enable this policy setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
Choose drive encryption method and cipher strength
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows 8 and later. If you enable this policy setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the “Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)” policy setting if it is set. If neither policy is set, BitLocker will use the default encryption method of AES 128-bit or the encryption method specified by the setup script.
Prevent memory overwrite on restart
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets. If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.