Category: At least Windows Server 2008 R2 or Windows 7
Deny write access to fixed drives not protected by BitLocker
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
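The following PowerShell is an added example, not part of the policy reference: it lists the fixed data volumes that this setting would mount read-only (every fixed, non-OS volume whose protection is not on) and reports whether the setting is currently applied. It assumes an elevated session and the BitLocker PowerShell module (Windows 8 / Server 2012 or later); the registry value name FDVDenyWriteAccess is taken from the VolumeEncryption.admx template and should be verified against your own ADMX.

```powershell
# Added example, not part of the policy reference: list the fixed data volumes that
# "Deny write access to fixed drives not protected by BitLocker" would mount read-only,
# and report whether the policy is set on this machine. Assumes an elevated session and
# the BitLocker PowerShell module (Windows 8 / Server 2012 or later). The registry value
# name FDVDenyWriteAccess is taken from the VolumeEncryption.admx template; verify it
# against your own ADMX before relying on it.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-DenyWriteFixedPolicy {
    $item = Get-ItemProperty -Path $FvePolicyKey -Name FDVDenyWriteAccess -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    if ($item.FDVDenyWriteAccess -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-FixedDataVolumeWriteStatus {
    # Fixed (non-removable) volumes with a drive letter, excluding the OS drive:
    # these are the "fixed data drives" the policy acts on.
    $systemLetter = $env:SystemDrive.Substring(0, 1)
    $fixed = Get-Volume | Where-Object {
        $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Z]$' -and
        "$($_.DriveLetter)" -ne $systemLetter
    }
    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $status = 'Unknown'
        if ($bl) { $status = "$($bl.ProtectionStatus)" }
        [pscustomobject]@{
            MountPoint       = $mount
            FileSystem       = $vol.FileSystem
            ProtectionStatus = $status
            # With the policy enabled, a fixed data drive whose protection is not On is mounted read-only.
            WouldBeReadOnly  = ($status -ne 'On')
        }
    }
}

"Deny write access to fixed drives not protected by BitLocker: $(Get-DenyWriteFixedPolicy)"
Get-FixedDataVolumeWriteStatus | Format-Table -AutoSize
```

Run it before enabling the setting through Group Policy: any row with WouldBeReadOnly set to True is a drive users will suddenly be unable to write to until it is encrypted.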
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy setting is enabled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives. When this policy setting is enabled, select the “Do not install BitLocker To Go Reader on FAT formatted fixed drives” check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the “Provide unique identifiers for your organization” policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. If this policy setting is disabled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and bitlockertogo.exe will not be installed.
Note: This policy setting does not apply to drives that are formatted with the NTFS file system.
Configure use of smart cards on fixed data drives
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting, smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the “Require use of smart cards on fixed data drives” check box. Note: These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives. If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.
Configure minimum PIN length for startup
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.
Choose how BitLocker-protected fixed drives can be recovered
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The “Allow data recovery agent” check box is used to specify whether a data recovery agent (DRA) can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In “Configure user storage of BitLocker recovery information”, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select “Omit recovery options from the BitLocker setup wizard” to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting. In “Save BitLocker recovery information to Active Directory Domain Services”, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select “Backup recovery password and key package”, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select “Backup recovery password only”, only the recovery password is stored in AD DS. Select the “Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives” check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Note: If the “Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives” check box is selected, a recovery password is automatically generated. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default, a DRA is allowed, the recovery options can be specified by the user, including the recovery password and recovery key, and recovery information is not backed up to AD DS.
Choose how BitLocker-protected operating system drives can be recovered
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The “Allow certificate-based data recovery agent” check box is used to specify whether a data recovery agent (DRA) can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In “Configure user storage of BitLocker recovery information”, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select “Omit recovery options from the BitLocker setup wizard” to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting. In “Save BitLocker recovery information to Active Directory Domain Services”, choose which BitLocker recovery information to store in AD DS for operating system drives. If you select “Backup recovery password and key package”, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select “Backup recovery password only”, only the recovery password is stored in AD DS.
Select the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: If the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box is selected, a recovery password is automatically generated. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a DRA is allowed, the recovery options can be specified by the user, including the recovery password and recovery key, and recovery information is not backed up to AD DS.
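The following PowerShell is an added example, not part of the policy reference, covering the recovery settings for both fixed data drives and operating system drives above: it makes sure a drive has a 48-digit recovery password protector and backs that protector up to AD DS, which is the operation the “Save BitLocker recovery information to Active Directory Domain Services” option requires before BitLocker is enabled. It assumes an elevated session on a domain-joined machine with the BitLocker PowerShell module; the registry value names OSActiveDirectoryBackup and FDVActiveDirectoryBackup are taken from VolumeEncryption.admx and should be verified against your own ADMX, and the divisible-by-11 checksum rule is a property of the recovery password format that the page itself does not state.

```powershell
# Added example, not part of the policy reference: make sure a BitLocker-protected drive has
# a 48-digit recovery password protector and back it up to AD DS, which is what the "Save
# BitLocker recovery information to Active Directory Domain Services" option in both
# "Choose how BitLocker-protected ... drives can be recovered" settings requires. Assumes an
# elevated session on a domain-joined machine with the BitLocker PowerShell module. The
# registry value names OSActiveDirectoryBackup and FDVActiveDirectoryBackup are taken from
# VolumeEncryption.admx; verify them against your own ADMX.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$Password)
    # 48 digits in 8 groups of 6. Each group is a multiple of 11 and, divided by 11, fits in
    # 16 bits; that is the checksum rule of the recovery password format (not stated on this page).
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }
    foreach ($group in ($Password -split '-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or ($n / 11) -gt 65535) { return $false }
    }
    return $true
}

function Test-AdBackupPolicy {
    param([Parameter(Mandatory)][ValidateSet('OS', 'FDV')][string]$DriveClass)
    $name = "${DriveClass}ActiveDirectoryBackup"
    $p = Get-ItemProperty -Path $FvePolicyKey -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$name -eq 1)
}

function Backup-RecoveryPasswordToAd {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'C:' or 'D:'
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $class = 'FDV'
    if ($vol.VolumeType -eq 'OperatingSystem') { $class = 'OS' }
    if (-not (Test-AdBackupPolicy -DriveClass $class)) {
        Write-Warning "AD DS backup is not enabled by policy for $class drives; backing up anyway."
    }
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        # No recovery password on the drive yet: add one (same as
        # manage-bde -protectors -add <drive> -RecoveryPassword).
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    }
    if (-not (Test-RecoveryPasswordFormat -Password $rp.RecoveryPassword)) {
        throw "Unexpected recovery password format on $MountPoint"
    }
    # Same as: manage-bde -protectors -adbackup <drive> -id <KeyProtectorId>
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    return $rp.KeyProtectorId
}

# Constructed sample (not a real key) that satisfies the format rule above:
Test-RecoveryPasswordFormat -Password '000011-000022-000033-000044-000055-000066-000077-000088'
# On a real machine: Backup-RecoveryPasswordToAd -MountPoint 'C:'
```

Backup-BitLockerKeyProtector writes the recovery password (not the key package) to the computer object in AD DS; if the write fails the cmdlet raises an error, which is the condition the “Do not enable BitLocker until recovery information is stored in AD DS” check box turns into a hard stop during setup.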
Require additional authentication at startup
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup; otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, select the “Allow BitLocker without a compatible TPM” check box. In this mode either a password or a USB drive is required for startup. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
Allow enhanced PINs for startup
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. If you disable or do not configure this policy setting, enhanced PINs will not be used.
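The following PowerShell is an added example, not part of the policy reference, covering the three startup settings above (“Configure minimum PIN length for startup”, “Require additional authentication at startup”, and “Allow enhanced PINs for startup”): it reads the policy values, validates a proposed startup PIN against the minimum length and the enhanced-PIN rule, and adds the TPM + PIN + startup key protector with manage-bde, which the reference says the setup wizard cannot do. The registry value names UseAdvancedStartup, EnableBDEWithNoTPM, MinimumPIN and UseEnhancedPin are taken from VolumeEncryption.admx and should be verified against your own ADMX; the exact manage-bde argument form should be checked with manage-bde -protectors -add -? on the target build.

```powershell
# Added example, not part of the policy reference: read the startup-authentication policy,
# validate a proposed startup PIN against "Configure minimum PIN length for startup" and
# "Allow enhanced PINs for startup", and add a TPM + PIN + startup key protector with
# manage-bde (required for that combination per "Require additional authentication at
# startup"). Registry value names (UseAdvancedStartup, EnableBDEWithNoTPM, MinimumPIN,
# UseEnhancedPin) are taken from VolumeEncryption.admx; verify them against your own ADMX.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupAuthPolicy {
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    $minPin = 4   # BitLocker's own floor when the policy is not configured
    if ($p -and $p.MinimumPIN) { $minPin = [int]$p.MinimumPIN }
    [pscustomobject]@{
        AdvancedStartup    = [bool]($p -and $p.UseAdvancedStartup -eq 1)
        AllowWithoutTpm    = [bool]($p -and $p.EnableBDEWithNoTPM -eq 1)
        MinimumPinLength   = $minPin
        EnhancedPinAllowed = [bool]($p -and $p.UseEnhancedPin -eq 1)
    }
}

function Test-StartupPin {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [int]$MinimumLength = 4,
        [switch]$EnhancedPinAllowed
    )
    # BitLocker bounds: 4 to 20 characters; the policy can only raise the minimum.
    $min = [math]::Max(4, $MinimumLength)
    if ($Pin.Length -lt $min -or $Pin.Length -gt 20) { return $false }
    if ($EnhancedPinAllowed) {
        # Enhanced PIN: letters, digits, symbols and spaces (printable ASCII). Not every machine
        # can enter these at the pre-boot prompt, so run the system check during setup.
        return ($Pin -match '^[\x20-\x7E]+$')
    }
    return ($Pin -match '^\d+$')   # digits only
}

function Add-TpmPinStartupKeyProtector {
    param(
        [Parameter(Mandatory)][string]$OsDrive,          # e.g. 'C:'
        [Parameter(Mandatory)][string]$StartupKeyDrive   # e.g. 'E:' (USB drive that receives the startup key)
    )
    $policy = Get-StartupAuthPolicy
    if (-not $policy.AdvancedStartup) {
        throw 'Require additional authentication at startup is not enabled; only basic options are available.'
    }
    # manage-bde prompts for the PIN and writes the startup key file to the USB drive.
    # Argument form assumed from manage-bde -protectors -add -? ; confirm it on your build.
    & manage-bde -protectors -add $OsDrive -TPMAndPINAndStartupKey $StartupKeyDrive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
}

$policy = Get-StartupAuthPolicy
$policy
Test-StartupPin -Pin '1234' -MinimumLength 6                                 # 4 digits against a policy minimum of 6
Test-StartupPin -Pin 'Corr3ct Horse!' -MinimumLength 6 -EnhancedPinAllowed   # letters, a space and a symbol, enhanced PINs on
Test-StartupPin -Pin 'Corr3ct Horse!' -MinimumLength 6                       # the same PIN with enhanced PINs off
# To require TPM + PIN + startup key: Add-TpmPinStartupKeyProtector -OsDrive 'C:' -StartupKeyDrive 'E:'
```

Validate the PIN before calling manage-bde: the tool enforces the policy minimum itself, but a PIN that the pre-boot keyboard cannot enter (the enhanced-PIN caveat above) is only discovered at the next reboot, when the only way in is recovery.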
Provide the unique identifiers for your organization
This policy setting allows you to associate unique organizational identifiers with a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier with BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. The allowed identification field is used in combination with the “Deny write access to removable drives not protected by BitLocker” policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe. If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. If you disable or do not configure this policy setting, the identification field is not required.
Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
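The following PowerShell is an added example, not part of the policy reference: it reads the identification field and the comma-separated allowed identification field set by this policy, extracts the Identification Field line that manage-bde -status prints for each volume, and classifies every drive the way the text describes (own organization, allowed external organization, or outside organization). The sample status output is constructed for the example, not captured from a real machine; the registry value names IdentificationFieldString and SecondaryIdentificationField are taken from VolumeEncryption.admx and should be verified against your own ADMX.

```powershell
# Added example, not part of the policy reference: read the identification field and allowed
# identification field set by "Provide the unique identifiers for your organization", pull the
# Identification Field reported by manage-bde -status for each volume, and classify each drive
# as own organization, allowed external organization, or outside organization. Registry value
# names (IdentificationFieldString, SecondaryIdentificationField) are taken from
# VolumeEncryption.admx; verify them against your own ADMX.

function Get-IdentifierPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $allowed = @()
    if ($p -and $p.SecondaryIdentificationField) {
        # Comma-separated list of identification fields from your own and external organizations.
        $allowed = @($p.SecondaryIdentificationField -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $own = $null
    if ($p) { $own = $p.IdentificationFieldString }
    [pscustomobject]@{ IdentificationField = $own; AllowedFields = $allowed }
}

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Pair each "Volume X:" header with its "Identification Field:" line.
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]):') {
            $current = "$($Matches[1]):"
        } elseif ($current -and $line -match '^\s*Identification Field:\s*(.*?)\s*$') {
            $value = $Matches[1]
            if ($value -in @('None', 'Unknown')) { $value = $null }   # no identifier stamped on the drive
            [pscustomobject]@{ MountPoint = $current; IdentificationField = $value }
        }
    }
}

function Get-DriveOrigin {
    param([string]$DriveField, [Parameter(Mandatory)]$Policy)
    if (-not $DriveField)                              { return 'NoIdentifier' }
    if ($DriveField -eq $Policy.IdentificationField)   { return 'OwnOrganization' }
    if ($Policy.AllowedFields -contains $DriveField)   { return 'AllowedExternal' }
    return 'OutsideOrganization'
}

# Constructed sample in the shape of manage-bde -status output (not captured from a real machine).
$sample = @'
Volume C: [Windows]
[OS Volume]
    Identification Field: Contoso
    Key Protectors:
        TPM
Volume D: [Data]
[Data Volume]
    Identification Field: Fabrikam
Volume E: [USB]
[Data Volume]
    Identification Field: None
'@ -split "`r?`n"

# Constructed policy values standing in for Get-IdentifierPolicy on a managed machine.
$policy = [pscustomobject]@{ IdentificationField = 'Contoso'; AllowedFields = @('Contoso', 'Fabrikam') }
ConvertFrom-ManageBdeStatus -Lines $sample | ForEach-Object {
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        Field      = $_.IdentificationField
        Origin     = Get-DriveOrigin -DriveField $_.IdentificationField -Policy $policy
    }
}

# On a real machine: ConvertFrom-ManageBdeStatus -Lines (manage-bde -status) with (Get-IdentifierPolicy),
# and stamp the policy's identifier onto a drive that has none with: manage-bde -SetIdentifier D:
```

A drive reported as NoIdentifier is the case that matters for the data recovery agent note above: until manage-bde -SetIdentifier has stamped it with the configured value, BitLocker will not manage or update certificate-based DRAs on it.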
Validate smart card certificate usage rule compliance
This policy setting allows you to associate an object identifier from a smart card certificate with a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. The default object identifier is 1.3.6.1.4.1.311.67.1.1. Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker. If you enable this policy setting, the object identifier specified in the “Object identifier” box must match the object identifier in the smart card certificate. If you disable or do not configure this policy setting, a default object identifier is used.
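The following PowerShell is an added example, not part of the policy reference: it encodes the usage rule above, which also governs which certificates are usable under “Configure use of smart cards on fixed data drives”: a certificate with no EKU extension passes, a certificate with an EKU extension passes only if that extension carries the configured OID. The test certificates are generated in memory with .NET's CertificateRequest class and are not real smart card certificates; the registry value name CertificateOID is taken from VolumeEncryption.admx and should be verified against your own ADMX.

```powershell
# Added example, not part of the policy reference: check a certificate against the rule in
# "Validate smart card certificate usage rule compliance": no EKU extension is acceptable,
# an EKU extension must contain the configured OID. The registry value name CertificateOID is
# taken from VolumeEncryption.admx (verify against your ADMX). The certificates below are
# created in memory for demonstration and are not real smart card certificates.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$DefaultBitLockerOid = '1.3.6.1.4.1.311.67.1.1'   # default OID from the policy text

function Get-BitLockerCertificateOid {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name CertificateOID -ErrorAction SilentlyContinue
    if ($p -and $p.CertificateOID) { return [string]$p.CertificateOID }
    return $DefaultBitLockerOid
}

function Test-BitLockerCertificateEku {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string]$RequiredOid = $DefaultBitLockerOid
    )
    # 2.5.29.37 is the Extended Key Usage extension OID.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if (-not $ext) { return $true }   # no EKU attribute: BitLocker does not require one
    $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $RequiredOid) { return $true }
    }
    return $false                     # EKU present but without the configured OID
}

function New-TestCertificate {
    # In-memory self-signed certificate for demonstration only.
    param([Parameter(Mandatory)][string]$Subject, [string[]]$EkuOids)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Subject", $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($EkuOids) {
        $oids = [OidCollection]::new()
        foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(1))
}

$cases = @(
    @{ Name = 'bitlocker-eku';    Eku = @($DefaultBitLockerOid) }
    @{ Name = 'client-auth-only'; Eku = @('1.3.6.1.5.5.7.3.2') }   # Client Authentication EKU only
    @{ Name = 'no-eku';           Eku = @() }
)
$requiredOid = Get-BitLockerCertificateOid
foreach ($case in $cases) {
    $cert = New-TestCertificate -Subject $case.Name -EkuOids $case.Eku
    [pscustomobject]@{
        Subject   = $cert.Subject
        Compliant = Test-BitLockerCertificateEku -Certificate $cert -RequiredOid $requiredOid
    }
}
```

To audit real smart card certificates, feed Test-BitLockerCertificateEku the objects from Get-ChildItem Cert:\CurrentUser\My instead of the generated ones; the check covers only the EKU rule, not chain validity or whether the private key actually lives on a smart card.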