Category: At least Windows Server 2012 or Windows 8
Enforce drive encryption type on removable data drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
If you enable this policy setting, the encryption type that BitLocker will use to encrypt drives is defined by this policy, and the encryption type option will not be presented in the BitLocker setup wizard.
If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Configure use of hardware-based encryption for removable data drives
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption, and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.
If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
- AES 128 in CBC mode, OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode, OID: 2.16.840.1.101.3.4.1.42
Enable use of BitLocker authentication requiring preboot keyboard input on slates
This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. The Windows touch keyboard (such as that used by tablets) isn’t available in the pre-boot environment where BitLocker requires additional information such as a PIN or password.
If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
Note that if you do not enable this policy setting, options in the “Require additional authentication at startup” policy might not be available on such devices. These options include:
- Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN: Required/Allowed
- Configure use of passwords for operating system drives
Enforce drive encryption type on fixed data drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
If you enable this policy setting, the encryption type that BitLocker will use to encrypt drives is defined by this policy, and the encryption type option will not be presented in the BitLocker setup wizard.
If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Configure use of hardware-based encryption for fixed data drives
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption, and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.
If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
- AES 128 in CBC mode, OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode, OID: 2.16.840.1.101.3.4.1.42
Enforce drive encryption type on operating system drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
If you enable this policy setting, the encryption type that BitLocker will use to encrypt drives is defined by this policy, and the encryption type option will not be presented in the BitLocker setup wizard.
If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Allow network unlock at startup
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors and protects the information exchanged with the server to unlock the computer. You can use the group policy setting “Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption Network Unlock Certificate” on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock.
If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors.
Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
Configure TPM platform validation profile for BIOS-based firmware configurations
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the “Configure TPM platform validation profile for native UEFI firmware configurations” group policy setting to configure the TPM PCR profile for computers using native UEFI firmware.
If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive, and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.
If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script.
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:
- Core Root of Trust of Measurement (CRTM), BIOS and Platform Extensions (PCR 0)
- Option ROM Code (PCR 2)
- Master Boot Record (MBR) Code (PCR 4)
- NTFS Boot Sector (PCR 8)
- NTFS Boot Block (PCR 9)
- Boot Manager (PCR 10)
- BitLocker Access Control (PCR 11)
Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Configure use of passwords for operating system drives
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting “Password must meet complexity requirements” located in Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy must also be enabled.
Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.
If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select “Require complexity”. When set to “Require complexity”, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to “Allow complexity”, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy, but if no domain controllers are found, the password will still be accepted regardless of actual password complexity, and the drive will be encrypted using that password as a protector. When set to “Do not allow complexity”, no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the “Minimum password length” box.
If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.
Note: Passwords cannot be used if FIPS-compliance is enabled. The “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing” policy setting in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options specifies whether FIPS-compliance is enabled.
Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker.
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
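An added audit script (not part of this policy reference and not Microsoft tooling) that reads the registry values backing the settings above and lists live volume state with Get-BitLockerVolume, so an administrator can see which settings are actually in force and where they cannot take effect (drive already encrypted, encryption in progress). Assumptions: the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE follow the BitLocker ADMX template (OSEncryptionType, OSHardwareEncryption, OSAllowedHardwareEncryptionAlgorithms, OSPlatformValidation_BIOS, OSManageNKP, DisallowStandardUserPINReset and the FDV/RDV counterparts), and the encryption-type decode 1 = full, 2 = used space only is assumed as well.

```powershell
# Added audit script; value names are assumed to follow the BitLocker ADMX template
# (HKLM\SOFTWARE\Policies\Microsoft\FVE). A missing value means "Not Configured".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
function Get-FvePolicy([string]$Name, [string]$Key = $fve) {
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key).$Name }
}
# Assumed decode of the EncryptionType DWORD: 1 = full, 2 = used space only.
$encType = @{ 0 = 'user chooses in wizard'; 1 = 'Full encryption'; 2 = 'Used Space Only' }

foreach ($class in 'OS', 'FDV', 'RDV') {        # OS, fixed data, removable data drives
    $type = Get-FvePolicy "${class}EncryptionType"
    $hw   = Get-FvePolicy "${class}HardwareEncryption"
    $oids = Get-FvePolicy "${class}AllowedHardwareEncryptionAlgorithms"
    $typeText = if ($null -eq $type) { 'Not Configured' } else { $encType[[int]$type] }
    $hwText   = if ($null -eq $hw) { 'Not Configured' } elseif ($hw -eq 1) { 'Enabled' } else { 'Disabled (software only)' }
    "{0,-3} encryption type: {1}; hardware encryption: {2}" -f $class, $typeText, $hwText
    if ($oids) { "{0,-3} allowed hardware-encryption OIDs: {1}" -f $class, ($oids -join ', ') }
}

# BIOS/CSM platform validation profile; the default set described above is PCR 0,2,4,8,9,10,11.
$defaultPcrs = 0, 2, 4, 8, 9, 10, 11
$pcrKey = "$fve\OSPlatformValidation_BIOS"
if (Test-Path $pcrKey) {
    $props   = Get-ItemProperty -Path $pcrKey    # assumed layout: one DWORD per PCR index, 1 = included
    $enabled = 0..23 | Where-Object { $props."$_" -eq 1 }
    "BIOS PCR profile (policy): " + ($enabled -join ',')
    $dropped = $defaultPcrs | Where-Object { $_ -notin $enabled }
    if ($dropped) { "WARNING: default PCRs excluded, lowering sensitivity to boot changes: " + ($dropped -join ',') }
} else { "BIOS PCR profile: Not Configured (BitLocker default 0,2,4,8,9,10,11 applies)" }

"Network Unlock protectors allowed: " + ((Get-FvePolicy OSManageNKP) -eq 1)
"Standard users blocked from changing PIN/password: " + ((Get-FvePolicy DisallowStandardUserPINReset) -eq 1)

# Live state: these policies apply only when BitLocker is turned on, so show what is already in force.
foreach ($v in Get-BitLockerVolume) {
    $prot = ($v.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    "{0} {1,-18} {2,-12} {3,3}% protectors: {4}" -f $v.MountPoint, $v.VolumeType, $v.EncryptionMethod, $v.EncryptionPercentage, $prot
    if ($v.VolumeStatus -eq 'EncryptionInProgress') { "  note: encryption in progress; an encryption-type policy change will not alter it" }
    if ($v.EncryptionMethod -eq 'Hardware' -and $v.VolumeType -eq 'OperatingSystem' -and (Get-FvePolicy OSHardwareEncryption) -eq 0) {
        "  note: already hardware-encrypted; the disabled policy only affects drives encrypted from now on"
    }
}
```

Run from an elevated PowerShell 3.0 or later session on Windows 8 / Windows Server 2012 or later, where the BitLocker module is available; on a machine with no FVE policy key every policy line reports Not Configured.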