
BitLocker Group Policy settings

Published: September 2012

Last updated: October 2012

Applies to: Windows 8, Windows Server 2012

To control the user experience in the BitLocker Control Panel item and to modify other configuration options, you can use Group Policy or local computer policy settings. How you choose to configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed.

A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details on those settings, see Windows 8 TPM Group Policy Settings.

BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization and then applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the Manage-bde command-line tool, the password unlock method deleted, and the smart card method added. After this is completed, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
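The migration described above (a removable drive that was unlocked with a password, after policy changed to require smart cards), as an added example that is not part of the original page. It uses manage-bde.exe throughout; the drive letter and the certificate thumbprint are placeholders, and it must be run from an elevated prompt:

```powershell
# Added example, not from the original page: bring a removable data drive back into
# compliance after policy changed from "password allowed" to "smart card required".
# Assumptions: E: and the thumbprint are placeholders; manage-bde.exe is on the path.
$Drive = 'E:'
$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder

function Invoke-ManageBde {
    # Runs manage-bde and stops on a non-zero exit code, so a failed step
    # never leaves the drive half-migrated without anyone noticing.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$output"
    }
    $output
}

# 0. Make sure a recovery password exists before touching protectors. If the
#    migration fails half-way it is the only way back into the drive.
$protectors = Invoke-ManageBde @('-protectors', '-get', $Drive)
if (-not ($protectors -match 'Numerical Password')) {
    Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null
}

# 1. Suspend protection. The volume stays encrypted and accessible, and the
#    policy compliance check no longer blocks protector changes.
Invoke-ManageBde @('-protectors', '-disable', $Drive) | Out-Null

# 2. Remove the password protector that the new policy no longer allows.
Invoke-ManageBde @('-protectors', '-delete', $Drive, '-type', 'Password') | Out-Null

# 3. Add the certificate (smart card) protector, selected by thumbprint from the
#    user's certificate store.
Invoke-ManageBde @('-protectors', '-add', $Drive, '-Certificate', '-ct', $CertThumbprint) | Out-Null

# 4. Resume protection. The drive is now compliant with the smart card policy.
Invoke-ManageBde @('-protectors', '-enable', $Drive) | Out-Null

Invoke-ManageBde @('-protectors', '-get', $Drive)
```

The recovery password is added first on purpose: deleting the last usable protector while suspended is recoverable only through the clear key, and the clear key is removed again when protection is resumed. Verify the final protector list before unplugging the drive.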

The following sections provide a comprehensive list of policy settings organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.

The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.

The following policy settings determine the encryption method and encryption type used with BitLocker.

The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

The following policies are used to support customized deployment scenarios in your organization.

This policy controls a portion of the behavior of the Network Unlock feature of BitLocker. This policy is required to enable BitLocker Network Unlock on a network as it allows BitLocker clients to create the necessary Network Key Protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy to allow systems connected to a trusted network to properly utilize the Network Unlock feature.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired local area network and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

If you enable this policy setting, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors.

To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors and to protect the information exchanged with the server to unlock the computer. You can use the Group Policy setting Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock.

If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors.

For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.

None

This policy setting is used to control what unlock options are available for operating system drives.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

If you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a USB drive is required for startup and the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, the computer can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

If one authentication method is required, the other methods cannot be allowed.

Use of BitLocker with a TPM startup key or TPM startup key and PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

This policy setting permits the use of enhanced PINs when using an unlock method that includes a PIN.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure whether enhanced startup PINs are used with BitLocker.

Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Existing drives that were protected by using a standard startup PIN are not affected.

Important
Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during BitLocker setup to verify that enhanced PIN characters can be used.

If you disable or do not configure this policy setting, enhanced PINs will not be used.

None

This policy setting is used to set a minimum PIN length when using an unlock method that includes a PIN.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.
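The three operating system drive settings above (additional authentication at startup, enhanced PINs, minimum PIN length) configured on a local test machine and then exercised by turning on BitLocker with TPM + PIN, as an added example that is not part of the original page. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are what the Group Policy template writes for these settings; the value names are assumed from the VolumeEncryption.admx template and should be checked against your template version. The PIN in the script is a placeholder:

```powershell
# Added example, not from the original page. Run elevated on a computer whose TPM
# is already initialized. Value names assumed from VolumeEncryption.admx.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }

# "Require additional authentication at startup": 0 = do not allow, 1 = require, 2 = allow.
$Startup = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 0   # no USB-only fallback on computers without a TPM
    UseTPM             = 0   # TPM only: do not allow
    UseTPMPIN          = 1   # TPM + PIN: require
    UseTPMKey          = 0   # TPM + startup key: do not allow
    UseTPMKeyPIN       = 0   # TPM + PIN + startup key: do not allow
}
# Constraint from the policy text: only one method can be required, and when one
# is required the others cannot be allowed. Catch it here instead of at apply time.
$methods  = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$required = @($methods | Where-Object { $Startup[$_] -eq 1 })
$allowed  = @($methods | Where-Object { $Startup[$_] -eq 2 })
if ($required.Count -gt 1) { throw "Only one startup method can be required: $($required -join ', ')" }
if ($required.Count -eq 1 -and $allowed.Count -gt 0) {
    throw "$($required[0]) is required, so $($allowed -join ', ') must be set to 'do not allow'"
}

# "Allow enhanced PINs for startup" and "Configure minimum PIN length for startup".
$PinPolicy = @{ UseEnhancedPin = 1; MinimumPIN = 8 }

foreach ($kv in ($Startup + $PinPolicy).GetEnumerator()) {
    Set-ItemProperty -Path $Fve -Name $kv.Key -Value $kv.Value -Type DWord
}

function Test-StartupPin {
    # Mirrors the rules in the text: 4 to 20 characters, at least the policy
    # minimum, and digits only unless enhanced PINs are enabled.
    param([string]$Pin, [int]$MinimumLength, [bool]$Enhanced)
    $floor = [Math]::Max(4, $MinimumLength)
    if ($Pin.Length -lt $floor -or $Pin.Length -gt 20) { return $false }
    if (-not $Enhanced -and $Pin -notmatch '^[0-9]+$') { return $false }
    return $true
}

$PinText = 'correct horse 42'   # placeholder; collect interactively in real use
if (-not (Test-StartupPin -Pin $PinText -MinimumLength $PinPolicy.MinimumPIN -Enhanced ($PinPolicy.UseEnhancedPin -eq 1))) {
    throw 'PIN does not satisfy the configured policy'
}

# Turn on BitLocker with the TPM + PIN protector, then add a recovery password so
# the drive stays recoverable if the TPM measurements change.
$SecurePin = ConvertTo-SecureString -String $PinText -AsPlainText -Force
Enable-BitLocker -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $SecurePin -EncryptionMethod Aes256 -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
```

Writing under the Policies key is the local stand-in for a GPO and is overwritten at the next policy refresh on a domain-joined computer; in production, set the same options in the GPO and let gpupdate deliver them. Because enhanced PINs are in effect, run the preboot system check (do not pass -SkipHardwareTest) on hardware you have not verified, as the Important note above says.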

None

This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password used to protect the operating system drive.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password used to protect the operating system drive. To change the PIN or password the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.

If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.

None

This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. This policy controls how non-TPM based systems use the password protector. Used in conjunction with the "Password must meet complexity requirements" password policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose "Require password complexity", as it requires domain connectivity and requires that the BitLocker password entered meets the same password complexity requirements as domain logon passwords.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting Password must meet complexity requirements located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.

Note
These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select Require complexity.

When set to Require complexity, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to Allow complexity, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to Do not allow complexity, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the Minimum password length box.

If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

Passwords cannot be used if FIPS-compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

This policy setting is used to control what unlock options are available for computers running either Windows Server 2008 or Windows Vista.

Operating system drives (Windows Server 2008 and Windows Vista)

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard on computers running Windows Vista or Windows Server 2008 will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.

On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN.

A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.

If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

If you choose to require an additional authentication method, other authentication methods cannot be allowed.

This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.

Fixed data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

If you enable this policy setting, smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

Note
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives.

If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.

Fixed data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements must be also enabled.

Note
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

When set to Require complexity, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to Allow complexity, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of the actual password complexity and the drive will be encrypted by using that password as a protector. When set to Do not allow complexity, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the Minimum password length box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Important
Passwords cannot be used if FIPS compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.

To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

This policy setting is configured on a per-computer basis. This means that it will apply to both local user accounts and domain user accounts. Because the password filter used to validate password complexity is located on the domain controllers of the domain, local user accounts will not be able to access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you are logged on with a local user account and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive.

Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.

This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

If you enable this policy setting, smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

Note
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

If you do not configure this policy setting, smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

This policy setting is used to require, allow, or deny the use of passwords with removable data drives.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting Password must meet complexity requirements located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

Note
These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements that you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

When set to Require complexity, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to Allow complexity, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. When set to Do not allow complexity, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the Minimum password length box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Note
Passwords cannot be used if FIPS compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.

To use password complexity, the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.
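A pre-flight check for the three password policies above (operating system, fixed and removable data drives share the same rules: FIPS mode blocks the protector, eight characters minimum, complexity validated by a domain controller, local accounts denied), followed by adding the password protector, as an added example that is not part of the original page. The drive letter is a placeholder. The character-class test is a local approximation of the domain password filter; the authoritative check happens on the domain controller and cannot be reproduced offline:

```powershell
# Added example, not from the original page. The FIPS registry location is the one
# behind the "Use FIPS-compliant algorithms" security option; the rest mirrors the
# policy text. The class count is an approximation, not the real password filter.
function Test-PasswordProtectorPrerequisites {
    param(
        [Parameter(Mandatory)][securestring]$Password,
        [int]$MinimumLength = 8,
        [ValidateSet('Require', 'Allow', 'DoNotAllow')][string]$Complexity = 'DoNotAllow'
    )
    $problems = @()

    # 1. FIPS mode: the password protector is not available at all.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    if ($fips -and $fips.Enabled -eq 1) {
        $problems += 'FIPS-compliant algorithms are enforced; a password cannot be used as a protector.'
    }

    # Decode the secure string only for the duration of the checks, then zero it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # 2. Length: BitLocker's floor is 8; the policy may only raise it.
    $effectiveMin = [Math]::Max(8, $MinimumLength)
    if ($plain.Length -lt $effectiveMin) {
        $problems += "Password is $($plain.Length) characters; policy requires at least $effectiveMin."
    }

    # 3. Complexity: Require needs a reachable domain controller, and the password
    #    filter lives on the DC, so a local account gets 'Access denied'.
    if ($Complexity -ne 'DoNotAllow') {
        $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        $dcReachable  = $domainJoined -and (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
        $isDomainUser = $env:USERDOMAIN -ne $env:COMPUTERNAME
        if ($Complexity -eq 'Require' -and -not $dcReachable) {
            $problems += 'Require complexity is set but no domain controller is reachable; turn on BitLocker when connected.'
        }
        if ($Complexity -eq 'Require' -and -not $isDomainUser) {
            $problems += 'Require complexity is set but this is a local account; the DC password filter will deny access.'
        }
        # Approximation of the default filter (3 of 4 character classes).
        $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]' | Where-Object { $plain -cmatch $_ })
        if ($classes.Count -lt 3) {
            $problems += 'Password is unlikely to pass the domain complexity requirements.'
        }
    }
    $plain = $null
    return $problems
}

$Drive    = 'E:'   # placeholder
$Password = Read-Host -Prompt "Password for $Drive" -AsSecureString
$issues   = Test-PasswordProtectorPrerequisites -Password $Password -MinimumLength 12 -Complexity Require
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; return }

# Already-encrypted drive: add the protector. Not yet encrypted: use
# Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password instead.
Add-BitLockerKeyProtector -MountPoint $Drive -PasswordProtector -Password $Password
```

The checks run before any protector is touched because, as the notes above say, policy is enforced when the protector is added, not when the drive is unlocked: a drive that already carries a weak password keeps unlocking with it until the protector is replaced.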

This policy setting is used to determine what certificate to use with BitLocker.

Fixed and removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker.

The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.

The default object identifier is 1.3.6.1.4.1.311.67.1.1.

Note
BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.

If you enable this policy setting, the object identifier specified in the Object identifier setting must match the object identifier in the smart card certificate.

If you disable or do not configure this policy setting, the default object identifier is used.
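The matching rule above (no EKU extension is acceptable; if an EKU is present it must contain the configured object identifier) applied to the current user's certificate store, as an added example that is not part of the original page. The registry value name CertificateOID under HKLM\SOFTWARE\Policies\Microsoft\FVE is assumed from the ADMX template; the default object identifier is the one given in the text:

```powershell
# Added example, not from the original page. Lists certificates BitLocker will
# accept for a smart card protector under the configured object identifier.
function Get-BitLockerUsableCertificate {
    param([string]$ObjectIdentifier = '1.3.6.1.4.1.311.67.1.1')   # page default
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # No EKU extension: acceptable. EKU present: must list the configured OID.
        $ekuOk = (-not $eku) -or [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ObjectIdentifier })
        $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and $ekuOk
    } | Select-Object Subject, Thumbprint, NotAfter
}

# Use the OID from policy if one is configured, otherwise the default.
# Value name assumed from VolumeEncryption.admx.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name CertificateOID -ErrorAction SilentlyContinue
$oid = if ($policy -and $policy.CertificateOID) { $policy.CertificateOID } else { '1.3.6.1.4.1.311.67.1.1' }
Get-BitLockerUsableCertificate -ObjectIdentifier $oid | Format-Table -AutoSize
```

Pick a thumbprint from the output and add the protector with manage-bde -protectors -add E: -Certificate -ct <thumbprint>. Certificates that have an EKU without the OID are omitted on purpose: manage-bde would reject them with a usage-rule error once this policy is enforced.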

None

This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability.

The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment where BitLocker requires additional information such as a PIN or password.

It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of pre-boot input, such as attaching a USB keyboard.

None

This policy setting is used to require encryption of fixed drives prior to granting write access.

Fixed data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

When this policy setting is enabled, users will receive "Access denied" error messages when they try to save to unencrypted fixed data drives.

If BdeHdCfg is run on a computer when this policy setting is enabled, you may encounter the following issues:

  • If you attempted to shrink the drive and create the system drive, the drive size will be successfully reduced and a raw partition created. However, the RAW partition will not be formatted. The following error message is displayed: "The new active Drive cannot be formatted. You may need to manually prepare your drive for BitLocker."

  • If you attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active Drive cannot be formatted. You may need to manually prepare your drive for BitLocker."

  • If you attempted to merge an existing drive into the system drive, the tool will fail to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."

If this policy setting is being enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows and those computers were configured with a single partition, you should create the required BitLocker system partition before applying the policy setting to the computers.

This policy setting is used to require encryption of removable drives prior to granting write access and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with write access.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the Deny write access to devices configured in another organization option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for a valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting.

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

Note
This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the Removable Disks: Deny write access policy setting is enabled, this policy setting will be ignored.

Use of BitLocker with TPM + startup key or TPM + PIN + startup key must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

You must enable the Provide the unique identifiers for your organization policy setting if you want to deny write access to drives configured in another organization.
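An audit of the conflicts listed for the two deny-write policies above (startup keys and recovery keys on USB cannot be written when unprotected removable drives are read-only; cross-organization deny-write needs the identifiers policy; unprotected fixed drives become read-only), as an added example that is not part of the original page. The registry value names are assumed from the VolumeEncryption.admx template and should be verified against your version:

```powershell
# Added example, not from the original page. Reads the local BitLocker policy and
# reports the conflicts described in the text. Value names assumed from the ADMX.
function Get-BitLockerPolicyConflict {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { [pscustomobject]@{} }
    function Get-Value([string]$Name) {
        if ($p.PSObject.Properties[$Name]) { $p.$Name } else { $null }
    }
    $findings = @()

    if ((Get-Value 'RDVDenyWriteAccess') -eq 1) {
        # Startup key options: 0 = do not allow, 1 = require, 2 = allow. Anything but 0
        # conflicts, because the USB key drive could not be written during setup.
        foreach ($name in 'UseTPMKey', 'UseTPMKeyPIN') {
            if ((Get-Value $name) -in 1, 2) {
                $findings += "RDVDenyWriteAccess is enabled but $name permits a USB startup key."
            }
        }
        # Same reasoning for saving a 256-bit recovery key to a USB drive.
        foreach ($name in 'OSRecoveryKey', 'FDVRecoveryKey', 'RDVRecoveryKey') {
            if ((Get-Value $name) -in 1, 2) {
                $findings += "RDVDenyWriteAccess is enabled but $name permits a recovery key on USB."
            }
        }
        if ((Get-Value 'RDVDenyCrossOrg') -eq 1 -and (Get-Value 'IdentificationField') -ne 1) {
            $findings += 'Deny write access to devices configured in another organization is set, ' +
                         'but "Provide the unique identifiers for your organization" is not enabled.'
        }
    }

    if ((Get-Value 'FDVDenyWriteAccess') -eq 1) {
        # Every unprotected fixed data drive will mount read-only once this applies.
        $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
        foreach ($v in $fixed) {
            $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
            if ($bl -and $bl.VolumeType -eq 'Data' -and $bl.ProtectionStatus -ne 'On') {
                $findings += "Fixed data drive $($bl.MountPoint) is not protected and will be mounted read-only."
            }
        }
    }
    $findings
}

Get-BitLockerPolicyConflict
```

Run it on a pilot computer after the GPO has applied (gpupdate /force) and before the policy reaches the whole estate; the fixed-drive finding in particular is the "Access denied" the text warns about, seen before users do.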

This policy setting is used to prevent standard user account from being able to turn BitLocker on or off on removable data drives.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.

When this policy setting is enabled, you can select property settings that control how users can configure BitLocker. Choose Allow users to apply BitLocker protection on removable data drives to permit the user to run the BitLocker setup wizard on a removable data drive. Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker Drive Encryption from the drive or suspend the encryption while maintenance is performed.

If you do not configure this policy setting, users can use BitLocker on removable disk drives.

If you disable this policy setting, users cannot use BitLocker on removable disk drives.

None

This policy setting is used to control encryption method and cipher strength.

All drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy controls the encryption method for drives during encryption. By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher BitLocker uses for encryption. Enterprises may wish to control the encryption level for increased security (AES-256 is stronger than AES-128).

Note
Drives in the process of encrypting and drives already encrypted ignore this policy.

Warning
This policy does not apply to encrypted drives. Encrypted drives use their own algorithm, which is set by the drive during partitioning.

If you enable this policy setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit or the encryption method specified by the setup script.
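Because drives that are already encrypted ignore this policy (see the note above), changing the required cipher in Group Policy does not, by itself, tell you which existing drives still use the old one. The following PowerShell audit is an added example and is not code from the original page or from Microsoft; it uses the Get-BitLockerVolume cmdlet of the BitLocker module shipped with Windows 8 and Windows Server 2012, and the required cipher (Aes256) and function name are assumptions you can change. Volumes reported as Hardware are left out of the verdict, since the software cipher policy does not govern hardware-based encryption.

```powershell
# Added example (not from the original page): list BitLocker volumes whose
# cipher differs from the one the policy now requires. The policy only affects
# drives encrypted after it applies, so existing drives must be found and
# re-encrypted by hand. Requires the BitLocker module (Windows 8 / Server 2012+).

function Test-BitLockerCipherCompliance {
    [CmdletBinding()]
    param(
        # Cipher the organization requires, named as Get-BitLockerVolume
        # reports it in the EncryptionMethod property (assumed default: Aes256).
        [ValidateSet('Aes128', 'Aes256')]
        [string]$RequiredMethod = 'Aes256'
    )

    foreach ($vol in Get-BitLockerVolume) {
        $method = [string]$vol.EncryptionMethod

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Nothing to check yet: the policy is applied when BitLocker is turned on.
            $compliant = $null
        } elseif ($method -eq 'Hardware') {
            # Hardware-based encryption: this policy does not govern its algorithm.
            $compliant = $null
        } else {
            $compliant = ($method -eq $RequiredMethod)
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $method
            Compliant        = $compliant
        }
    }
}

# Usage: show only the drives that still need to be re-encrypted with the
# required cipher. Run from an elevated PowerShell prompt.
Test-BitLockerCipherCompliance -RequiredMethod Aes256 |
    Where-Object { $_.Compliant -eq $false } |
    Format-Table -AutoSize
```

A drive flagged here keeps its current cipher until it is decrypted and encrypted again; BitLocker on these Windows versions does not re-key a volume in place, so plan the re-encryption (Disable-BitLocker, then Enable-BitLocker with -EncryptionMethod) as a separate maintenance step.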

None

This policy controls how BitLocker reacts to systems equipped with encrypted drives when used as fixed data volumes.

Fixed

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting allows you to manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

If you disable this policy setting, BitLocker cannot use hardware-based encryption with fixed data drives and BitLocker software-based encryption will be used by default when the drive is encrypted.

If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.

Note
The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption.

The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OIDs). For example:

  • Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2

  • AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

None

This policy controls how BitLocker reacts to systems equipped with encrypted drives when used as operating system drives.

Operating System Drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.

If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.

Note
The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption.

The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OIDs). For example:

  • Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2

  • AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

None

This policy controls how BitLocker reacts to systems equipped with encrypted drives when used as removable data drives.

Removable data drive

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

If you disable this policy setting, BitLocker cannot use hardware-based encryption with removable data drives and BitLocker software-based encryption will be used by default when the drive is encrypted.

If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.

Note
The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption.

The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OIDs). For example:

  • Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2

  • AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

None

This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy will also cause the BitLocker wizard to skip the encryption options page so no encryption selection displays to the user.

Note
This policy is ignored when shrinking or expanding a volume; the BitLocker driver keeps using the current encryption method. For example, when a drive using Used Disk Space Only encryption is expanded, the new free space is not wiped as it would be for a drive with Full Encryption. If desired, the user can wipe the free space on a Used Space Only drive by running the command manage-bde -w. If the volume is shrunk, no action is taken for the new free space.

Fixed data drive

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.

If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

None

This policy controls whether operating system drives utilize Used Space Only encryption or Full encryption. Setting this policy will also cause the BitLocker wizard to skip the encryption options page so no encryption selection displays to the user.

Note
This policy is ignored when shrinking or expanding a volume; the BitLocker driver keeps using the current encryption method. For example, when a drive using Used Disk Space Only encryption is expanded, the new free space is not wiped as it would be for a drive with Full Encryption. If desired, the user can wipe the free space on a Used Space Only drive by running the command manage-bde -w. If the volume is shrunk, no action is taken for the new free space.

Operating system drive

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.

If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

None

This policy controls whether removable data drives utilize Used Space Only encryption or Full encryption. Setting this policy will also cause the BitLocker wizard to skip the encryption options page so no encryption selection displays to the user.

Note
This policy is ignored when shrinking or expanding a volume; the BitLocker driver keeps using the current encryption method. For example, when a drive using Used Disk Space Only encryption is expanded, the new free space is not wiped as it would be for a drive with Full Encryption. If desired, the user can wipe the free space on a Used Space Only drive by running the command manage-bde -w. If the volume is shrunk, no action is taken for the new free space.

Removable data drive

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.

If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

None

This policy setting is used to configure recovery methods for operating system drives.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The Allow certificate-based data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note
If the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

This policy setting is used to configure recovery methods for drives on computers running Windows Server 2008 or Windows Vista.

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.

Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.

If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.

If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store recovery options.

Important
If TPM initialization is performed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information.

The 48-digit recovery password will not be available in FIPS-compliance mode.

This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

This policy setting is used to configure storage of BitLocker recovery information in AD DS.

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting allows you to manage the AD DS backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

If you enable this policy setting, BitLocker recovery information will be automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

If you select Require BitLocker backup to AD DS, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recovery password may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, BitLocker recovery information will not be backed up to AD DS.

TPM initialization may be needed during BitLocker setup. Enable the Turn on TPM backup to Active Directory Domain Services policy setting in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services to ensure that TPM information is also backed up.

If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. For more information, see Backing Up BitLocker and TPM Recovery Information to AD DS.

None

This policy setting is used to configure the default folder for recovery passwords.

All drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, you can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify either a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker setup wizard will display the computer's top-level folder view.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

Note
This policy setting does not prevent the user from saving the recovery password in another folder.

None

This policy setting is used to configure recovery methods for fixed data drives.

Fixed data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted by using the Repair-bde command-line tool. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note
If the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

This policy setting is used to configure recovery methods for removable data drives.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for removable data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note
If the Do not enable BitLocker until recovery information is stored in AD DS for removable data drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected removable data drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.
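The recovery policies for operating system, fixed and removable drives above, like the older Store BitLocker recovery information in AD DS setting, only enforce the AD DS backup at the moment BitLocker is turned on. Drives encrypted before the policy was deployed, or while the computer was off the network, may therefore have no recovery password in the directory. The following PowerShell routine is an added example, not code from the original page or from Microsoft: it walks every volume with Get-BitLockerVolume, adds a numerical recovery password protector where none exists, and pushes it to AD DS with Backup-BitLockerKeyProtector. It assumes the BitLocker module of Windows 8 / Windows Server 2012, a domain-joined computer whose directory schema already holds BitLocker recovery objects, and an elevated prompt; the function name is an assumption.

```powershell
# Added example (not from the original page): make sure each protected volume
# has a recovery password protector that is backed up to AD DS, the manual
# equivalent of what the "Do not enable BitLocker until recovery information
# is stored in AD DS" option enforces at setup time. Honours -WhatIf.

function Sync-BitLockerRecoveryPasswordToAD {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # By default only volumes BitLocker currently protects are touched.
        [switch]$IncludeUnprotected
    )

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On' -and -not $IncludeUnprotected) { continue }

        $protector = $vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object -First 1

        if (-not $protector -and
            $PSCmdlet.ShouldProcess($vol.MountPoint, 'Add recovery password protector')) {
            # Returns the refreshed volume object including the new protector.
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $protector = $vol.KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                Select-Object -First 1
        }

        $result = 'Skipped'
        if ($protector -and
            $PSCmdlet.ShouldProcess($vol.MountPoint, "Back up $($protector.KeyProtectorId) to AD DS")) {
            try {
                # -ErrorAction Stop turns a failed directory write into a catchable error.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
                $result = 'BackedUp'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            KeyProtectorId = if ($protector) { $protector.KeyProtectorId } else { $null }
            AdBackup       = $result
        }
    }
}

# Usage: preview first, then run for real and keep the report.
Sync-BitLockerRecoveryPasswordToAD -WhatIf
Sync-BitLockerRecoveryPasswordToAD | Format-Table -AutoSize
```

Backup-BitLockerKeyProtector writes the recovery password for the given protector; a Failed row usually means the computer cannot reach a domain controller or the computer object lacks permission to create the recovery information, which is exactly the condition the policy's Require backup option would have refused to encrypt under.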

This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies BCD settings according to the Secure Boot policy.

All drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.

If you enable or do not configure this policy setting, BitLocker will use Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

If you disable this policy setting, BitLocker will use legacy platform integrity validation, even on systems capable of Secure Boot-based integrity validation.

When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the Use enhanced Boot Configuration Data validation profile group policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.

If the Group Policy setting Configure TPM platform validation profile for native UEFI firmware configurations is enabled and has PCR 7 omitted, BitLocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
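Whether a given computer actually ended up with Secure Boot as its integrity provider depends on the firmware, this policy and the PCR 7 interaction described above, so it is worth checking on the machine itself. The PowerShell function below is an added example, not code from the original page or from Microsoft. It combines the Confirm-SecureBootUEFI cmdlet (Windows 8 / Windows Server 2012) with the PCR Validation Profile that manage-bde -protectors -get prints for the TPM protector; PCR 7 in that profile is what Secure Boot-based validation binds to. The parser assumes English manage-bde output, and the sample output embedded for offline use is constructed, not captured.

```powershell
# Added example (not from the original page): report whether the operating
# system drive's TPM protector uses Secure Boot (PCR 7) or the legacy PCR
# profile for platform integrity validation.

function Get-BitLockerIntegrityProvider {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Optional pre-captured "manage-bde -protectors -get" output, so the
        # parser can be exercised without a TPM or elevation.
        [string[]]$ManageBdeOutput
    )

    # Firmware view: $true/$false from UEFI; $null when the cmdlet cannot
    # answer (BIOS or CSM systems, or a non-elevated prompt).
    $secureBootOn = $null
    try { $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    if (-not $ManageBdeOutput) {
        $ManageBdeOutput = & manage-bde.exe -protectors -get $MountPoint 2>&1 |
            ForEach-Object { [string]$_ }
    }

    # manage-bde prints the PCR list either on the same line as the label or
    # on the line that follows it; handle both layouts.
    $profile = $null
    for ($i = 0; $i -lt $ManageBdeOutput.Count; $i++) {
        if ($ManageBdeOutput[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $profile = $Matches[1].Trim()
            if (-not $profile -and $i + 1 -lt $ManageBdeOutput.Count) {
                $profile = $ManageBdeOutput[$i + 1].Trim()
            }
            break
        }
    }

    $pcrs = @()
    if ($profile) {
        $pcrs = [regex]::Matches($profile, '\d+') | ForEach-Object { [int]$_.Value }
    }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        SecureBootEnabled = $secureBootOn
        PcrProfile        = $profile
        UsesSecureBoot    = [bool]($pcrs -contains 7)
        # A TPM protector without PCR 7 means legacy BIOS/MBR-style validation.
        LegacyValidation  = [bool]($profile -and -not ($pcrs -contains 7))
    }
}

# Constructed sample (not real captured output) to exercise the parser offline.
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {PLACEHOLDER-PROTECTOR-ID}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@ -split "`r?`n"

Get-BitLockerIntegrityProvider -MountPoint 'C:' -ManageBdeOutput $sample
# On a live system, simply: Get-BitLockerIntegrityProvider
```

A result with SecureBootEnabled true but UsesSecureBoot false is the case the last paragraph describes: the firmware supports Secure Boot, yet the TPM protector was sealed to a profile without PCR 7, typically because the native UEFI platform validation profile policy omitted it or the drive was encrypted with this policy disabled.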

This policy setting is used to establish an identifier that is applied to all drives encrypted in your organization.

All drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting allows you to associate unique organizational identifiers with a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier with BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will update the BitLocker To Go Reader only when the identification field on the drive matches the value configured for the identification field.

The allowed identification field is used in combination with the Deny write access to removable drives not protected by BitLocker policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or other external organizations.

You can configure the identification fields on existing drives by using the Manage-bde command-line tool.

If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.

When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.

Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value of 260 characters or fewer.

If you disable or do not configure this policy setting, the identification field is not required.

Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will manage and update certificate-based data recovery agents only when the identification field is present on a drive and is identical to the value configured on the computer.
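Two of the follow-up actions this page leaves to Manage-bde, stamping the organization's identification field onto drives that were encrypted before the identifier policy existed (this section) and wiping free space on Used Space Only volumes after a resize (the encryption type notes earlier on the page), both start from the same place: knowing each volume's current state. The PowerShell block below is an added example, not code from the original page or from Microsoft. It parses manage-bde -status into objects and then drives manage-bde -SetIdentifier and manage-bde -w from that state; it assumes English manage-bde output, an elevated prompt, and the function names and the example identification field value Contoso are assumptions. The sample status output embedded for offline use is constructed, not captured.

```powershell
# Added example (not from the original page): turn "manage-bde -status" into
# objects, then apply two policy follow-ups the page describes: set the
# organization's identification field on drives that lack it, and wipe free
# space on Used Space Only volumes after they were expanded. Honours -WhatIf.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ MountPoint = $Matches[1] }
        } elseif ($current -and $line -match '^\s+([A-Za-z ]+):\s*(.*)$') {
            # "Conversion Status" becomes ConversionStatus, and so on.
            $current[($Matches[1] -replace '\s', '')] = $Matches[2].Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-ManageBdeStatus {
    # Runs the real tool; needs an elevated prompt.
    $raw = & manage-bde.exe -status 2>&1 | ForEach-Object { [string]$_ }
    ConvertFrom-ManageBdeStatus -Lines $raw
}

function Invoke-BitLockerPolicyFollowUp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][object[]]$Status,
        # Value configured in "Provide the unique identifiers for your
        # organization"; Contoso is an assumed example value.
        [string]$IdentificationField = 'Contoso',
        [switch]$WipeFreeSpace
    )
    foreach ($vol in $Status) {
        $actions = @()
        $encrypted = $vol.ConversionStatus -and $vol.ConversionStatus -ne 'Fully Decrypted'

        # -SetIdentifier applies the identification field from policy; it only
        # makes sense on a drive that is actually BitLocker-protected.
        if ($encrypted -and $vol.IdentificationField -ne $IdentificationField) {
            $actions += 'SetIdentifier'
            if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'manage-bde -SetIdentifier')) {
                & manage-bde.exe -SetIdentifier $vol.MountPoint | Out-Null
            }
        }
        if ($WipeFreeSpace -and $vol.ConversionStatus -eq 'Used Space Only Encrypted') {
            $actions += 'WipeFreeSpace'
            if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'manage-bde -w')) {
                & manage-bde.exe -w $vol.MountPoint | Out-Null
            }
        }
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ConversionStatus    = $vol.ConversionStatus
            IdentificationField = $vol.IdentificationField
            Actions             = ($actions -join ', ')
        }
    }
}

# Constructed sample (not real captured output) for an offline dry run.
$sample = @'
Volume D: [Data]
[Data Volume]

    Size:                 200.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Password
        Numerical Password
'@ -split "`r?`n"

Invoke-BitLockerPolicyFollowUp -Status (ConvertFrom-ManageBdeStatus $sample) -WipeFreeSpace -WhatIf
# Live run: Invoke-BitLockerPolicyFollowUp -Status (Get-ManageBdeStatus) -WipeFreeSpace
```

The dry run reports both actions for the sample volume: its identification field is None rather than the organization's value, and it is Used Space Only encrypted. Keep the -WipeFreeSpace switch for the maintenance window after a volume expansion; wiping free space is a full pass over the unused area of the disk.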

The policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.

All drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled.

If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets.

If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.

None

This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure how the computer's TPM security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Important
This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with a CSM enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting to configure the TPM PCR profile for computers using native UEFI firmware.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:

  • Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)

  • Option ROM Code (PCR 2)

  • Master Boot Record (MBR) Code (PCR 4)

  • NTFS Boot Sector (PCR 8)

  • NTFS Boot Block (PCR 9)

  • Boot Manager (PCR 10)

  • BitLocker Access Control (PCR 11)

Note
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

The following list identifies all of the PCRs available:

  • PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions

  • PCR 1: Platform and motherboard configuration and data.

  • PCR 2: Option ROM code

  • PCR 3: Option ROM data and configuration

  • PCR 4: Master Boot Record (MBR) code

  • PCR 5: Master Boot Record (MBR) partition table

  • PCR 6: State transition and wake events

  • PCR 7: Computer manufacturer-specific

  • PCR 8: NTFS boot sector

  • PCR 9: NTFS boot block

  • PCR 10: Boot manager

  • PCR 11: BitLocker access control

  • PCR 12-23: Reserved for future use

Warning
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

None

This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure how the computer's TPM security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:

  • Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)

  • Option ROM Code (PCR 2)

  • Master Boot Record (MBR) Code (PCR 4)

  • NTFS Boot Sector (PCR 8)

  • NTFS Boot Block (PCR 9)

  • Boot Manager (PCR 10)

  • BitLocker Access Control (PCR 11)

Note
The default TPM Validation Profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.

The following list identifies all of the PCRs available:

  • PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code

  • PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration

  • PCR 2: Option ROM code

  • PCR 3: Option ROM data and configuration

  • PCR 4: Master Boot Record (MBR) code or code from other boot devices

  • PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table

  • PCR 6: State transition and wake events

  • PCR 7: Computer manufacturer-specific

  • PCR 8: NTFS boot sector

  • PCR 9: NTFS boot block

  • PCR 10: Boot manager

  • PCR 11: BitLocker access control

  • PCR 12-23: Reserved for future use

Warning
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

None

This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Important
This group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for BIOS-based firmware configurations" group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM enabled.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).

The following list identifies all of the PCRs available:

  • PCR 0: Core System Firmware executable code

  • PCR 1: Core System Firmware data

  • PCR 2: Extended or pluggable executable code

  • PCR 3: Extended or pluggable firmware data

  • PCR 4: Boot Manager

  • PCR 5: GPT/Partition Table

  • PCR 6: Resume from S4 and S5 Power State Events

  • PCR 7: Secure Boot State

  • PCR 8: Initialized to 0 with no Extends (reserved for future use)

  • PCR 9: Initialized to 0 with no Extends (reserved for future use)

  • PCR 10: Initialized to 0 with no Extends (reserved for future use)

  • PCR 11: BitLocker access control

  • PCR 12: Data events and highly volatile events

  • PCR 13: Boot Module Details

  • PCR 14: Boot Authorities

  • PCR 15-23: Reserved for future use

Warning
Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

Setting this policy with PCR 7 omitted overrides the Allow Secure Boot for integrity validation Group Policy setting and prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

If your environments will be using both TPM and Secure Boot for platform integrity checks, this policy should be left Not Configured.
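The three platform validation profile policies above (BIOS/CSM, pre-Windows 8 EFI, and native UEFI) all end up as a list of PCR indices bound to each TPM-based key protector. The following PowerShell script is an added example, not code from the TechNet page or from Microsoft: it reads that list for every TPM protector through the documented Win32_EncryptableVolume methods GetKeyProtectors and GetKeyProtectorPlatformValidationProfile, compares it with the default profile the page states for the machine's firmware type (0, 2, 4, 8, 9, 10, 11 for BIOS/CSM; 0, 2, 4, 11 for native UEFI), and flags a native UEFI profile that omits PCR 7, since the warning above says that disables Secure Boot based integrity validation. The firmware type is taken from the PEFirmwareType registry value (1 = BIOS, 2 = UEFI). Run it elevated.

```powershell
# Added example (not from the TechNet page): show the PCR validation profile bound to each
# TPM-based key protector, compare it with the default profile stated in the policy text,
# and flag native UEFI profiles that omit PCR 7 (Secure Boot state).

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# PEFirmwareType: 1 = BIOS (or UEFI with CSM), 2 = native UEFI.
$firmware = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue).PEFirmwareType
$isUefi   = ($firmware -eq 2)

# Defaults as stated by the policy descriptions on this page.
$defaultProfile = if ($isUefi) { 0, 2, 4, 11 } else { 0, 2, 4, 8, 9, 10, 11 }

foreach ($vol in Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume) {
    # KeyProtectorType: 1 = TPM, 4 = TPM+PIN, 5 = TPM+startup key, 6 = TPM+PIN+startup key.
    foreach ($type in 1, 4, 5, 6) {
        $kp = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]$type }
        if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) { continue }

        foreach ($kpId in $kp.VolumeKeyProtectorID) {
            $prof = Invoke-CimMethod -InputObject $vol `
                      -MethodName GetKeyProtectorPlatformValidationProfile `
                      -Arguments @{ VolumeKeyProtectorID = $kpId }
            # The profile comes back as a byte array of PCR indices.
            $pcrs = @($prof.PlatformValidationProfile | ForEach-Object { [int]$_ } | Sort-Object)

            $isDefault = (($pcrs -join ',') -eq ($defaultProfile -join ','))
            $note = if ($isUefi -and ($pcrs -notcontains 7)) {
                        'PCR 7 omitted: Secure Boot is not used for integrity validation'
                    } elseif ($isDefault) { 'default profile' }
                    else { 'custom profile: more or fewer boot components measured than the default' }

            [pscustomobject]@{
                Drive          = $vol.DriveLetter
                ProtectorType  = $type
                ProtectorId    = $kpId
                PCRs           = ($pcrs -join ',')
                Firmware       = $(if ($isUefi) { 'UEFI' } else { 'BIOS/CSM' })
                Note           = $note
            }
        }
    }
}
```

The same information is printed by `manage-bde -protectors -get <drive>` as "PCR Validation Profile"; the script form is useful when the check has to run across many computers, and the comparison against the defaults makes an unintended custom profile stand out before it causes recovery prompts after a firmware update.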

This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.

If you disable this policy setting, platform validation data will not be refreshed when Windows is started following BitLocker recovery.

If you do not configure this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.

None

This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation.

Operating system drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

If you enable this policy setting, you will be able to add additional BCD settings to verify, exclude the BCD settings you specify, or combine both inclusion and exclusion lists to create a customized BCD validation profile.

If you disable this policy setting, the computer will revert to a BCD profile validation similar to the default BCD profile used by Windows 7.

If you do not configure this policy setting, the computer will verify the default Windows BCD settings.

Note
The setting that controls boot debugging (0x16000010) will always be validated and will have no effect if it is included in either the inclusion or the exclusion list.

When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, as defined by the Allow Secure Boot for integrity validation Group Policy setting, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored.

This policy setting is used to control whether access to drives by using the BitLocker To Go Reader is allowed and if the application is installed to the drive.

Fixed data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

This policy setting configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems.

If this policy setting is enabled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted fixed drives check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the Provide unique identifiers for your organization policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note
This policy setting does not apply to drives that are formatted with the NTFS file system.

None

This policy setting controls access to removable data drives using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed to the drive.

Removable data drives

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

This policy setting configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 operating systems.

If this policy setting is enabled or not configured, removable data drives formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted removable drives check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the Provide unique identifiers for your organization policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader will be deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note
This policy setting does not apply to drives that are formatted with the NTFS file system.

None

You can configure the Federal Information Processing Standard (FIPS) settings for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.

Important
If you enable this setting, users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption wizard to create a recovery password.

You can save the optional recovery key to a USB flash drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error occurs if Group Policy requires AD DS backup of recovery information.

You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform either of these procedures.

The FIPS setting is located in the Security Policy Editor at Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
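Because FIPS mode removes the recovery password as an option, the practical check is whether each BitLocker volume still has a recovery key and whether policy also demands AD DS backup (the combination that fails, as the Important note above says). The following PowerShell script is an added example, not code from the TechNet page or from Microsoft: it reads the FIPS state from the Lsa\FipsAlgorithmPolicy registry key the Security Policy Editor writes, inventories the key protectors with the Windows 8 Get-BitLockerVolume cmdlet, and reports volumes that would be left without a recovery method. The policy value name OSRequireActiveDirectoryBackup is an assumption about the FVE ADMX; treat it as a placeholder to confirm against your templates.

```powershell
# Added example (not from the TechNet page): report FIPS state and per-volume recovery
# protectors. Under FIPS a recovery password cannot be created or saved, so a recovery key
# (ExternalKey protector, .BEK file) is the only recovery method left.

$fipsEnabled = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                 -ErrorAction SilentlyContinue).Enabled -eq 1

# Assumed value name for "require AD DS backup" on OS drives; placeholder, check your ADMX.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$adBackupRequired = ($fve.OSRequireActiveDirectoryBackup -eq 1)

Write-Output ('FIPS compliant algorithms policy: ' + $(if ($fipsEnabled) { 'Enabled' } else { 'Disabled or not configured' }))
if ($fipsEnabled -and $adBackupRequired) {
    Write-Warning 'FIPS is enabled but policy requires AD DS backup of the recovery password; turning on BitLocker will fail until one of the two settings is changed.'
}

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasRecoveryPassword = $types -contains 'RecoveryPassword'   # 48-digit numerical password
    $hasRecoveryKey      = $types -contains 'ExternalKey'        # .BEK file, typically on USB

    # Under FIPS only the recovery key counts; without it there is no recovery path.
    $status = if (-not $fipsEnabled)    { 'FIPS off: recovery password permitted' }
              elseif ($hasRecoveryKey)  { 'ok: recovery key present' }
              else                      { 'no recovery key: add one with manage-bde -protectors -add <drive> -rk <path>' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        ProtectionStatus = $vol.ProtectionStatus
        RecoveryPassword = $hasRecoveryPassword
        RecoveryKey      = $hasRecoveryKey
        Status           = $status
    }
}
```

Running this before enabling the FIPS security option shows which volumes rely solely on a recovery password, so a recovery key can be created and stored while the password route is still available.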

A PC's default power settings cause the computer to enter Sleep frequently to conserve power when idle and to extend battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When resuming from Sleep, users are not required to re-authenticate with a PIN or USB startup key to access encrypted data, which might lead to conditions where data security is compromised. However, when a computer hibernates, the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users need to provide a PIN or a startup key if multifactor authentication is used with BitLocker. Therefore, organizations using BitLocker may wish to use Hibernate instead of Sleep for improved security. This setting has no impact on TPM-only mode, because that mode provides a transparent user experience at startup and when resuming from Hibernate.

You can use the following Group Policy settings located in Computer Configuration\Policies\Administrative Templates\System\Power Management to disable all available sleep states:

Setting                                                  Configuration
Allow Standby States (S1-S3) When Sleeping (Plugged In)  Disabled
Allow Standby States (S1-S3) When Sleeping (Battery)     Disabled
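The two settings in the table are normally deployed through GPMC; the following PowerShell script is an added example, not code from the TechNet page or from Microsoft, showing the same configuration applied as local computer policy and verified afterwards. The power-setting GUID abfc2519-3608-4c2a-94ea-171b0ed546ab for "Allow Standby States (S1-S3) When Sleeping" and the Policies\Microsoft\Power\PowerSettings key layout with ACSettingIndex (plugged in) and DCSettingIndex (battery) are assumptions about the Power ADMX and should be confirmed against your templates before deployment. The hibernate and verification commands are standard powercfg switches. Run it elevated.

```powershell
# Added example (not from the TechNet page): disable S1-S3 standby on AC and battery via the
# policy registry path the Power Management ADMX writes, keep Hibernate available, and verify.
# Assumed GUID and key layout; confirm against Power.admx before using in production.

$guid = 'abfc2519-3608-4c2a-94ea-171b0ed546ab'   # "Allow standby states (S1-S3) when sleeping"
$key  = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\$guid"

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# 0 = Disabled for both the plugged-in (AC) and battery (DC) variants of the setting.
Set-ItemProperty -Path $key -Name ACSettingIndex -Value 0 -Type DWord
Set-ItemProperty -Path $key -Name DCSettingIndex -Value 0 -Type DWord

# Hibernate locks the drive and requires the PIN or startup key on resume, so make sure it
# remains enabled as the idle-power alternative to Sleep.
powercfg /hibernate on

# Read back what was written, then let powercfg report which sleep states the system offers.
Get-ItemProperty -Path $key | Select-Object ACSettingIndex, DCSettingIndex
powercfg /a
```

After a policy refresh (`gpupdate /force`) the Sleep option should no longer be offered to users while Hibernate still is; if `powercfg /a` still lists S3 as available, check that the GUID and value names match your ADMX, since those are the assumed parts of this script.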

© 2014 Microsoft