Global

Choose drive encryption method and cipher strength

Set to not configured.

Global

Prevent memory overwrite on restart

Set to not configured.

Global

Provide the unique identifiers for your organization

Set to enabled, and enter an identifier in the BitLocker identification field.

Operating system drives

Choose how BitLocker-protected operating system drives can be recovered

Set to enabled, save BitLocker recovery information to Active Directory Domain Services (AD DS) for operating system drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for operating system drives, and omit recovery options from the BitLocker setup wizard.

For more information about storing BitLocker recovery information in AD DS, see Backing Up BitLocker and TPM Recovery Information to AD DS.

Operating system drives

Configure minimum PIN length for startup

Set to enabled, and require a personal identification number (PIN) of at least seven numerals.

Operating system drives

Require additional authentication at startup

Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).

Fixed data drives

Choose how BitLocker-protected fixed drives can be recovered

Set to enabled, save BitLocker recovery information to AD DS for fixed data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

Fixed data drives

Configure use of passwords for fixed data drives

If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.

Fixed data drives

Configure use of smart cards on fixed data drives

If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.

Removable data drives

Choose how BitLocker-protected removable drives can be recovered

Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.

Removable data drives

Configure use of passwords for removable data drives

Set to enabled, set a minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.

Removable data drives

Configure use of smart cards on removable data drives

Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.

Removable data drives

Control use of BitLocker on removable drives

Set to enabled, and allow users to apply BitLocker protection on removable drives.

Removable data drives

Deny write access to removable data drives not protected by BitLocker

Set to enabled, and disallow write access to devices configured in another organization.

Note
This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.

Provide end-user training before requiring BitLocker use on desktop and mobile computers.

Using BitLocker to protect drives will require users to change how they interact with their computers. For example, if you decide to require a startup PIN and USB key to unlock the operating system drive, instruct users not to record the PIN that they use for BitLocker authentication in an easily accessed location, such as a note under the keyboard or inside a laptop case, and not to leave a USB flash drive containing the startup key connected to the computer or stored in the same location as the computer. Create policies for the use of recovery keys and inform users of the recovery process decided upon for your organization. If you plan to use password protection for BitLocker on removable drives, inform users of the password requirements in advance so that they can prepare a strategy for remembering their passwords before they configure BitLocker.

Use multifactor authentication on operating system drives.

Using multifactor authentication increases drive security. Operating system drives can be authenticated by using any of the following key protector combinations:

• TPM (version 1.2) and PIN
  
  
• TPM and startup key stored on a USB flash drive
  
  
• TPM, startup key, and PIN
  
  

Store recovery information in AD DS.

If you choose to store recovery information on an NTFS hard drive, the recovery information might be obtained by untrusted individuals who were able to gain access to the hard drive and then used to unlock the BitLocker-protected drive. By storing recovery information in AD DS, the user must be able to be authenticated by the domain as a data recovery agent to obtain the recovery information for the drive.

Suspend and resume BitLocker protection immediately following recovery of an operating system drive.

When access to an operating system drive is recovered, the recovery key is stored unencrypted on the hard disk, and the drive will be unprotected until you suspend and resume BitLocker.

Disable the use of standby mode for portable computers if you are using BitLocker on operating system drives. To do this, open the Local Group Policy Editor. Under Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings, set Allow Standby States (S1-S3) When Sleeping (Plugged In) to Disabled, and then set Allow Standby States (S1-S3) When Sleeping (On Battery) to Disabled.

BitLocker protection is in effect only when the computer is turned off or in hibernation.

If there is any concern that BitLocker keys have been compromised, it is recommended that you either format the drive to remove all instances of the BitLocker metadata from the drive or that you decrypt and encrypt the entire drive again.

Note
Deleting the partition by using the Virtual Disk service does not invalidate the BitLocker metadata.

The BitLocker metadata must be removed before new BitLocker keys will be created.

Encrypt drives prior to writing sensitive data to them when possible.

Some wear-leveling algorithms used by flash-based memory drives could expose data stored in plaintext. Encrypting the drive prior to writing sensitive data to it ensures the data is never stored in plaintext.