
BitLocker GPO Settings

Computer Configuration (Enabled)
  Policies
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.

System/Removable Storage Access

  Removable Disks: Deny write access [Disabled]
System/Trusted Platform Module Services

  Turn on TPM backup to Active Directory Domain Services [Enabled]
      Require TPM backup to AD DS: Enabled
      If selected, cannot set or change TPM owner password if backup fails (recommended default).
      If not selected, can set or change TPM owner password even if backup fails. Backup is not automatically retried.
Windows Components/BitLocker Drive Encryption

  Choose default folder for recovery password [Enabled]
      Configure the default folder path: \\your-domain.com\dfs\users\%USERNAME%
      Specify a fully qualified path or include the computer’s environment variables in the path.
      For example, enter “\\server\backupfolder”, or “%SecureDriveEnvironmentVariable%\backupfolder”.
      Note: In all cases, the user will be able to select other folders in which to save the recovery password.

  Choose drive encryption method and cipher strength [Enabled]
      Select the encryption method: AES 256-bit with Diffuser

  Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) [Enabled]
      Important: To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options below, you must enable backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
      Configure 48-digit recovery password: Require recovery password (default)
      Configure 256-bit recovery key: Require recovery key (default)
      Note: If you do not allow the recovery password and require the recovery key, users cannot enable BitLocker without saving to USB.

  Prevent memory overwrite on restart [Disabled]

  Provide the unique identifiers for your organization [Enabled]
      BitLocker identification field: Your Company Name, Inc.
      Allowed BitLocker identification field: Your Shorthand Company Name

  Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) [Enabled]
      Require BitLocker backup to AD DS: Enabled
      If selected, cannot turn on BitLocker if backup fails (recommended default).
      If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
      Select BitLocker recovery information to store: Recovery passwords and key packages
      A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.
      A key package contains a drive’s BitLocker encryption key secured by one or more recovery passwords.
      Key packages may help perform specialized recovery when the disk is damaged or corrupted.
Windows Components/BitLocker Drive Encryption/Fixed Data Drives

  Allow access to BitLocker-protected fixed data drives from earlier versions of Windows [Enabled]
      Do not install BitLocker To Go Reader on FAT formatted fixed drives: Disabled

  Choose how BitLocker-protected fixed drives can be recovered [Enabled]
      Allow data recovery agent: Enabled
      Configure user storage of BitLocker recovery information:
          Allow 48-digit recovery password
          Allow 256-bit recovery key
      Omit recovery options from the BitLocker setup wizard: Disabled
      Save BitLocker recovery information to AD DS for fixed data drives: Enabled
      Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
      Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Enabled

  Configure use of passwords for fixed data drives [Enabled]
      Require password for fixed data drive: Enabled
      Configure password complexity for fixed data drives: Allow password complexity
      Minimum password length for fixed data drive: 8
      Note: You must enable the “Password must meet complexity requirements” policy setting for the password complexity setting to take effect.

  Deny write access to fixed drives not protected by BitLocker [Enabled]
Windows Components/BitLocker Drive Encryption/Operating System Drives

  Allow enhanced PINs for startup [Enabled]

  Choose how BitLocker-protected operating system drives can be recovered [Enabled]
      Allow data recovery agent: Enabled
      Configure user storage of BitLocker recovery information:
          Allow 48-digit recovery password
          Allow 256-bit recovery key
      Omit recovery options from the BitLocker setup wizard: Disabled
      Save BitLocker recovery information to AD DS for operating system drives: Enabled
      Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
      Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled

  Configure minimum PIN length for startup [Enabled]
      Minimum characters: 4

  Require additional authentication at startup [Enabled]
      Allow BitLocker without a compatible TPM: Enabled (requires a startup key on a USB flash drive)
      Settings for computers with a TPM:
          Configure TPM startup: Allow TPM
          Configure TPM startup PIN: Allow startup PIN with TPM
          Configure TPM startup key: Allow startup key with TPM
          Configure TPM startup key and PIN: Allow startup key and PIN with TPM

  Require additional authentication at startup (Windows Server 2008 and Windows Vista) [Enabled]
      Allow BitLocker without a compatible TPM: Enabled (requires a startup key on a USB flash drive)
      Settings for computers with a TPM:
          Configure TPM startup key: Allow startup key with TPM
          Configure TPM startup PIN: Allow startup PIN with TPM
      Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
      Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.
Windows Components/BitLocker Drive Encryption/Removable Data Drives

  Allow access to BitLocker-protected removable data drives from earlier versions of Windows [Enabled]
      Do not install BitLocker To Go Reader on FAT formatted removable drives: Disabled

  Choose how BitLocker-protected removable drives can be recovered [Enabled]
      Allow data recovery agent: Enabled
      Configure user storage of BitLocker recovery information:
          Allow 48-digit recovery password
          Allow 256-bit recovery key
      Omit recovery options from the BitLocker setup wizard: Disabled
      Save BitLocker recovery information to AD DS for removable data drives: Enabled
      Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
      Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: Enabled

  Configure use of passwords for removable data drives [Enabled]
      Require password for removable data drive: Enabled
      Configure password complexity for removable data drives: Allow password complexity
      Minimum password length for removable data drive: 8
      Note: You must enable the “Password must meet complexity requirements” policy setting for the password complexity setting to take effect.

  Control use of BitLocker on removable drives [Enabled]
      Allow users to apply BitLocker protection on removable data drives: Enabled
      Allow users to suspend and decrypt BitLocker protection on removable data drives: Enabled

  Deny write access to removable drives not protected by BitLocker [Disabled]