What are the Microsoft Recommended GPOs for handling Azure Disk Encryption Recovery Keys for Windows?

Michael Dubissette 1 Reputation point
2021-09-30T19:47:11.227+00:00

Hello. I have a Windows Server 2016 VM that is domain joined within Azure. I'm wondering what the Microsoft recommended AD DS GPOs are for Azure Disk Encryption to handle the recovery keys, with the following being what I'm considering based on my research:

  1. Allow BitLocker without a compatible TPM (Will require configuring PIN/PASSWORD protector)
  2. Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key
  3. Configure ADDS GPOs or third party to store recovery keys

There are a number of BitLocker GPOs, as contained within the following:

https://learn.microsoft.com/en-us/azure/virtual-machines/Windows/disk-encryption-overview#group-policy-requirements

https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol1

Because this is a server, I'm trying to avoid a "full BitLocker" implementation just for ADE, and I'm looking for the minimum GPOs to address Azure ADE requirements and handle Azure recovery keys.

Thanks

Mark
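As an added example, not part of the original post or of any Microsoft guidance, the following PowerShell script reads the BitLocker policy registry hive that Group Policy writes on the VM and reports the values that the ADE documentation linked above says matter (no enforced TPM protector, the 256-bit recovery key not disallowed, AES-CBC not blocked), plus whether AD DS backup of OS-drive recovery information is switched on. The registry value names are my reading of the BitLocker ADMX (VolumeEncryption.admx) and the numeric encodings in the comments are assumptions to confirm against rsop.msc on your own domain; nothing here changes policy, it only reports.

```powershell
# Added example (not from the original post): report the effective BitLocker policy on a
# domain-joined VM against the Azure Disk Encryption (ADE) Group Policy requirements.
# Run elevated on the VM after `gpupdate /force`. Value names follow VolumeEncryption.admx
# as I read it; the 0/1/2 and 3/4/6/7 encodings below are assumptions, confirm with rsop.msc.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

function Get-PolicyValue {
    # Returns the DWORD for a policy value, or $null when the policy is "Not Configured".
    param([string]$Name)
    if ($null -eq $pol) { return $null }
    $p = $pol.PSObject.Properties[$Name]
    if ($null -eq $p) { $null } else { $p.Value }
}

$findings = @()

# 1. "Require additional authentication at startup" (UseAdvancedStartup = 1 enables it)
#    -> "Allow BitLocker without a compatible TPM" (EnableBDEWithNoTPM = 1).
#    ADE does not use a TPM protector, so any UseTPM* value of 1 ("Require") breaks it.
$adv   = Get-PolicyValue 'UseAdvancedStartup'
$noTpm = Get-PolicyValue 'EnableBDEWithNoTPM'
$findings += [pscustomobject]@{ Check = 'Allow BitLocker without a compatible TPM'
                                Value = "enabled=$adv noTPM=$noTpm"; Ok = ($adv -eq 1 -and $noTpm -eq 1) }
foreach ($n in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    $v = Get-PolicyValue $n
    $findings += [pscustomobject]@{ Check = "$n not set to Require"; Value = $v; Ok = ($v -ne 1) }
}

# 2. "Configure user storage of BitLocker recovery information": the 256-bit recovery key
#    must not be disallowed. Assumed encoding: 0 = Do not allow, 1 = Require, 2 = Allow.
$rk = Get-PolicyValue 'UseRecoveryDrive'
$findings += [pscustomobject]@{ Check = '256-bit recovery key allowed (or policy unset)'
                                Value = $rk; Ok = ($rk -ne 0) }

# 3. ADE uses AES-CBC; a domain policy forcing XTS blocks it.
#    Assumed encoding: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
foreach ($n in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv') {
    $v = Get-PolicyValue $n
    $findings += [pscustomobject]@{ Check = "$n permits AES-CBC"; Value = $v
                                    Ok = ($null -eq $v -or $v -in 3, 4) }
}

# 4. Informational: is "Choose how BitLocker-protected operating system drives can be
#    recovered" backing recovery info up to AD DS? Not an ADE requirement; the BEK that
#    ADE generates is kept in Key Vault regardless of this setting.
$adBackup  = Get-PolicyValue 'OSActiveDirectoryBackup'
$adRequire = Get-PolicyValue 'OSRequireActiveDirectoryBackup'
$findings += [pscustomobject]@{ Check = 'OS recovery info saved to AD DS (informational)'
                                Value = "backup=$adBackup requireBeforeEncrypt=$adRequire"
                                Ok    = ($adBackup -eq 1) }

$findings | Format-Table -AutoSize

# What the volumes actually carry: an ADE-encrypted volume shows an ExternalKey protector
# (the BEK secret in Key Vault), not a Tpm protector.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize
```

A row with Ok = False in the first table points at the GPO that would make the ADE extension fail, which is the quickest way to tell whether a "full BitLocker" baseline inherited from the domain is already in conflict with ADE before you add anything for recovery keys.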

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

1 answer

  1. Michael Dubissette 1 Reputation point
    2021-10-01T16:54:28.983+00:00

    Thank you

    0 comments