BitLocker Group Policy Settings


Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.

Overview

To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed.

Note

A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see Trusted Platform Module Services Group Policy Settings.

BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.

If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the Manage-bde command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
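The suspend / remove / add / resume sequence described above, as an added example that is not part of the original page, typed into an elevated PowerShell prompt with the Manage-bde tool the text names. The drive letter, the certificate file path and the choice of a certificate (smart card) protector as the replacement are assumptions for illustration.

```powershell
# Added example: bring a removable data drive back into compliance after policy changed
# from "password" to "smart card". E: and the certificate path are placeholders.
$Drive    = 'E:'
$CertFile = 'C:\PLACEHOLDER\smartcard-user.cer'   # exported public certificate of the smart card

function Invoke-ManageBde {
    # Runs manage-bde and stops on the first failure so a half-applied change is not left behind.
    param([Parameter(ValueFromRemainingArguments)][string[]]$Arguments)
    & manage-bde @Arguments
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Record the current state and the protectors present before touching anything.
Invoke-ManageBde -status $Drive
Invoke-ManageBde -protectors -get $Drive

# 2. Suspend protection; while the drive is non-compliant, only changes that restore
#    compliance are allowed, and this sequence needs more than one change.
Invoke-ManageBde -protectors -disable $Drive

# 3. Remove the password protector that policy now disallows.
Invoke-ManageBde -protectors -delete $Drive -type Password

# 4. Add the smart card (certificate) protector policy now requires.
#    Use -ct <thumbprint> instead of -cf <file> when the certificate is already in the user's store.
Invoke-ManageBde -protectors -add $Drive -certificate -cf $CertFile

# 5. Resume protection and confirm the protector list now matches policy.
Invoke-ManageBde -protectors -enable $Drive
Invoke-ManageBde -protectors -get $Drive
```

Keep the output of the first `-protectors -get` call: if the certificate protector cannot be added, the recorded protector IDs are what you need to restore the previous state before resuming protection.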

BitLocker Group Policy settings

The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.

The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.

The following policy settings determine the encryption methods and encryption types that are used with BitLocker.

The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

The following policies are used to support customized deployment scenarios in your organization.

Allow network unlock at startup

This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the Public Key Policies folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.

Policy description

With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

When disabled or not configured

Clients cannot create and use Network Key Protectors.

Reference

To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock.

Note

For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.

For more information about Network Unlock, see BitLocker: How to enable Network Unlock.

Require additional authentication at startup

This policy setting is used to control which unlock options are available for operating system drives.

Policy description

With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

If one authentication method is required, the other methods cannot be allowed.

Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When enabled

Users can configure advanced startup options in the BitLocker Setup Wizard.

When disabled or not configured

Users can configure only basic options on computers with a TPM.

Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

Reference

If you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:

  • only the TPM for authentication

  • insertion of a USB flash drive containing the startup key

  • the entry of a 4-digit to 20-digit personal identification number (PIN)

  • a combination of the PIN and the USB flash drive

There are four options for TPM-enabled computers or devices:

  • Configure TPM startup

    • Allow TPM

    • Require TPM

    • Do not allow TPM

  • Configure TPM startup PIN

    • Allow startup PIN with TPM

    • Require startup PIN with TPM

    • Do not allow startup PIN with TPM

  • Configure TPM startup key

    • Allow startup key with TPM

    • Require startup key with TPM

    • Do not allow startup key with TPM

  • Configure TPM startup key and PIN

    • Allow TPM startup key with PIN

    • Require startup key and PIN with TPM

    • Do not allow TPM startup key with PIN
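The four startup authentication methods and the allow / require / do not allow options above are set at encryption time, so an audit has to read back which protectors each operating system drive actually carries. The following audit is an added example, not code from the original page; it uses the BitLocker PowerShell module's Get-BitLockerVolume cmdlet (Windows 8 and Windows Server 2012 onward), and the protector type it treats as required (TpmPin) is a constructed policy choice to be replaced with the option your "Require additional authentication at startup" setting requires.

```powershell
# Added example: report operating system drives whose startup protectors do not match
# the single required option. The page states that when one method is required the
# others cannot be allowed, so any additional TPM-based protector is flagged too.
function Test-OsDriveStartupAuth {
    param(
        # KeyProtectorType names as reported by Get-BitLockerVolume for the four startup methods
        [ValidateSet('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')]
        [string]$RequiredProtector = 'TpmPin'   # constructed policy choice
    )
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types    = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $tpmBased = @($types | Where-Object { $_ -like 'Tpm*' })
            $extra    = @($tpmBased | Where-Object { $_ -ne $RequiredProtector })

            [pscustomobject]@{
                MountPoint          = $_.MountPoint
                ProtectionStatus    = $_.ProtectionStatus
                StartupProtectors   = ($tpmBased -join ',')
                HasRequired         = ($types -contains $RequiredProtector)
                ExtraStartupTypes   = ($extra -join ',')
                HasRecoveryPassword = ($types -contains 'RecoveryPassword')
                Compliant           = ($types -contains $RequiredProtector) -and ($extra.Count -eq 0)
            }
        }
}

# Run from an elevated prompt; non-compliant drives show Compliant = False.
Test-OsDriveStartupAuth -RequiredProtector 'TpmPin' | Format-Table -AutoSize
```

A drive with HasRecoveryPassword = False is worth flagging separately: the page's note on Network Unlock applies generally, in that a drive whose only unlock method is the required startup protector becomes unrecoverable if that protector is lost.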

Allow enhanced PINs for startup

This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.

Policy description

With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

When disabled or not configured

Enhanced PINs will not be used.

Reference

Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.

Important

Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.

Configure minimum PIN length for startup

This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN.

Policy description

With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits.

Introduced

Windows Server 2008 R2 and Windows 7

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

You can require that users enter a minimum number of digits when setting their startup PINs.

When disabled or not configured

Users can configure a startup PIN of any length between 4 and 20 digits.

Reference

This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

Disallow standard users from changing the PIN or password

This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.

Policy description

With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

Introduced

Windows Server 2012 and Windows 8

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Conflicts

None

When enabled

Standard users are not allowed to change BitLocker PINs or passwords.

When disabled or not configured

Standard users are permitted to change BitLocker PINs or passwords.

Reference

To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.

Configure use of passwords for operating system drives

This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the Password must meet complexity requirements policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose Require password complexity because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
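A pre-check of candidate secrets against the constraints on this page, as an added example that is not part of the original page. It serves both the startup PIN settings above (the 4 to 20 digit bounds from "Configure minimum PIN length for startup" and the character set from "Allow enhanced PINs for startup") and the operating system drive password setting here (eight characters by default). Two rules are assumptions rather than statements of the page: a non-enhanced PIN is modelled as digits only, and complexity is modelled on the domain "Password must meet complexity requirements" rule of characters from three of four categories.

```powershell
# Added example: validate a startup PIN and an OS-drive password the way the settings
# on this page constrain them. Page-stated limits: PIN 4..20, password default 8.
function Test-BitLockerStartupPin {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [ValidateRange(4, 20)][int]$MinimumLength = 4,   # "Configure minimum PIN length for startup"
        [switch]$EnhancedPinsAllowed                      # "Allow enhanced PINs for startup"
    )
    if ($Pin.Length -lt $MinimumLength -or $Pin.Length -gt 20) { return $false }
    # Assumption: without enhanced PINs only digits are accepted; with them, letters,
    # symbols and spaces are allowed (the page lists those character classes).
    if (-not $EnhancedPinsAllowed -and $Pin -notmatch '^[0-9]+$') { return $false }
    return $true
}

function Test-BitLockerOsDrivePassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 8,          # page: eight characters by default
        [switch]$RequireComplexity        # "Require password complexity"
    )
    if ($Password.Length -lt $MinimumLength) { return $false }
    if ($RequireComplexity) {
        # Assumption: domain-style complexity, three of four character categories.
        $categories = 0
        if ($Password -cmatch '[A-Z]')        { $categories++ }
        if ($Password -cmatch '[a-z]')        { $categories++ }
        if ($Password -match  '[0-9]')        { $categories++ }
        if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
        if ($categories -lt 3) { return $false }
    }
    return $true
}

# Constructed sample inputs, one per rule being exercised.
Test-BitLockerStartupPin -Pin '123456' -MinimumLength 6                        # digits only, meets the 6-digit minimum
Test-BitLockerStartupPin -Pin 'abc 12' -MinimumLength 6                        # letters and a space without enhanced PINs
Test-BitLockerStartupPin -Pin 'abc 12' -MinimumLength 6 -EnhancedPinsAllowed   # same PIN with enhanced PINs allowed
Test-BitLockerOsDrivePassword -Password 'short' -RequireComplexity              # below the eight-character default
Test-BitLockerOsDrivePassword -Password 'Correct-horse9' -RequireComplexity     # length and three categories
```

This check only tells a user before they reach the setup wizard whether a value will be accepted; the wizard itself applies the policy, and the enhanced PIN system check the page recommends still has to be run on the computer because preboot keyboard support cannot be judged from the string alone.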

For more information, see Password must meet complexity requirements.

Note

Policy description