Configure BitLocker

To configure BitLocker, you can use one of the following options:

  • Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The BitLocker CSP is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in compliance policies, combining them with Conditional Access. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
  • Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
  • Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see Deploy BitLocker management

Note

Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.

While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the section BitLocker policy settings.

Windows edition and licensing requirements

The following table lists the Windows editions that support BitLocker management:

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
Yes Yes Yes Yes

BitLocker management license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
No Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

BitLocker policy settings

This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).

Important

Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.

Policy settings list

The list of settings is sorted alphabetically and organized in four categories:

  • Common settings: settings applicable to all BitLocker-protected drives
  • Operating system drive: settings applicable to the drive where Windows is installed
  • Fixed data drives: settings applicable to any local drives, except the operating system drive
  • Removable data drives: settings applicable to any removable drives

Select one of the tabs to see the list of available settings:

The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.

Policy name CSP GPO
Allow standard user encryption
Choose default folder for recovery password
Choose drive encryption method and cipher strength
Configure recovery password rotation
Disable new DMA devices when this computer is locked
Prevent memory overwrite on restart
Provide the unique identifiers for your organization
Require device encryption
Validate smart card certificate usage rule compliance

Allow standard user encryption

With this policy you can enforce the Require device encryption policy for scenarios where the policy is applied while the current logged-on user doesn't have administrative rights.

Important

The Allow warning for other disk encryption policy must be disabled to allow standard user encryption.

Path
CSP ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
GPO Not available

Choose default folder for recovery password

Specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. You can specify either a fully qualified path or include the target computer's environment variables in the path:

  • If the path isn't valid, the BitLocker setup wizard displays the computer's top-level folder view
  • If you disable or don't configure this policy setting, the BitLocker setup wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder

Note

This policy setting does not prevent the user from saving the recovery password in another folder.

Path
CSP Not available
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Choose drive encryption method and cipher strength

With this policy, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.

Recommended settings: XTS-AES algorithm for all drives. The choice of key size, 128 bit or 256 bit depends on the performance of the device. For more performant hard drives and CPU, choose 256-bit key, for less performant ones use 128.

Important

Key size might be required by regulators or industry.

If you disable or don't configure this policy setting, BitLocker uses the default encryption method of XTS-AES 128-bit.

Note

This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.

Path
CSP ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Configure recovery password rotation

With this policy you can configure a numeric recovery password rotation upon use for OS and fixed drives on Microsoft Entra joined and Microsoft Entra hybrid joined devices.

Possible values are:

  • 0: numeric recovery password rotation is turned off
  • 1: numeric recovery password rotation upon use is on for Microsoft Entra joined devices. This is also the default value
  • 2: numeric recovery password rotation upon use is on for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices

Note

The Policy is effective only when Micropsoft Entra ID or Active Directory backup for recovery password is configured to required

  • For OS drive: enable Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
  • For fixed drives: enable "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives
Path
CSP ./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation
GPO Not available

Disable new DMA devices when this computer is locked

When enabled, this policy setting blocks direct memory access (DMA) for all hot pluggable PCI ports until a user signs into Windows.

Once a user signs in, Windows enumerates the PCI devices connected to the host Thunderbolt PCI ports. Every time the user locks the device, DMA is blocked on hot plug Thunderbolt PCI ports with no children devices, until the user signs in again.

Devices that were already enumerated when the device was unlocked will continue to function until unplugged, or the system is rebooted or hibernated.

This policy setting is only enforced when BitLocker or device encryption is enabled.

Important

This policy is not compatible with Kernel DMA Protection. It's recommended to disable this policy if the system supports Kernel DMA Protection, as Kernel DMA Protection provides higher security for the system. For more information about Kernel DMA Protection, see Kernel DMA Protection.

Path
CSP Not available
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Prevent memory overwrite on restart

This policy setting is used to control whether the computer's memory is overwritten when the device restarts. BitLocker secrets include key material used to encrypt data.

  • If you enable this policy setting, memory isn't overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but increases the risk of exposing BitLocker secrets.
  • If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.

Note

This policy setting applies only when BitLocker protection is enabled.

Path
CSP Not available
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Provide the unique identifiers for your organization

This policy setting allows you to associate unique organizational identifiers to a drive that is encrypted with BitLocker. The identifiers are stored as the identification field and allowed identification field:

  • The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the BitLocker Drive Encryption: Configuration Tool (manage-bde.exe)
  • The allowed identification field is used in combination with the Deny write access to removable drives not protected by BitLocker policy setting to help control the use of removable drives in your organization. It's a comma separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe.

If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled device, the identification field and allowed identification field are used to determine whether the drive is from a different organization.

If you disable or don't configure this policy setting, the identification field is not required.

Important

Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker only manages and updates certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the device. The identification field can be any value of 260 characters or fewer.

Path
CSP ./Device/Vendor/MSFT/BitLocker/IdentificationField
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Require device encryption

This policy setting determines whether BitLocker is required:

  • If enabled, encryption is triggered on all drives silently or non-silently based on Allow warning for other disk encryption policy
  • If disabled, BitLocker isn't turned off for the system drive, but it stops prompting the user to turn BitLocker on.

Note

Typically, BitLocker follows the Choose drive encryption method and cipher strength policy configuration. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.

Encryptable fixed data volumes are treated similarly to OS volumes, but they must meet other criteria to be encryptable:

  • It must not be a dynamic volume
  • It must not be a recovery partition
  • It must not be a hidden volume
  • It must not be a system partition
  • It must not be backed by virtual storage
  • It must not have a reference in the BCD store

Note

Only full disk encryption is supported when using this policy for silent encryption. For non-silent encryption, encryption type will depend on the Enforce drive encryption type on operating system drives and Enforce drive encryption type on fixed data drives policies configured on the device.

Path
CSP ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
GPO Not available

Validate smart card certificate usage rule compliance

This policy setting is used to determine which certificate to use with BitLocker by associating an object identifier (OID) from a smart card certificate to a BitLocker-protected drive. The object identifier is specified in the enhanced key usage (EKU) of a certificate.

BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default OID is 1.3.6.1.4.1.311.67.1.1.

If you enable this policy setting, the object identifier specified in the Object identifier field must match the object identifier in the smart card certificate. If you disable or don't configure this policy setting, the default OID is used.

Note

BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.

Path
CSP Not available
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

BitLocker and policy settings compliance

If a device isn't compliant with the configured policy settings, BitLocker might not be turned on, or BitLocker configuration might be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.

If multiple changes are necessary to bring the drive into compliance, BitLocker protection might need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.

In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker might need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.

To learn more how to manage BitLocker, review the BitLocker operations guide.

Configure and manage servers

Servers are often deployed, configured, and managed using PowerShell. The recommendation is to use group policy settings to configure BitLocker on servers, and to manage BitLocker using PowerShell.

BitLocker is an optional component in Windows Server. Follow the directions in Install BitLocker on Windows Server to add the BitLocker optional component.

The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a Server Core installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in Using Features on Demand with Updated Systems and Patched Images and How to update local source media to add roles and features. If a server is installed manually, then choosing Server with Desktop Experience is the easiest path because it avoids performing the steps to add a GUI to Server Core.

Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see Network Unlock.

Next steps

Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.

BitLocker operations guide >