This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 18%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
I am looking at how to configure the combination of the three technologies mentioned above to achieve the following goals.
Encrypt OS Drive with bit locker using PIN's as well as a Recovery Key as a backup (this has been done).
When the Pin is typed in incorrectly to many times it locks out the user until they get the Recovery Key from us in IT.
I also do not want them to be able to skip the drive and get into other options that would make things complicated.
We are currently using Sophos to manage most of out Bitlockered devices, but this is becoming a major problem most of the time. We are working toward migrating to managing the Bitlocker information ourselves in Active Directory.
Any help would be be much appreciated.
From within GPME, select Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
You can now go through the available policies and configure them to meet the requirements of your environment. Some useful policy setting that you may wish to adjust include:
1.Store BitLocker recovery information in Active Directory: With this policy enabled it will only be possible to enable BitLocker if an Active Directory domain controller is available so that the recovery key can be stored there. If a domain controller is not available, BitLocker will not enable. This allows you to centrally manage BitLocker recovery keys as they will be stored in Active Directory.
2.Choose drive encryption method and cipher strength: By default for Windows 10 this will set XTS-AES 128-bit encryption, this can be modified to XTS-AES 256-bit instead for higher protection.
3.Require additional authentication at startup: Rather than only using one authentication method such as TPM, this policy can be enabled to instead require both TPM and a PIN, TPM and a startup key, or TPM with a startup key and PIN.
4.Allow enhanced PINs for startup: Enhanced PINs allow you to use additional characters such as uppercase, lowercase, numbers and symbols and should be turned on by default. It allows for stronger PINs to be set.
5.Configure minimum PIN length for startup: This allows you to configure the minimum PIN length, which can ensure that your users are forced to set strong BitLocker PINs.
About your concern: When the Pin is typed in incorrectly to many times it locks out the user until they get the Recovery Key from us in IT.
It doesn’t need to worry, after too many PIN entry attempts, TPM chip thinks it’s being threatened and therefore has locked itself, preventing the PIN entry (which you’re most likely typing in correctly) from unlocking the drive.
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
So far the behavior is not what I am looking for.
Sophos currently is set that when a user types in the PIN incorrectly they then need the full Recovery Key. I am looking for the policies to set in Group Policy to mimic this behavior. Currently I can type in the PIN incorrectly an infinite number of times or at least a lot and it does not lock out the TPM chip it appears. I need to have it set so that it does this to help limit the Brute Force attacks on our encrypted devices.
All of the rest of that information is currently how things are set and thus far it is working the way we would expect it to except for that last little piece of this puzzle.
I have not heard anything in a while is there anywhere that someone could point me in trying to get this figured out?
“Currently I can type in the PIN incorrectly an infinite number of times or at least a lot and it does not lock out the TPM chip it appears. I need to have it set so that it does this to help limit the Brute Force attacks on our encrypted devices.”
Current group policies setting cannot meet your demand, you could open a support ticket with Microsoft for deep research.
https://support.serviceshub.microsoft.com/supportforbusiness