BitLocker/TPM/Group Policy Settings

Dj Dimick 1 Reputation point

I am looking at how to configure the combination of the three technologies mentioned above to achieve the following goals.

Encrypt the OS drive with BitLocker using PINs as well as a Recovery Key as a backup (this has been done).
When the PIN is typed in incorrectly too many times it locks out the user until they get the Recovery Key from us in IT.
I also do not want them to be able to skip the drive and get into other options that would make things complicated.

We are currently using Sophos to manage most of our BitLockered devices, but this is becoming a major problem most of the time. We are working toward migrating to managing the BitLocker information ourselves in Active Directory.

Any help would be much appreciated.


3 answers

  1. Teemo Tang 11,366 Reputation points

    From within GPME, select Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
    You can now go through the available policies and configure them to meet the requirements of your environment. Some useful policy settings that you may wish to adjust include:

    1. Store BitLocker recovery information in Active Directory: With this policy enabled it will only be possible to enable BitLocker if an Active Directory domain controller is available so that the recovery key can be stored there. If a domain controller is not available, BitLocker will not enable. This allows you to centrally manage BitLocker recovery keys as they will be stored in Active Directory.
    2. Choose drive encryption method and cipher strength: By default for Windows 10 this will set XTS-AES 128-bit encryption; this can be modified to XTS-AES 256-bit instead for higher protection.
    3. Require additional authentication at startup: Rather than only using one authentication method such as TPM, this policy can be enabled to instead require both TPM and a PIN, TPM and a startup key, or TPM with a startup key and PIN.
    4. Allow enhanced PINs for startup: Enhanced PINs allow you to use additional characters such as uppercase, lowercase, numbers and symbols and should be turned on by default. It allows for stronger PINs to be set.
    5. Configure minimum PIN length for startup: This allows you to configure the minimum PIN length, which can ensure that your users are forced to set strong BitLocker PINs.

    About your concern: "When the PIN is typed in incorrectly too many times it locks out the user until they get the Recovery Key from us in IT."
    You don't need to worry: after too many PIN entry attempts, the TPM chip thinks it is being threatened and therefore locks itself, preventing the PIN entry (which you are most likely typing in correctly) from unlocking the drive.



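The five policy settings above, applied end to end as an added PowerShell example (this is not code from Teemo Tang's answer or from Microsoft documentation). It writes the settings as local policy values, enables BitLocker on the OS drive with a TPM+PIN protector and a 48-digit recovery password, backs the recovery password up to AD DS, and reports the TPM's anti-hammering counters. Assumptions: the registry value names and numeric values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are taken to be how the named GPO settings are stored (in a domain you would set the same settings in the GPO and let Group Policy write them); the machine is domain-joined with a reachable domain controller; and the function names `Set-BitLockerOsDrivePolicy`, `Enable-OsDriveBitLocker` and `Get-TpmLockoutState` are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Registry names/values below are an
# assumption about the on-disk form of the five GPO settings discussed in the answer.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerOsDrivePolicy {
    param([int]$MinimumPinLength = 8)   # hypothetical default; 4..20 is the policy range
    $policy = [ordered]@{
        # 1. Store recovery information in AD DS for OS drives and require it,
        #    so BitLocker refuses to enable when no domain controller is reachable.
        OSRecovery                     = 1
        OSActiveDirectoryBackup        = 1
        OSRequireActiveDirectoryBackup = 1
        OSActiveDirectoryInfoToStore   = 1   # recovery passwords and key packages
        OSRecoveryPassword             = 1   # 1 = require a 48-digit recovery password
        OSRecoveryKey                  = 0   # 0 = do not allow a recovery key file
        OSManageDRA                    = 0
        OSHideRecoveryPage             = 1   # users cannot pick other recovery options in the wizard
        # 2. Cipher for OS drives: 6 = XTS-AES 128 (default), 7 = XTS-AES 256
        EncryptionMethodWithXtsOs      = 7
        # 3. Require additional authentication at startup: TPM+PIN only
        #    (0 = do not allow, 1 = allow, 2 = require)
        UseAdvancedStartup             = 1
        EnableBDEWithNoTPM             = 0
        UseTPM                         = 0
        UseTPMPIN                      = 2
        UseTPMKey                      = 0
        UseTPMKeyPIN                   = 0
        # 4. Allow enhanced PINs; 5. minimum PIN length
        UseEnhancedPin                 = 1
        MinimumPIN                     = $MinimumPinLength
    }
    New-Item -Path $FvePolicyPath -Force | Out-Null
    foreach ($name in $policy.Keys) {
        New-ItemProperty -Path $FvePolicyPath -Name $name -PropertyType DWord `
            -Value $policy[$name] -Force | Out-Null
    }
    Get-ItemProperty -Path $FvePolicyPath | Select-Object -Property ($policy.Keys)
}

function Enable-OsDriveBitLocker {
    param(
        [Parameter(Mandatory)][SecureString]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)

    # Recovery password first: with the "require AD DS backup" policy in force,
    # encryption cannot start until a recovery password exists to back up.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest | Out-Null
    } elseif ($types -notcontains 'TpmPin') {
        # Drive already encrypted (the asker's situation): just add the TPM+PIN protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }

    # Explicit AD DS backup of every recovery password, independent of the policy trigger.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    $vol | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
}

function Get-TpmLockoutState {
    # The TPM's own dictionary-attack (anti-hammering) state: when LockoutCount reaches
    # LockoutMax the TPM stops answering PIN attempts and the recovery password is needed.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
    }
}

# Usage (interactive prompt keeps the PIN out of the command history):
# Set-BitLockerOsDrivePolicy -MinimumPinLength 8
# Enable-OsDriveBitLocker -Pin (Read-Host -AsSecureString 'Startup PIN')
# Get-TpmLockoutState
```

Two checks worth running after this: `gpresult /h report.html` to confirm the domain GPO, not the local values, is what is in force, and `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase '<computer DN>' -Properties msFVE-RecoveryPassword` (from the AD module, on a machine with the BitLocker Recovery Password Viewer rights) to confirm the recovery password actually landed under the computer object.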
  2. Dj Dimick 1 Reputation point

    I have not heard anything in a while is there anywhere that someone could point me in trying to get this figured out?


  3. Teemo Tang 11,366 Reputation points

    "Currently I can type in the PIN incorrectly an infinite number of times, or at least a lot, and it does not lock out the TPM chip, it appears. I need to have it set so that it does this to help limit brute-force attacks on our encrypted devices."
    The current group policy settings cannot meet your demand; you could open a support ticket with Microsoft for deeper research.
