BitLocker Group Policy Reference

Applies To: Windows 7, Windows Server 2008 R2

BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization and then applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the Manage-bde command-line tool, the password unlock method deleted, and the smart card method added. After this is completed, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. For more information about using the Manage-bde command-line tool, see the Manage-bde.exe Parameter Reference.

The following sections provide a comprehensive list of policy settings organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

  • Drive access and BitLocker use

  • Drive access and BitLocker use

  • Encryption strength

  • Drive recovery

  • Deployment options

Each section lists the policy settings that affect the type of usage and provides a reference to the uses of the policy setting, which drive type it is used with, the policy setting path, the policy setting description, and any areas of potential conflict if you enable the policy setting.

Unlock methods

The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.

  • Require additional authentication at startup

  • Allow enhanced PINs for startup

  • Configure minimum PIN length

  • Require additional authentication at startup (Windows Server 2008 and Windows Vista)

  • Configure use of smart cards on fixed data drives

  • Configure use of passwords on fixed data drives

  • Configure use of smart cards on removable data drives

  • Configure use of passwords on removable data drives

  • Validate smart card certificate usage rule compliance

Require additional authentication at startup

This policy setting is used to control what unlock options are available for Windows 7 operating system drives.

Drive type

Operating system drives (Windows 7 and Windows Server 2008 R2)

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

If you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a USB drive is required for startup and the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, the computer can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note

Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.
If you want to use both a startup PIN and a USB flash drive for authentication before unlocking the operating system drive, you must use the Manage-bde command-line tool to turn on BitLocker instead of the BitLocker Drive Encryption setup wizard. In this situation, this policy setting should remain as not configured.

Conflicts

If one authentication method is required, the other methods cannot be allowed.

Use of BitLocker without a compatible TPM, TPM startup key, or TPM startup key and PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

Allow enhanced PINs for startup

This policy setting permits the use of enhanced PINs when using an unlock method that includes a PIN.

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to configure whether enhanced startup PINs are used with BitLocker.

Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Existing drives that were protected by using a standard startup PIN are not affected.

Important

Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during BitLocker setup to verify that enhanced PIN characters can be used.

If you disable or do not configure this policy setting, enhanced PINs will not be used.

Conflicts

None

Configure minimum PIN length

This policy setting is used to set a minimum PIN length when using an unlock method that includes a PIN.

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.

Conflicts

None

Require additional authentication at startup (Windows Server 2008 and Windows Vista)

This policy setting is used to control what unlock options are available for computers running either Windows Server 2008 or Windows Vista.

Drive type

Operating system drives (Windows Server 2008 and Windows Vista)

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard on computers running Windows Vista or Windows Server 2008 will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.

On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN.

A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.

If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

Conflicts

If you choose to require an additional authentication method, others authentication methods cannot be allowed.

Configure use of smart cards on fixed data drives

This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Description

This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

If you enable this policy setting, smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

Note

These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives.

If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

Configure use of passwords on fixed data drives

This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Description

This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements must be also enabled.

Note

These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

When set to Require complexity, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to Allow complexity, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of the actual password complexity and the drive will be encrypted by using that password as a protector. When set to Do not allow complexity, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the Minimum password length box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Important

Passwords cannot be used if FIPS compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.

Conflicts

To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

This policy setting is configured on a per-computer basis. This means that it will apply to both local user accounts and domain user accounts. Because the password filter used to validate password complexity is located on the domain controllers of the domain, local user accounts will not be able to access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you are logged on with a local user account and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive.

Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.

Configure use of smart cards on removable data drives

This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

If you enable this policy setting, smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

Note

These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

If you do not configure this policy setting, smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

Conflicts

To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

Configure use of passwords on removable data drives

This policy setting is used to require, allow, or deny the use of passwords with removable data drives.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting Password must meet complexity requirements located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

Note

These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements that you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

When set to Require complexity, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to Allow complexity, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. When set to Do not allow complexity, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the Minimum password length box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Note

Passwords cannot be used if FIPS compliance is enabled. The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS compliance is enabled.

Conflicts

To use password complexity, the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

Validate smart card certificate usage rule compliance

This policy setting is used to determine what certificate to use with BitLocker.

Drive type

Fixed and removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker.

The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.

The default object identifier is 1.3.6.1.4.1.311.67.1.1.

Note

BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.

If you enable this policy setting, the object identifier specified in the Object identifier setting must match the object identifier in the smart card certificate.

If you disable or do not configure this policy setting, the default object identifier is used.

Conflicts

None

Drive access and BitLocker use

The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.

  • Deny write access to fixed drives not protected by BitLocker

  • Deny write access to removable drives not protected by BitLocker

  • Control use of BitLocker on removable drives

Deny write access to fixed drives not protected by BitLocker

This policy setting is used to require encryption of fixed drives prior to granting write access.

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Description

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

Conflicts

When this policy setting is enabled, users will receive "Access denied" error messages when they try to save to unencrypted fixed data drives.

If BdeHdCfg is run on a computer when this policy setting is enabled, you may encounter the following issues:

  • If you attempted to shrink the drive and create the system drive, the drive size will be successfully reduced and a raw partition created. However, the RAW partition will not be formatted. The following error message is displayed: "The new active Drive cannot be formatted. You may need to manually prepare your drive for BitLocker."

  • If you attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active Drive cannot be formatted. You may need to manually prepare your drive for BitLocker."

  • If you attempted to merge an existing drive into the system drive, the tool will fail to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."

If this policy setting is being enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows and those computers were configured with a single partition, you should create the required BitLocker system partition before applying the policy setting to the computers.

Deny write access to removable drives not protected by BitLocker

This policy setting is used to require encryption of removable drives prior to granting write access and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with write access.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the Deny write access to devices configured in another organization option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for a valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting.

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

Note

This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the Removable Disks: Deny write access policy setting is enabled, this policy setting will be ignored.

Conflicts

Use of BitLocker without a compatible TPM, TPM + startup key, or TPM + PIN + startup key must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

You must enable the Provide the unique identifiers for your organization policy setting if you want to deny write access to drives configured in another organization.

Control use of BitLocker on removable drives

This policy setting is used to prevent standard user account from being able to turn BitLocker on or off on removable data drives.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.

When this policy setting is enabled, you can select property settings that control how users can configure BitLocker. Choose Allow users to apply BitLocker protection on removable data drives to permit the user to run the BitLocker setup wizard on a removable data drive. Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker Drive Encryption from the drive or suspend the encryption while maintenance is performed.

If you do not configure this policy setting, users can use BitLocker on removable disk drives.

If you disable this policy setting, users cannot use BitLocker on removable disk drives.

Conflicts

None

Encryption strength

The following policy setting determines the encryption method used with BitLocker.

  • Choose drive encryption method and cipher strength

Choose drive encryption method and cipher strength

This policy setting is used to control encryption method and cipher strength.

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.

If you enable this policy setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Conflicts

None

Drive recovery

The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

  • Choose how BitLocker-protected operating system drives can be recovered

  • Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

  • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

  • Choose default folder for recovery password

  • Choose how BitLocker-protected fixed drives can be recovered

  • Choose how BitLocker-protected removable drives can be recovered

Choose how BitLocker-protected operating system drives can be recovered

This policy setting is used to configure recovery methods for operating system drives.

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The Allow certificate-based data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note

If the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Conflicts

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

This policy setting is used to configure recovery methods drives on computers running Windows Server 2008 or Windows Vista.

Drive type

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.

Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.

If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.

If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store recovery options.

Important

If TPM initialization is performed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information.
The 48-digit recovery password will not be available in FIPS-compliance mode.
This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

Conflicts

None

Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

This policy setting is used to configure storage of BitLocker recovery information in AD DS.

Drive type

Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to manage the AD DS backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

If you enable this policy setting, BitLocker recovery information will be automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

If you select Require BitLocker backup to AD DS, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recovery password may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, BitLocker recovery information will not be backed up to AD DS.

TPM initialization may be needed during BitLocker setup. Enable the Turn on TPM backup to Active Directory Domain Services policy setting in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services to ensure that TPM information is also backed up.

If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. For more information, see Backing Up BitLocker and TPM Recovery Information to AD DS.

Conflicts

None

Choose default folder for recovery password

This policy setting is used to configure the default folder for recovery passwords.

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, you can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify either a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker setup wizard will display the computer's top-level folder view.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

Note

This policy setting does not prevent the user from saving the recovery password in another folder.

Conflicts

None

Choose how BitLocker-protected fixed drives can be recovered

This policy setting is used to configure recovery methods for fixed data drives.

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Description

This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Doman Services, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted using the Repair-bde command-line tool. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note

If the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Conflicts

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

Choose how BitLocker-protected removable drives can be recovered

This policy setting is used to configure recovery methods for removable data drives.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the GPMC or the Local Group Policy Editor.

In Configure user storage of BitLocker recovery information, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select Backup recovery password and key package, both the BitLocker recovery password and key package are stored in AD DS. If you select Backup recovery password only, only the recovery password is stored in AD DS.

Select the Do not enable BitLocker until recovery information is stored in AD DS for removable data drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note

If the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected removable data drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Conflicts

Use of recovery keys must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

Deployment options

The following policies are used to support customized deployment scenarios in your organization.

  • Provide the unique identifiers for your organization

  • Prevent memory overwrite on restart

  • Configure TPM platform validation profile

  • Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

  • Allow access to BitLocker-protected removable data drives from earlier versions of Windows

Provide the unique identifiers for your organization

This policy setting is used to establish an identifier that is applied to all drives encrypted in your organization.

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will update the BitLocker To Go Reader only when the identification field on the drive matches the value configured for the identification field.

The allowed identification field is used in combination with the Deny write access to removable drives not protected by BitLocker policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or other external organizations.

You can configure the identification fields on existing drives by using the Manage-bde command-line tool.

If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.

When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.

If you disable or do not configure this policy setting, the identification field is not required.

Note

Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will manage and update certificate-based data recovery agents only when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

Conflicts

Multiple values separated by commas can be entered in the identification and allowed identification fields.

Prevent memory overwrite on restart

The policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.

Drive type

All drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Description

This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled.

If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets.

If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.

Conflicts

None

Configure TPM platform validation profile

This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive.

Drive type

Operating system drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Description

This policy setting allows you to configure how the computer's TPM security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23, The default platform validation profile secures the encryption key against changes to the following:

  • Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)

  • Option ROM Code (PCR 2)

  • Master Boot Record (MBR) Code (PCR 4)

  • NTFS Boot Sector (PCR 8)

  • NTFS Boot Block (PCR 9)

  • Boot Manager (PCR 10)

  • BitLocker Access Control (PCR 11)

Note

The default TPM Validation Profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.

The following list identifies all of the PCRs available:

  • PCR[0]: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code

  • PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration

  • PCR 2: Option ROM code

  • PCR 3: Option ROM data and configuration

  • PCR 4: Master Boot Record (MBR) code or code from other boot devices

  • PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table

  • PCR 6: State transition and wake events

  • PCR 7: Computer manufacturer-specific

  • PCR 8: NTFS boot sector

  • PCR 9: NTFS boot block

  • PCR 10: Boot manager

  • PCR 11: BitLocker access control

  • PCR 12: Reserved for future use

  • PCR 13: Reserved for future use

  • PCR 22: Reserved for future use

  • PCR 23: Reserved for future use

Warning

Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

Conflicts

None

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

This policy setting is used to control whether access to drives by using the BitLocker To Go Reader is allowed and if the application is installed to the drive.

Drive type

Fixed data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

Description

This policy setting configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems.

If this policy setting is enabled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted fixed drives check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the Provide unique identifiers for your organization policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note

This policy setting does not apply to drives that are formatted with the NTFS file system.

Conflicts

None

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

This policy setting is used to controls if you can access removable data drives by using the BitLocker To Go Reader and if the application is installed to the drive.

Drive type

Removable data drives

Policy path

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

Description

This policy setting configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 operating systems.

If this policy setting is enabled or not configured, removable data drives formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the Do not install BitLocker To Go Reader on FAT formatted removable drives check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the Provide unique identifiers for your organization policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader will be deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note

This policy setting does not apply to drives that are formatted with the NTFS file system.

Conflicts

None