09/24/2019 429 views

I have BitLocker setup and running in my environment.

I can pull a drive out, install it in another laptop, I get the BitLocker prompt requesting the password.

The issue is here: I pull a BitLockered drive out of a computer, install it in a USB dock or enclosure, plug it in, I get no BitLocker prompts, I can access all data.

This kind of makes BitLocker useless at this point.

For my GPO I have these options enabled:

"Choose default folder for recovery password" - Network path

"Store BitLocker recovery information in Active Directory Domain Services" - Required BitLocker backup to AD DS

"Enforce drive encryption type on operating system drives" - Used Space Only encryption.

Any suggestions?



Community Chosen Answer

2

"Enforce drive encryption type on operating system drives" is the problem; that is not the OS drive when slaved in, the boot drive is the OS drive.

Did you also configure the GPO for Fixed data drive and removable data drives?


Answered 09/24/2019 by: SMal.tmcc
Red Belt

  • No, only OS drive. Fixed Data Drives I read were like your D: drive for example and Removable Data Drives I believe are like USB drives? If I go back to my GPO do you suggest ALSO enabling Fixed Data Drive? What is your recommendation from here? I have a large number of users 300+, GPO is best option hopefully I do not need to re-bitlocker after making any additional setting changes. Thank you!
    • It is a USB drive when you plug it into a dock, in Windows' mind.
      • I did some testing on a new GPO with those extra fixed and removable options enabled. Plugged in via USB, BitLocker prompt. awesome.. Here's the confusing part, I used my normal GPO and bitlockered my "control" PC to test, plugged in via USB, BitLocker prompt.. so strange.. only difference from what I'm used to is I grabbed spare PCs with normal SSDs with TPM 1.2 instead of the chip style drives with TPM 2.0
    • Once the drive is protected by BitLocker it doesn't matter how it's connected, the encryption is present. If you connect it to the same machine, the TPM might unlock it automatically. If you connect to a different machine, it'll look for the TPM (which won't be present) and then ask you for the recovery key in order to access the disk.

      I typically don't enforce BitLocker on USB drives. Secondary hard drives, yes.
      • From the user above, if it's encrypted by OS, BitLocker doesn't work when you plug the drive into another computer via USB dock or enclosure.
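The comment above is the key point: a drive that really has BitLocker protection on is encrypted however it is attached, so the first thing to verify on the "control" PC is whether protection was actually on and the conversion complete before the drive was pulled. The audit below is an added example, not code from the thread; it uses the standard BitLocker PowerShell module (Get-BitLockerVolume, Windows 8/Server 2012 and later, elevated prompt), and the function name and the Issues labels are my own. It also flags TPM-only OS drives, which is the PIN question raised in the other answer.

```powershell
# Added example (not from the original post): audit every local volume's
# BitLocker state so a drive is only treated as protected once ProtectionStatus
# is On and encryption has completed. Function and Issues labels are assumed
# names chosen here; the cmdlet and its properties are the real BitLocker module.

function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on the volume, e.g. Tpm, TpmPin, RecoveryPassword
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $issues = @()

        # Protection Off means the key is stored in the clear: readable anywhere,
        # whatever the GPO says. This is the state to rule out first.
        if ($vol.ProtectionStatus -ne 'On') { $issues += 'ProtectionOff' }

        # Used Space Only and full encryption both end in FullyEncrypted; anything
        # else means the conversion never started or is still running/paused.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "Status=$($vol.VolumeStatus)" }

        # Without a recovery password protector there is nothing to escrow in AD DS.
        if ($types -notcontains 'RecoveryPassword') { $issues += 'NoRecoveryPassword' }

        # OS drive with a bare TPM protector: the TPM releases the key at boot on
        # the original machine with no user secret (no PIN or startup key).
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            $types -contains 'Tpm' -and
            $types -notcontains 'TpmPin' -and
            $types -notcontains 'TpmPinStartupKey') {
            $issues += 'TpmOnly'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ',')
            Issues           = if ($issues.Count) { $issues -join ';' } else { 'OK' }
        }
    }
}

# Run on the source machine before pulling a drive; any row whose Issues column
# is not OK explains why the data may be readable in a dock or enclosure.
Get-BitLockerAuditReport | Format-Table -AutoSize
```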

All Answers

0

Do you have TPM PIN authentication set up on the drives? That may be why you can read it outside the system it was encrypted on.

Here is an XML dump of our BitLocker GPO

 <Computer>
<VersionDirectory>40</VersionDirectory>
<VersionSysvol>40</VersionSysvol>
<Enabled>true</Enabled>
<ExtensionData>
<Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
<q1:Policy>
<q1:Name>Ignore the default list of blocked TPM commands</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.

If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list.

The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands.

If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. </q1:Explain>
<q1:Supported>At least Windows Vista</q1:Supported>
<q1:Category>System/Trusted Platform Module Services</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Ignore the local list of blocked TPM commands</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.

If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.

The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands.

If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands.</q1:Explain>
<q1:Supported>At least Windows Vista</q1:Supported>
<q1:Category>System/Trusted Platform Module Services</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Turn on TPM backup to Active Directory Domain Services</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information.

TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands.

If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password.

By enabling this policy setting, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.

If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.

Note: You must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. Consult online documentation for more information about setting up Active Directory Domain Services for TPM.

Note: The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, run "tpm.msc" and select the action to "Initialize TPM".

Note: If the TPM owner information is lost or is not available, limited TPM management is possible by running "tpm.msc" on the local computer.</q1:Explain>
<q1:Supported>At least Windows Vista</q1:Supported>
<q1:Category>System/Trusted Platform Module Services</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7.

If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

</q1:Explain>
<q1:Supported>Windows Server 2008, Windows 7, and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption</q1:Category>
<q1:DropDownList>
<q1:Name>Select the encryption method:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>AES 256-bit with Diffuser</q1:Name>
</q1:Value>
</q1:DropDownList>
</q1:Policy>
<q1:Policy>
<q1:Name>Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.

Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.

If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.

If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store recovery options.

Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information.

Note: The 48-digit recovery password will not be available in FIPS-compliance mode.

Important: This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)" policy setting to prevent a policy error.

</q1:Explain>
<q1:Supported>Windows Server 2008 and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption</q1:Category>
<q1:Text>
<q1:Name>Important: To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options below, you must enable backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name>Configure 48-digit recovery password:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Require recovery password (default)</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name>Configure 256-bit recovery key:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Require recovery key (default)</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:Text>
<q1:Name>Note: If you do not allow the recovery password and require the recovery key, users cannot turn on BitLocker without saving to USB.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name />
</q1:Text>
</q1:Policy>
<q1:Policy>
<q1:Name>Prevent memory overwrite on restart</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled.

If you enable this policy setting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase the risk of exposing BitLocker secrets.

If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.

</q1:Explain>
<q1:Supported>Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008, Windows 7, and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Provide the unique identifiers for your organization</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.

The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.

You can configure the identification fields on existing drives by using manage-bde.exe.

If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.

When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.

If you disable or do not configure this policy setting, the identification field is not required.

Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption</q1:Category>
<q1:EditText>
<q1:Name>BitLocker identification field:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>TMCCADMNBitLocker</q1:Value>
</q1:EditText>
<q1:EditText>
<q1:Name>Allowed BitLocker identification field:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>TMCCADMNBitLocker</q1:Value>
</q1:EditText>
</q1:Policy>
<q1:Policy>
<q1:Name>Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.

If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

Note: You might need to set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS backup for BitLocker is available on Microsoft TechNet.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

If you select the option to "Require BitLocker backup to AD DS" BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recovery password may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, BitLocker recovery information is not backed up to AD DS.

Note: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the "Turn on TPM backup to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information is also backed up.
</q1:Explain>
<q1:Supported>Windows Server 2008 and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption</q1:Category>
<q1:CheckBox>
<q1:Name>Require BitLocker backup to AD DS</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>If selected, cannot turn on BitLocker if backup fails (recommended default). </q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name>Select BitLocker recovery information to store:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Recovery passwords and key packages</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:Text>
<q1:Name />
</q1:Text>
<q1:Text>
<q1:Name>A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Key packages may help perform specialized recovery when the disk is damaged or corrupted. </q1:Name>
</q1:Text>
</q1:Policy>
<q1:Policy>
<q1:Name>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems.

If this policy setting is enabled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on FAT formatted fixed drives" check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note: This policy setting does not apply to drives that are formatted with the NTFS file system.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Do not install BitLocker To Go Reader on FAT formatted fixed drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Choose how BitLocker-protected fixed drives can be recovered</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow data recovery agent</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>Configure user storage of BitLocker recovery information:</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 48-digit recovery password</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 256-bit recovery key</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Omit recovery options from the BitLocker setup wizard</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>Save BitLocker recovery information to AD DS for fixed data drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:DropDownList>
<q1:Name>Configure storage of BitLocker recovery information to AD DS:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Backup recovery passwords and key packages</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Configure use of smart cards on fixed data drives</q1:Name>
<q1:State>Disabled</q1:State>
<q1:Explain>This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on fixed data drives" check box.

Note: These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives.

If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Deny write access to fixed drives not protected by BitLocker</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Allow enhanced PINs for startup</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.

Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.

Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.

If you disable or do not configure this policy setting, enhanced PINs will not be used.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
</q1:Policy>
<q1:Policy>
<q1:Name>Choose how BitLocker-protected operating system drives can be recovered</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow data recovery agent</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>Configure user storage of BitLocker recovery information:</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 48-digit recovery password</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 256-bit recovery key</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Omit recovery options from the BitLocker setup wizard</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>Save BitLocker recovery information to AD DS for operating system drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:DropDownList>
<q1:Name>Configure storage of BitLocker recovery information to AD DS:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Store recovery passwords and key packages</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Do not enable BitLocker until recovery information is stored to AD DS for operating system drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Configure minimum PIN length for startup</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:Numeric>
<q1:Name>Minimum characters:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>4</q1:Value>
</q1:Numeric>
</q1:Policy>
<q1:Policy>
<q1:Name>Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different from the PCR settings described for computers that use a standard BIOS.

Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
</q1:Explain>
<q1:Supported>Windows Server 2008, Windows 7, and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:Text>
<q1:Name>A platform validation profile consists of a set of Platform Configuration Register (PCR) indices. Each PCR index is associated with components that run when Windows starts.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Use the check boxes below to choose the PCR indices to include in the profile.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Exercise caution when changing this setting.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>We recommend the default of PCRs 0, 2, 4, 8, 9, 10, and 11.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>For BitLocker protection to take effect, you must include PCR 11.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Consult online documentation for more information about the benefits and risks of changing the default TPM platform validation profile.</q1:Name>
</q1:Text>
<q1:CheckBox>
<q1:Name>PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 1: Platform and Motherboard Configuration and Data</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 2: Option ROM Code</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 3: Option ROM Configuration and Data</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 4: Master Boot Record (MBR) Code</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 5: Master Boot Record (MBR) Partition Table</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 6: State Transition and Wake Events</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 7: Computer Manufacturer-Specific</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 8: NTFS Boot Sector</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 9: NTFS Boot Block</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 10: Boot Manager</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 11: BitLocker Access Control</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 12: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 13: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 14: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 15: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 16: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 17: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 18: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 19: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 20: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 21: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 22: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 23: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Configure TPM platform validation profile for BIOS-based firmware configurations</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firmware.

If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11).

Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
</q1:Explain>
<q1:Supported>At least Windows Server 2012 or Windows 8</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:Text>
<q1:Name>A platform validation profile consists of a set of Platform Configuration Register (PCR) indices. Each PCR index is associated with components that run when Windows starts.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Use the check boxes below to choose the PCR indices to include in the profile.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Exercise caution when changing this setting.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>We recommend the default of PCRs 0, 2, 4, 8, 9, 10, and 11.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>For BitLocker protection to take effect, you must include PCR 11.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Consult online documentation for more information about the benefits and risks of changing the default TPM platform validation profile.</q1:Name>
</q1:Text>
<q1:CheckBox>
<q1:Name>PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 1: Platform and Motherboard Configuration and Data</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 2: Option ROM Code</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 3: Option ROM Configuration and Data</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 4: Master Boot Record (MBR) Code</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 5: Master Boot Record (MBR) Partition Table</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 6: State Transition and Wake Events</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 7: Computer Manufacturer-Specific</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 8: NTFS Boot Sector</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 9: NTFS Boot Block</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 10: Boot Manager</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 11: BitLocker Access Control</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 12: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 13: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 14: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 15: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 16: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 17: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 18: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 19: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 20: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 21: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 22: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>PCR 23: Reserved for Future Use</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Require additional authentication at startup</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>Settings for computers with a TPM:</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name>Configure TPM startup:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name>Configure TPM startup PIN:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Require startup PIN with TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name>Configure TPM startup key:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow startup key with TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name>Configure TPM startup key and PIN:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow startup key and PIN with TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:Text>
<q1:Name />
</q1:Text>
</q1:Policy>
<q1:Policy>
<q1:Name>Require additional authentication at startup (Windows Server 2008 and Windows Vista)</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.

Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN).

A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.

If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.
</q1:Explain>
<q1:Supported>Windows Server 2008 and Windows Vista</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Operating System Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>Settings for computers with a TPM:</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name>Configure TPM startup key:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow startup key with TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name>Configure TPM startup PIN:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Require startup PIN with TPM</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:Text>
<q1:Name>Important: If you require the startup key, you must not allow the startup PIN. </q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.</q1:Name>
</q1:Text>
<q1:Text>
<q1:Name>Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.</q1:Name>
</q1:Text>
</q1:Policy>
<q1:Policy>
<q1:Name>Allow access to BitLocker-protected removable data drives from earlier versions of Windows</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems.

If this policy setting is enabled or not configured, removable data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on FAT formatted removable drives" check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.

If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note: This policy setting does not apply to drives that are formatted with the NTFS file system.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Removable Data Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Do not install BitLocker To Go Reader on FAT formatted removable drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Choose how BitLocker-protected removable drives can be recovered</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for removable data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. If you select "Backup recovery password only" only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected removable data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Removable Data Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow data recovery agent</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:Text>
<q1:Name>Configure user storage of BitLocker recovery information:</q1:Name>
</q1:Text>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 48-digit recovery password</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:DropDownList>
<q1:Name />
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Allow 256-bit recovery key</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Omit recovery options from the BitLocker setup wizard</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>Save BitLocker recovery information to AD DS for removable data drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
<q1:DropDownList>
<q1:Name>Configure storage of BitLocker recovery information to AD DS:</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Value>
<q1:Name>Backup recovery passwords and key packages</q1:Name>
</q1:Value>
</q1:DropDownList>
<q1:CheckBox>
<q1:Name>Do not enable BitLocker until recovery information is stored to AD DS for removable data drives</q1:Name>
<q1:State>Enabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:Policy>
<q1:Name>Control use of BitLocker on removable drives</q1:Name>
<q1:State>Enabled</q1:State>
<q1:Explain>This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.

When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information on suspending BitLocker protection.

If you do not configure this policy setting, users can use BitLocker on removable disk drives.

If you disable this policy setting, users cannot use BitLocker on removable disk drives.

</q1:Explain>
<q1:Supported>At least Windows Server 2008 R2 or Windows 7</q1:Supported>
<q1:Category>Windows Components/BitLocker Drive Encryption/Removable Data Drives</q1:Category>
<q1:CheckBox>
<q1:Name>Allow users to apply BitLocker protection on removable data drives</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
<q1:CheckBox>
<q1:Name>Allow users to suspend and decrypt BitLocker protection on removable data drives</q1:Name>
<q1:State>Disabled</q1:State>
</q1:CheckBox>
</q1:Policy>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>UseMBAMServices</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>UseKeyRecoveryService</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>KeyRecoveryServiceEndPoint</q1:Name>
<q1:ExpString>http://dr-vmbam.tmccadmn.tmcc.edu/MBAMRecoveryAndHardwareService/CoreService.svc</q1:ExpString>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>KeyRecoveryOptions</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>ClientWakeupFrequency</q1:Name>
<q1:Number>90</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>UseStatusReportingService</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>StatusReportingServiceEndpoint</q1:Name>
<q1:ExpString>http://dr-vmbam.tmccadmn.tmcc.edu/MBAMComplianceStatusService/StatusReportingService.svc</q1:ExpString>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>StatusReportingFrequency</q1:Name>
<q1:Number>600</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>ShouldEncryptFixedDataDrive</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>AutoUnlockFixedDataDrive</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>ShouldEncryptOSDrive</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>OSDriveProtector</q1:Name>
<q1:Number>1</q1:Number>
</q1:Value>
</q1:RegistrySetting>
<q1:RegistrySetting>
<q1:KeyPath>SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement\Configuration</q1:KeyPath>
<q1:AdmSetting>false</q1:AdmSetting>
<q1:Value>
<q1:Name>CustomerExperienceImprovementProgram</q1:Name>
<q1:Number>0</q1:Number>
</q1:Value>
</q1:RegistrySetting>
</Extension>
<Name>Registry</Name>
</ExtensionData>
</Computer>

Answered 09/24/2019 by: SMal.tmcc
Red Belt

  • No, I don't want to have users remember another password on boot up every time they start their computers. I made a comment above that it is working now all of a sudden with a test computer. The only difference is between a normal style SSD using TPM 1.2 and a chip style SSD using TPM 2.0.
    • Yea, I saw that reply.
      I think you are correct on the versions; I just googled the differences between them and the hierarchy is very different. If you have older DCs in your domain, that will affect how BitLocker works also. We went to using PINs for each department, so every BitLockered machine in a certain department uses the same PIN. Only staff can get into any of these, so security is still within the organization, but if someone steals one they cannot get in.
      • Oh, you know what... we did just swap out our DC from Server 2012 to Server 2016 just last weekend. Could that be related?
      • Yes, we ran into a problem with BitLocker and KMS that required us to go from 12r2 to 16. We just went to 19 because of KMS for Windows LTSC and Office 19.
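The thread's root cause is that the OS-drive policies only gate the drive that the TPM boots from; once the same disk is mounted as a data drive in a dock, it is the fixed and removable data-drive policies (and the protectors actually present on the volume) that decide whether a prompt appears. The following PowerShell audit is an added example, not part of the original post or of the GPO report above: it lists every volume with its protector types and flags the cases that lead to the behaviour the question describes, and it checks whether the MBAM values shown in the report (`UseMBAMServices`, `ShouldEncryptFixedDataDrive`, `AutoUnlockFixedDataDrive`, and so on) have actually been applied to the client. The function names `Get-BitLockerCoverageReport` and `Test-MbamPolicyApplied` are my own; the script assumes an elevated PowerShell session on the managed client with the built-in BitLocker module (`Get-BitLockerVolume`) available, and the registry path and value names come from the report above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit which volumes BitLocker
# really protects, and whether the MBAM policy values from the GPO report
# have reached this client. Function names are hypothetical.

function Get-BitLockerCoverageReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # Password, ExternalKey (also used for auto-unlock), RecoveryPassword,
        # AdAccountOrGroup.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("protection is $($vol.ProtectionStatus) (status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted)")
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # The report's GPO sets "Require startup PIN with TPM"; a bare Tpm
            # protector means the disk unlocks with no user secret at all.
            if ($types -contains 'Tpm' -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
                $findings.Add('OS drive unlocks with TPM only, no startup PIN')
            }
        }
        else {
            # A data volume is readable as soon as it is mounted unless it has its
            # own protector; a recovery password alone is not a day-to-day gate.
            $dataGates = @('Password', 'ExternalKey', 'AdAccountOrGroup')
            if (-not ($types | Where-Object { $dataGates -contains $_ })) {
                $findings.Add('data volume has no password/auto-unlock/AD protector')
            }
        }

        [PSCustomObject]@{
            MountPoint  = $vol.MountPoint
            VolumeType  = $vol.VolumeType
            Protection  = $vol.ProtectionStatus
            Method      = $vol.EncryptionMethod
            Protectors  = ($types -join ',')
            Findings    = ($findings -join '; ')
        }
    }
}

function Test-MbamPolicyApplied {
    [CmdletBinding()]
    param(
        # Key path and expected values are taken from the GPO report above.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    )

    $expected = [ordered]@{
        UseMBAMServices             = 1
        UseKeyRecoveryService       = 1
        KeyRecoveryOptions          = 1
        UseStatusReportingService   = 1
        ShouldEncryptOSDrive        = 1
        OSDriveProtector            = 1
        ShouldEncryptFixedDataDrive = 1
        AutoUnlockFixedDataDrive    = 1
    }

    $actual = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [PSCustomObject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = $value
            Applied  = ($null -ne $value -and [int]$value -eq $expected[$name])
        }
    }
}

# Usage: run both checks and surface only the problems.
Get-BitLockerCoverageReport | Where-Object Findings | Format-Table -AutoSize
Test-MbamPolicyApplied | Where-Object { -not $_.Applied } | Format-Table -AutoSize
```

Run it on the "control" machine that prompted correctly and on one that did not: if the data-volume rows differ in `Protectors`, the drive was never encrypted as a data drive, which matches the accepted answer; if the `Test-MbamPolicyApplied` rows differ, the newer GPO simply has not reached the older clients yet, which matches the TPM 1.2 versus 2.0 observation in the comments without needing a hardware explanation.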
