Windows 10 enterprise bitlocker configuration free
For more information about the BitLocker repair tool, see Repair-bde. With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery. To require the use of a password, select Require password for fixed data drive. In addition, similar to the feature of the operating system drive, you will get the same additional options and a few more, including: Passwords can’t be used if FIPS compliance is enabled. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. It works with BitLocker to help protect user data and to ensure that a computer hasn’t been tampered with while the system was offline. If BdeHdCfg.
With this policy setting, it can be set whether BitLocker protection is required for fixed data drives to be writable on a computer. BitLocker recovery information includes the recovery password and unique identifier data. Important Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July , or they could receive extended support until April Mauro Huculak. For more information about the BitLocker repair tool, see Repair-bde. The BitLocker Setup Wizard presents users with ways to store recovery options.
In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it’s written to the disk. SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features.
Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware.
If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements. For more information about encrypted hard drives, see Encrypted hard drive. An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience.
In fact, the more transparent a security solution becomes, the more likely users are to conform to it. It’s crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users.
This protection shouldn’t be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided. Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place.
The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren’t as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection.
For more information, see BitLocker Countermeasures. Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
However, this configuration comes with some costs. You must be an administrator to perform these procedures. For more information about setting this policy, see System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. When a computer transitions to Sleep, open programs and documents are persisted in memory. This might lead to conditions where data security is compromised. However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker.
Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn’t have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. The scope of the values can be specific to the version of the operating system.
PCR 7 measures the state of Secure Boot. Secure Boot ensures that the computer’s preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform.
This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. Note For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can’t connect to the domain controller at startup.
Important Not all computers support enhanced PIN characters in the preboot environment. Note These settings are enforced when turning on BitLocker, not when unlocking a volume. Note These settings are enforced when turning on BitLocker, not when unlocking a drive. Note BitLocker doesn’t require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. Warning This policy doesn’t apply to encrypted drives.
Note The Choose drive encryption method and cipher strength policy setting doesn’t apply to hardware-based encryption. Note This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method.
Note This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. Note If the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box is selected, a recovery password is automatically generated. Important To prevent data loss, you must have a way to recover BitLocker encryption keys.
Note This policy setting doesn’t prevent the user from saving the recovery password in another folder. Note If the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box is selected, a recovery password is automatically generated. Important Not all characters and languages are supported in the pre-boot environment. Important Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can’t return the policy setting to the default setting by selecting the Not Configured option after you have configured this policy setting.
Warning Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. Note Changing from the default platform validation profile affects the security and manageability of your computer.
Warning Changing from the default platform validation profile affects the security and manageability of your computer. Important This group policy setting only applies to computers with a native UEFI firmware configuration. Note The setting that controls boot debugging 0x is always validated, and it has no effect if it’s included in the inclusion or the exclusion list.
The options of the Require additional authentication at startup policy apply. With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). If one authentication method is required, the other methods can’t be allowed. Users can configure advanced startup options in the BitLocker Setup Wizard.
Users can configure only basic options on computers with a TPM. Existing drives that were protected by using standard startup PINs aren’t affected. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.
Users can configure a startup PIN of any length between 6 and 20 digits. DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.
With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. Passwords can’t be used if FIPS-compliance is enabled. Users can configure a password that meets the requirements you define.
The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur. With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server can set up an additional authentication method that is required each time the computer starts.
If you choose to require an additional authentication method, other authentication methods can’t be allowed. The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.
In this basic wizard, no additional startup key or startup PIN can be configured. With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. Users can’t use smart cards to authenticate their access to BitLocker-protected fixed data drives.
Smart cards can be used to authenticate user access to a BitLocker-protected drive. With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. Passwords are supported with the default settings, which don’t include password complexity requirements and require only eight characters.
With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. Users aren’t allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.
Smart cards are available to authenticate user access to a BitLocker-protected removable data drive. With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.
To require the use of a password, select Require password for removable data drive. With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.
The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field’s value on the drive matches the value that is configured for the identification field.
The allowed identification field is used in combination with the Deny write access to removable drives not protected by BitLocker policy setting to help control the use of removable drives in an organization. It’s a comma-separated list of identification fields from an internal organization or external organizations. The identification fields on existing drives can be configured by using the Manage-bde command-line tool. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization.
Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to characters. This policy setting is used to control whether the computer’s memory will be overwritten the next time the computer is restarted.
BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. A platform validation profile consists of a set of PCR indices that range from 0 to The default platform validation profile secures the encryption key against changes to the following PCRs:
Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on the inclusion or exclusion, respectively, of the PCRs. This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server , or Windows 7.
This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. This group policy setting only applies to computers with a native UEFI firmware configuration.
A platform validation profile consists of a set of PCR indices ranging from 0 to This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery.
A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to For more information about the recovery process, see the BitLocker recovery guide.
A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to The setting that controls boot debugging 0x is always validated, and it has no effect if it’s included in the inclusion or the exclusion list.
The use of a recovery key is permitted. This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. The optional recovery key can be saved to a USB drive.
Only administrators can perform these procedures. For more information about setting this policy, see System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. A PC’s default power settings will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life.
When a computer transitions to Sleep, open programs and documents are persisted in memory. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised. However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker.
Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn’t have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
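The following PowerShell script is an added example, not code from the Microsoft documentation quoted on this page. It applies the recommendation above only where it matters: it checks whether the operating system volume uses a multifactor protector (TPM+PIN or TPM+startup key), and if so configures the active power scheme to never enter standby (S1-S3) and to hibernate instead, so that resuming always passes through preboot authentication. It assumes an elevated session and that the operating system drive is C:; the power-setting GUID used with powercfg is the "Allow standby states (S1-S3) when sleeping" setting under the Sleep subgroup.

```powershell
# Added example (not Microsoft's own code). Assumes: elevated PowerShell,
# OS drive C:, and a policy of preferring Hibernate over Sleep only when
# BitLocker uses a PIN or startup key (TPM-only mode is unaffected).

$osVol = Get-BitLockerVolume -MountPoint "C:"
$types = @($osVol.KeyProtector.KeyProtectorType)

# TpmPin, TpmStartupKey and TpmPinStartupKey all require user input at preboot;
# a bare Tpm protector does not, so Sleep vs. Hibernate makes no difference there.
$multiFactor = $types -match '^Tpm(Pin|StartupKey|PinStartupKey)$'

if (-not $multiFactor) {
    Write-Output "No multifactor BitLocker protector on C:; leaving power settings unchanged."
    return
}

# Make sure a hibernation file exists so the machine can hibernate at all.
powercfg /hibernate on

# Disallow standby states on AC and battery. The GUID is the "Allow standby
# states (S1-S3) when sleeping" setting in the SUB_SLEEP subgroup; 0 = disallow.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP ABFC2519-3608-4C2A-94EA-171B0ED546AB 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP ABFC2519-3608-4C2A-94EA-171B0ED546AB 0

# Never sleep on idle; hibernate after 30 minutes on AC and 15 on battery instead.
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 30
powercfg /change hibernate-timeout-dc 15

# Re-apply the scheme so the changes take effect, then show the supported states.
powercfg /setactive SCHEME_CURRENT
powercfg /a
```

The idle timeouts (30 and 15 minutes) are illustrative values; in a managed environment the same settings are usually delivered through the Power Management Group Policy templates rather than per-machine powercfg calls, but the resulting configuration is the same.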
The scope of the values can be specific to the version of the operating system. PCR 7 measures the state of Secure Boot. Secure Boot ensures that the computer’s preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides greater flexibility to manage the preboot configuration.
Note This policy is ignored when a volume is being shrunk or expanded and the BitLocker driver uses the current encryption method. Note This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. Note If the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box is selected, a recovery password is automatically generated.
Important To prevent data loss, there must be a way to recover BitLocker encryption keys. Note This policy setting doesn’t prevent the user from saving the recovery password in another folder. Note If the Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives check box is selected, a recovery password is automatically generated. Important Not all characters and languages are supported in the pre-boot environment.
Important Because BCDEdit commands can be altered manually before Group Policy settings have been set, the policy setting can’t be returned to the default setting by selecting the Not Configured option after this policy setting has been configured. Warning Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. Note Changing from the default platform validation profile affects the security and manageability of a computer. Warning Changing from the default platform validation profile affects the security and manageability of a computer.
The options of the Require additional authentication at startup policy apply. With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). If one authentication method is required, the other methods can’t be allowed.
Users can configure advanced startup options in the BitLocker Setup Wizard. Users can configure only basic options on computers with a TPM. Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker. Existing drives that were protected by using standard startup PINs aren’t affected.
The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. The required minimum length of startup PINs set by users can be set between 4 and 20 digits.
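The script below is an added example written for this page; it is not code from the Microsoft documentation quoted here. It puts the preceding policy passages together in working form: it turns on BitLocker for the operating system drive with a TPM+PIN protector (the second factor discussed above), adds a numerical recovery password, escrows it to AD DS, and then lists the protectors so the TPM protector's platform validation profile (the PCR set from the platform-validation passages earlier on this page) can be reviewed. It assumes an elevated session on a domain-joined, TPM-equipped machine whose "Require additional authentication at startup" policy permits a startup PIN, and that the operating system drive is C:.

```powershell
# Added example (not Microsoft's own code). Assumptions: elevated PowerShell,
# domain-joined machine with a TPM, OS drive C:, Group Policy allowing a
# TPM+PIN protector and AD DS escrow of recovery information.

$Drive = "C:"

# 1. Record the current state before changing anything.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} is {1} ({2}% encrypted); protectors: {3}" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, (@($vol.KeyProtector.KeyProtectorType) -join ", ")

# 2. Collect the startup PIN interactively rather than hard-coding it. The policy's
#    minimum length (6 by default, configurable between 4 and 20) is enforced here.
$pin = Read-Host -Prompt "Startup PIN" -AsSecureString

# 3. Protect the OS drive with TPM+PIN. Used-space-only encryption is appropriate
#    for a new volume; a drive that already held data should be fully encrypted,
#    since deleted files remain recoverable until overwritten.
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $pin
} elseif (-not (@($vol.KeyProtector.KeyProtectorType) -contains "TpmPin")) {
    Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $pin | Out-Null
}

# 4. Ensure a recovery password exists and escrow it to AD DS, so the drive can
#    still be recovered when the platform measurements change (e.g. firmware update).
$vol = Get-BitLockerVolume -MountPoint $Drive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
}
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 5. Verify the result. manage-bde prints the TPM protector's "PCR Validation
#    Profile", which should match the platform validation profile set by policy.
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
manage-bde -protectors -get $Drive
```

Enable-BitLocker schedules a hardware test unless -SkipHardwareTest is given, so encryption starts after the next restart confirms the TPM and PIN can unlock the drive; the recovery password should already be in AD DS before that restart, which is why step 4 runs before the reboot.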
If you have only one C: drive and want to protect your personal files, read our article: How to protect your personal files on C: drive? It’s similar to BitLocker in as much as it lets you protect your data from access by unauthorized individuals but there are some differences between the two features.
BitLocker provides you with more tools for managing your encrypted drives than device encryption does. Step 3: Click on the Device encryption item. Step 4: In the “Devices encryption” section of Settings, click the button labeled “Turn on” to activate it. M3 BitLocker Loader for Windows also provides this feature if you’re using it. You can also do the same thing in the Disk Management app. If you’ve forgotten or don’t have the password but have the recovery key that you saved during the encryption process, click on “More options” then “Enter recovery key”.
Enter the digit BitLocker recovery key to unlock the BitLocker encrypted drive. You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. Yes, BitLocker supports multifactor authentication for operating system drives.
For requirements, see System requirements. Dynamic disks are not supported by BitLocker.