Control use of BitLocker on removable drives.Deny write access to removable drives not protected by BitLocker.Deny write access to fixed drives not protected by BitLocker.The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. Enable use of BitLocker authentication requiring preboot keyboard input on slates.Validate smart card certificate usage rule compliance.Configure use of passwords on removable data drives.Configure use of smart cards on removable data drives.Configure use of passwords on fixed data drives.Configure use of smart cards on fixed data drives.Require additional authentication at startup (Windows Server 2008 and Windows Vista).Configure use of passwords for operating system drives.
Disallow standard users from changing the PIN or password.Disable new DMA devices when this computer is locked.Configure minimum PIN length for startup.Require additional authentication at startup.Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN.The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.įor more details about Active Directory configuration related to BitLocker enablement, please see Set up MDT for BitLocker. In this situation, you need to suspend BitLocker protection by using the Manage-bde command-line tool, delete the password unlock method, and add the smart card method. Policy settings are changed to disallow passwords and require smart cards. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. For details about those settings, see Trusted Platform Module Group Policy settings.īitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM).