BitLocker Configuration

General Settings

| Setting | Description |
| --- | --- |
| Require device encryption | Prompt users to enable device encryption. Depending on the Windows edition and system configuration, users may be asked: – to confirm that encryption from another provider isn’t enabled; – to turn off BitLocker Drive Encryption and then turn BitLocker back on. |
Encryption methods

| Setting | Description |
| --- | --- |
| Encryption method for operating system drives | |
| Encryption method for fixed data drives | |
| Encryption method for removable data drives | |
| Disable warning about third-party disk encryption | Disable the warning prompt about a third-party disk encryption service being used on the device. Starting in Windows 10, version 1803, this setting is only supported for Azure Active Directory joined devices. |
| Allow running encryption while non-administrator user is logged in | Only supported for Azure Active Directory joined devices. |
AppTec360 Extensions

| Setting | Description |
| --- | --- |
| Silent encryption | If selected along with “Require device encryption”, the AppTec360 Management Service will run automatic silent encryption of the device drives. |
| Automatically generate user credentials | The encrypted OS drive will be protected with automatically generated user credentials: either a TPM PIN when a TPM is available, or a 6-digit textual password. The generated credentials are sent to the email address registered for the given device. If this option is turned off, the only possible protection for silent encryption is the TPM; in that case, silent encryption will fail on devices without a TPM. |
| Encrypt fixed drives | Any available fixed data drives will also be encrypted and protected with “Automatic Unlock”, using a key stored on the OS drive. |
OS Drive Settings

| Setting | Description |
| --- | --- |
| Require additional authentication at startup | This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts. This setting is applied during the setup of BitLocker. If you enable this setting, users can configure advanced startup options in the BitLocker setup wizard. |
| Block BitLocker without a compatible TPM | |
| TPM only | |
| TPM and PIN | |
| TPM and key | |
| TPM, key and PIN | If you want to require the use of a PIN and a USB flash drive (key), the user must set up BitLocker using the command-line tool “manage-bde” instead of the BitLocker Drive Encryption setup wizard. |
| Require minimum PIN length | |
| Minimum characters | |
| Configure pre-boot recovery message and URL | Configure the entire recovery message, or replace the existing URL, that is displayed on the pre-boot key recovery screen when the OS drive is locked. Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use appear correctly on the pre-boot recovery screen. |
| Pre-boot recovery message option | |
| Custom recovery message | |
| Custom recovery URL | |
| OS drive recovery options | This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required credentials. This setting is applied during the setup of BitLocker. By default, a certificate-based data recovery agent is allowed, the recovery options (including the recovery password and recovery key) can be specified by the user, and recovery information is not backed up to AD DS. |
| Block certificate-based data recovery agent | Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. |
| BitLocker recovery password settings | |
| BitLocker recovery key settings | |
| Save BitLocker recovery information to Active Directory Domain Services | |
| AD DS BitLocker recovery storage configuration | Storing the key package supports recovering data from a drive that has been physically corrupted. |
| Require storage of recovery data to AD DS | Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. |
Fixed Drive Settings

| Setting | Description |
| --- | --- |
| Fixed drives recovery options | This setting allows you to control how BitLocker-protected fixed drives are recovered in the absence of the required credentials. This setting is applied during the setup of BitLocker. By default, a certificate-based data recovery agent is allowed, the recovery options (including the recovery password and recovery key) can be specified by the user, and recovery information is not backed up to AD DS. |
| Block certificate-based data recovery agent | |
| BitLocker recovery password settings | |
| BitLocker recovery key settings | |
| Save BitLocker recovery information to Active Directory Domain Services | |
| AD DS BitLocker recovery storage configuration | Storing the key package supports recovering data from a drive that has been physically corrupted. |
| Require storage of recovery data to AD DS | Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: The recovery password is automatically generated. |
| Deny write access to unprotected fixed drives | |
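The OS-drive and fixed-drive settings above boil down to a few checkable conditions on each volume: protection is on, the OS drive carries a TPM+PIN protector, fixed data drives auto-unlock, and a recovery password exists that can be escrowed to AD DS. The following PowerShell audit is an added example, not code from the AppTec360 documentation; it assumes the built-in BitLocker module, an elevated prompt, and (for the `-Remediate` path) a domain-joined computer.

```powershell
# Added example: audit BitLocker volumes against the policy described on this page.
# Assumes the BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector)
# and an elevated session. -Remediate escrows missing recovery passwords to AD DS.
param([switch]$Remediate)

$findings = @()
foreach ($vol in Get-BitLockerVolume) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "${mp}: protection is $($vol.ProtectionStatus)"
    }

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # "Require additional authentication at startup" with TPM and PIN (or TPM, key and PIN)
        if (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $findings += "${mp}: OS drive lacks a TPM+PIN protector (found: $($types -join ', '))"
        }
    }
    else {
        # "Encrypt fixed drives": data volumes should unlock with a key stored on the OS drive
        if (-not $vol.AutoUnlockEnabled) {
            $findings += "${mp}: Automatic Unlock is not enabled"
        }
    }

    # "Require storage of recovery data to AD DS": there must be a recovery password to escrow
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $findings += "${mp}: no recovery password protector"
        continue
    }

    if ($Remediate) {
        # Write each recovery password to the computer object in AD DS; the cmdlet
        # fails if the computer is not domain-joined or cannot reach a domain controller.
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
        }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All BitLocker volumes comply with the configured policy.' }
```

Whether a backup actually landed in AD DS is only visible on the domain side (the msFVE-RecoveryInformation objects under the computer account), so treat a clean local run as necessary, not sufficient.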
Removable Drive Settings

| Setting | Description |
| --- | --- |
| Deny write access to unprotected removable drives | Deny write access to removable data drives which are not protected by BitLocker. Note: If “Removable Disks: Deny write access” is enabled in the group policy, this policy setting will be ignored. |
| Deny write access to devices configured in another organisation | Only drives with identification fields matching the computer’s identification fields will be given write access. These fields are defined by the “Provide the unique identifiers for your organization” group policy setting. |