
How to Manage BitLocker with Group Policy

BitLocker has several Group Policy settings located in Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption that you can use to manage the available features. The table below lists these policies, which are written to the registry on targeted computers under the following registry key:

HKLM\Software\Policies\Microsoft\FVE

Table: Group Policy Settings for BitLocker Drive Encryption

Policy: Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 And Windows Vista)
Description: Enabling this policy silently backs up BitLocker recovery information to AD DS. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Policy: Choose Default Folder For Recovery Password
Description: Enabling this policy and configuring a default path sets the default folder displayed when the user saves BitLocker recovery information. The user can override the default.

Policy: Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)
Description: Enabling this policy allows you to control which recovery mechanisms the user can choose. Disabling the recovery password disables saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key disables saving to a USB key. If you disable both options, you must enable AD DS backup or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Policy: Choose Drive Encryption Method And Cipher Strength
Description: Enabling this policy allows configuration of the encryption method used by BitLocker Drive Encryption. If this policy is not enabled, the default is 128-bit AES with Diffuser. The other choices are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES.

Policy: Prevent Memory Overwrite On Restart
Description: Enabling this policy prevents Windows from overwriting memory on restart. This can improve restart performance but potentially exposes BitLocker secrets left in memory.

Policy: Provide The Unique Identifiers For Your Organization
Description: Enable this policy if you want to prevent users from mounting BitLocker-protected drives that might come from outside organizations.

Policy: Validate Smart Card Certificate Usage Rule Compliance
Description: Enable this policy only if you want to restrict users to smart cards whose certificates carry an object identifier (OID) that you specify.

Policy: Operating System Drives\Require Additional Authentication At Startup, or Operating System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)
Description: Enabling this policy allows configuring additional startup options and allows enabling BitLocker on a computer without a compatible TPM. On TPM-compatible computers, a secondary authentication can be required at startup: either a USB key or a startup PIN, but not both.

Policy: Allow Enhanced PINs For Startup
Description: Enhanced PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

Policy: Operating System Drives\Configure Minimum PIN Length For Startup
Description: Enables you to require a minimum PIN length.

Policy: Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered
Description: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password disables saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key disables saving to a USB key.

Policy: Operating System Drives\Configure TPM Platform Validation Profile
Description: Enabling this policy allows detailed configuration of the PCR indices. Each index aligns with Windows features that run during startup.

Policy: Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives
Description: Enables or requires smart cards for BitLocker to protect non-operating-system volumes.

Policy: Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker
Description: Requires drives to be BitLocker-protected before users can save files to them.

Policy: Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows
Description: Allows you to prevent the BitLocker To Go Reader from being copied to fixed data drives, which prevents users of earlier versions of Windows (including Windows Server 2008, Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

Policy: Fixed Data Drives\Configure Use Of Passwords For Fixed Drives
Description: Requires passwords to access BitLocker-protected fixed drives and configures password complexity.

Policy: Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered
Description: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password disables saving to a folder or printing the key, because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key disables saving to a USB key.

For information about BitLocker To Go policies (which are configured in the Removable Data Drives node), refer to the section titled "BitLocker To Go" earlier in this tutorial.
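Because every policy in the table above ends up as a value under HKLM\Software\Policies\Microsoft\FVE, an administrator can verify what policy actually reached a computer by reading that key rather than trusting the GPO editor. The script below is an added example, not part of this tutorial, that audits the settings a reviewer usually checks first (encryption method, AD DS backup of recovery information, memory overwrite on restart, TPM-less startup, PIN rules, and write-deny for unprotected fixed drives) and flags combinations that weaken offline-data protection. It assumes Windows PowerShell 3.0 or later, and the registry value names (EncryptionMethod, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup, MorBehavior, UseAdvancedStartup, EnableBDEWithNoTPM, MinimumPIN, UseEnhancedPin, FDVDenyWriteAccess) are taken from the BitLocker ADMX template (VolumeEncryption.admx) as the author of this example knows them; confirm them against the template shipped with your own Windows version before relying on the output.

```powershell
# Added example (not from the tutorial): audit the BitLocker policy values that
# Group Policy writes under HKLM\Software\Policies\Microsoft\FVE on this computer.
# Assumes PowerShell 3.0+; value names are taken from VolumeEncryption.admx.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Codes written by "Choose Drive Encryption Method And Cipher Strength"
# (Windows 7 / Windows Server 2008 R2 options, value name EncryptionMethod).
$EncryptionMethodNames = @{
    1 = 'AES 128-bit with Diffuser'
    2 = 'AES 256-bit with Diffuser'
    3 = 'AES 128-bit'
    4 = 'AES 256-bit'
}

function Get-BitLockerPolicyAudit {
    [CmdletBinding()]
    param([string]$Path = $FvePolicyPath)

    $result = [ordered]@{}

    # No key at all means no BitLocker GPO has been applied; built-in defaults apply.
    if (-not (Test-Path -Path $Path)) {
        $result['PolicyKeyPresent'] = $false
        $result['Note'] = 'No BitLocker policy applied; defaults apply (AES 128-bit with Diffuser, no AD DS backup).'
        return [pscustomobject]$result
    }
    $result['PolicyKeyPresent'] = $true

    # Get-ItemProperty returns one object whose properties are the registry value names.
    $fve = Get-ItemProperty -Path $Path

    # Return a value only if the policy actually wrote it; otherwise $null ("Not configured").
    function Get-PolicyValue([string]$Name) {
        $prop = $fve.PSObject.Properties[$Name]
        if ($null -ne $prop) { return $prop.Value }
        return $null
    }

    $method = Get-PolicyValue 'EncryptionMethod'
    $result['EncryptionMethod'] =
        if ($null -eq $method) { 'Not configured (default: AES 128-bit with Diffuser)' }
        elseif ($EncryptionMethodNames.ContainsKey([int]$method)) { $EncryptionMethodNames[[int]$method] }
        else { "Unknown code $method" }

    # "Choose How BitLocker-Protected Operating System Drives Can Be Recovered":
    # whether recovery information is backed up to AD DS, and whether the backup is mandatory.
    $result['OSDriveADBackup']         = (Get-PolicyValue 'OSActiveDirectoryBackup') -eq 1
    $result['OSDriveADBackupRequired'] = (Get-PolicyValue 'OSRequireActiveDirectoryBackup') -eq 1

    # "Prevent Memory Overwrite On Restart": 1 means memory is NOT cleared on restart.
    $result['MemoryOverwritePrevented'] = (Get-PolicyValue 'MorBehavior') -eq 1

    # "Require Additional Authentication At Startup".
    $result['AdvancedStartupEnabled']    = (Get-PolicyValue 'UseAdvancedStartup') -eq 1
    $result['BitLockerAllowedWithoutTPM'] = (Get-PolicyValue 'EnableBDEWithNoTPM') -eq 1

    # Startup PIN policies.
    $result['MinimumPINLength']   = Get-PolicyValue 'MinimumPIN'
    $result['EnhancedPINsAllowed'] = (Get-PolicyValue 'UseEnhancedPin') -eq 1

    # "Deny Write Access To Fixed Drives Not Protected By BitLocker".
    $result['DenyWriteToUnprotectedFixedDrives'] = (Get-PolicyValue 'FDVDenyWriteAccess') -eq 1

    return [pscustomobject]$result
}

# Turn the raw audit into findings a reviewer would act on.
function Get-BitLockerPolicyFindings {
    param([Parameter(Mandatory = $true)] $Audit)

    if (-not $Audit.PolicyKeyPresent) {
        return @('No BitLocker policy applied; the computer relies on built-in defaults.')
    }
    $findings = @()
    if (-not $Audit.OSDriveADBackup) {
        $findings += 'Recovery information for OS drives is not backed up to AD DS; a lost recovery password means lost data.'
    }
    elseif (-not $Audit.OSDriveADBackupRequired) {
        $findings += 'AD DS backup is attempted but not required; BitLocker can be enabled while the domain is unreachable.'
    }
    if ($Audit.MemoryOverwritePrevented) {
        $findings += 'Memory overwrite on restart is prevented; BitLocker secrets may remain in RAM across a restart.'
    }
    if ($Audit.BitLockerAllowedWithoutTPM) {
        $findings += 'BitLocker is allowed without a TPM; startup integrity is not validated on those computers.'
    }
    if ($Audit.AdvancedStartupEnabled -and -not $Audit.MinimumPINLength) {
        $findings += 'Additional startup authentication is configured but no minimum PIN length is enforced.'
    }
    if (-not $Audit.DenyWriteToUnprotectedFixedDrives) {
        $findings += 'Users can still write to fixed drives that are not BitLocker-protected.'
    }
    return $findings
}

$audit = Get-BitLockerPolicyAudit
$audit | Format-List
Get-BitLockerPolicyFindings -Audit $audit
```

Run it after gpupdate /force so the key reflects the current policy; an absent key is itself a finding, because it means the computer is running on BitLocker's built-in defaults rather than your organization's settings. Reading HKLM policy keys does not normally require elevation, so the audit can be collected from standard-user sessions or pushed through any remote execution tool you already use for inventory.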
