What Group Policy settings are used with BitLocker?

BitLocker Drive Encryption Group Policy settings can be set for specific classes of BitLocker-protected drives in your organization (or on the local computer, through local policy, if it is not joined to a domain). This gives administrators the ability to define policy based on how a drive is used rather than one policy for every drive. These policy settings can be applied to:

  • All drives

    These policy settings apply to all BitLocker-protected drives.

  • Operating system drives

    This is the drive on the local computer on which the operating system is installed.

  • Fixed data drives

    These are drives that are permanently installed on the local computer and cannot be removed while the computer is running.

  • Removable data drives

    These are drives designed to be removed from one computer and used on another while the computer is running, such as USB flash drives and external hard disks.

BitLocker Group Policy settings

BitLocker Group Policy settings are located in the Local Group Policy Editor or the Group Policy Management Console in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. The following table lists the Group Policy settings that can be used to control BitLocker usage.

Applicable drive: All drives

  • Choose default folder for recovery password
  • Choose drive encryption method and cipher strength
  • Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
  • Prevent memory overwrite on restart
  • Provide the unique identifiers for your organization
  • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
  • Validate smart card certificate usage rule compliance

Applicable drive: Operating system drives

  • Allow enhanced PINs for startup
  • Choose how BitLocker-protected operating system drives can be recovered
  • Configure minimum PIN length for startup
  • Configure TPM platform validation profile
  • Require additional authentication at startup
  • Require additional authentication at startup (Windows Server 2008 and Windows Vista)

Applicable drive: Fixed data drives

  • Allow access to BitLocker-protected fixed data drives on earlier versions of Windows
  • Choose how BitLocker-protected fixed drives can be recovered
  • Configure use of passwords for fixed data drives
  • Configure use of smart cards on fixed data drives
  • Deny write access to fixed data drives not protected by BitLocker

Applicable drive: Removable data drives

  • Allow access to BitLocker-protected removable data drives on earlier versions of Windows
  • Choose how BitLocker-protected removable drives can be recovered
  • Configure use of passwords for removable data drives
  • Configure use of smart cards on removable data drives
  • Control use of BitLocker on removable drives
  • Deny write access to removable data drives not protected by BitLocker

Group Policy usage scenarios

The following table describes some common scenarios in which Group Policy settings might be used.

Scenario: Require BitLocker on all removable drives.

Setting name: Deny write access to removable data drives not protected by BitLocker

Description: This policy setting specifies whether BitLocker protection is required before a removable data drive is writable on the computer. If you enable it, removable data drives protected by BitLocker are mounted with read and write access, while drives that are not BitLocker-protected are mounted read-only. If the policy is disabled or not configured, all removable data drives are mounted with read and write access. Note the precedence rule: if the Removable Disks: Deny write access policy setting in User Configuration\Administrative Templates\System\Removable Storage Access is also enabled, the operating system applies that setting instead of this BitLocker setting, and every removable disk becomes read-only for that user, protected or not.

Scenario: Require recovery passwords to be stored in Active Directory Domain Services (AD DS).

Setting names:
  • Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
  • Choose how BitLocker-protected operating system drives can be recovered
  • Choose how BitLocker-protected fixed drives can be recovered
  • Choose how BitLocker-protected removable drives can be recovered

Description: These policy settings configure the recovery options on BitLocker-protected drives. Recovery options are the methods by which a BitLocker-protected drive can be unlocked when the user's normal key protector is not available. They include certificate-based data recovery agents, a 48-digit recovery password, a 256-bit recovery key, and storing the recovery information in AD DS where an administrator can retrieve it. A separate policy can be configured for operating system drives, fixed drives, and removable drives. If you use this policy with a data recovery agent, you must also configure the Provide the unique identifiers for your organization policy setting (listed under All drives above; it sets the BitLocker identification field) so that a unique identifier is written to each drive newly enabled with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives: BitLocker manages and updates data recovery agents only when an identification field is present on the drive and matches the value configured on the computer.

Scenario: Require the use of a complex password with a minimum length.

Setting names:
  • Configure use of passwords for fixed data drives
  • Configure use of passwords for removable data drives

Description: These policy settings specify whether a password can be used to access BitLocker-protected data drives. Passwords can include letters, numbers, and symbols and must be at least eight characters long. If you allow passwords, you can also require that a password be used, enforce complexity requirements on it, and configure a longer minimum length. This policy can be configured for fixed and removable data drives only; operating system drives use a PIN or other startup protector instead.

Scenario: Require the use of smart cards for BitLocker on data drives.

Setting names:
  • Configure use of smart cards on removable data drives
  • Configure use of smart cards on fixed data drives

Description: These policy settings specify whether smart cards can be used to authenticate user access to the BitLocker-protected data drives on a computer. If you enable them, smart cards can be used to authenticate user access to the data drives, and both settings offer an option to require smart card authentication before BitLocker can be turned on for the drive. Be aware of the limit of this enforcement: the requirement applies when BitLocker is turned on, not when a drive is unlocked. BitLocker will unlock a drive with any protector that exists on the drive, so a drive that also carries a password or recovery protector can still be opened without the card.

Scenario: Enable the use of more complex personal identification numbers (PINs) that include uppercase and lowercase letters, symbols, numbers, and spaces at startup.

Setting name: Allow enhanced PINs for startup

Description: This policy setting specifies whether enhanced startup PINs can be used with BitLocker. Enhanced startup PINs permit characters including uppercase and lowercase letters, symbols, numbers, and spaces. The setting is applied when you turn on BitLocker: if it is enabled, all newly set BitLocker startup PINs are enhanced PINs. Some computers cannot accept enhanced PINs in the pre-boot environment (the firmware keyboard layout may not map the characters the user typed at setup), so it is strongly recommended that users perform the system check offered during BitLocker setup. This policy is configurable only for operating system drives. To learn more, look under "Key management" in BitLocker Drive Encryption in Windows 7: Frequently Asked Questions.
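The scenarios above all reduce to registry values that the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE when the policy is applied, which makes the effective policy on a computer auditable. The following script is an added example written for this page, not code from the original article or from Microsoft. It reads those values and reports, per scenario, whether the setting is actually enforced, including the Removable Storage Access override and the identification-field prerequisite for data recovery agents. The value names (RDVDenyWriteAccess, OSRecovery, FDVPassphraseLength, UseEnhancedPin, and so on) are those used by the Windows 7 / Windows Server 2008 R2 VolumeEncryption.admx; confirm them against the ADMX deployed in your environment before relying on the exact names, and run the script in an elevated PowerShell session after gpupdate /force.

```powershell
# Added example: audit the effective BitLocker Group Policy for the scenarios in the table.
# Value names are taken from the Windows 7 BitLocker ADMX (VolumeEncryption.admx); verify
# against your own ADMX. Null means "Not configured" (key or value absent).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Scenario, [bool]$Enforced, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Scenario = $Scenario; Enforced = $Enforced; Detail = $Detail }))
}

# 1. Require BitLocker on all removable drives
#    ("Deny write access to removable data drives not protected by BitLocker").
$rdvDeny = Get-PolicyValue $fve 'RDVDenyWriteAccess'
Add-Finding 'Require BitLocker on removable drives' ($rdvDeny -eq 1) "RDVDenyWriteAccess=$rdvDeny"

#    Precedence caveat from the scenario text: the per-user "Removable Disks: Deny write
#    access" setting wins when enabled. It is stored under the Removable Disks device
#    class GUID in the user hive, so check the hive of the logged-on user.
$rsa = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$userDeny = Get-PolicyValue $rsa 'Deny_Write'
if ($userDeny -eq 1) {
    Add-Finding 'Removable Storage Access override active' $true `
        'Deny_Write=1: all removable disks read-only for this user, BitLocker-protected or not'
}

# 2. Require recovery passwords to be escrowed in AD DS, per drive class.
#    Each "Choose how ... can be recovered" setting uses a prefix (OS, FDV, RDV) with:
#    Recovery=1 (policy enabled), RecoveryPassword (0=do not allow, 1=allow, 2=require),
#    ActiveDirectoryBackup=1 (save to AD DS), RequireActiveDirectoryBackup=1
#    (do not enable BitLocker until the backup has succeeded).
foreach ($p in 'OS', 'FDV', 'RDV') {
    $enabled  = Get-PolicyValue $fve "${p}Recovery"
    $pw       = Get-PolicyValue $fve "${p}RecoveryPassword"
    $adBackup = Get-PolicyValue $fve "${p}ActiveDirectoryBackup"
    $adReq    = Get-PolicyValue $fve "${p}RequireActiveDirectoryBackup"
    $ok = ($enabled -eq 1) -and ($pw -eq 2) -and ($adBackup -eq 1) -and ($adReq -eq 1)
    Add-Finding "Recovery password escrowed to AD DS ($p drives)" $ok `
        "Recovery=$enabled RecoveryPassword=$pw ActiveDirectoryBackup=$adBackup RequireActiveDirectoryBackup=$adReq"

    # A data recovery agent is only managed when the identification field is configured
    # ("Provide the unique identifiers for your organization").
    if ((Get-PolicyValue $fve "${p}ManageDRA") -eq 1) {
        $idOn  = Get-PolicyValue $fve 'IdentificationField'
        $idStr = Get-PolicyValue $fve 'IdentificationFieldString'
        Add-Finding "Data recovery agent usable ($p drives)" (($idOn -eq 1) -and -not [string]::IsNullOrEmpty($idStr)) `
            "ManageDRA=1 IdentificationField=$idOn IdentificationFieldString='$idStr'"
    }
}

# 3. Require a complex password with a minimum length on data drives
#    ("Configure use of passwords for fixed/removable data drives").
#    Passphrase=1 allows passwords, EnforcePassphrase=1 requires one,
#    PassphraseComplexity (0=allow, 1=require, 2=do not allow), PassphraseLength >= 8.
foreach ($p in 'FDV', 'RDV') {
    $allow   = Get-PolicyValue $fve "${p}Passphrase"
    $require = Get-PolicyValue $fve "${p}EnforcePassphrase"
    $complex = Get-PolicyValue $fve "${p}PassphraseComplexity"
    $length  = Get-PolicyValue $fve "${p}PassphraseLength"
    $ok = ($allow -eq 1) -and ($require -eq 1) -and ($complex -eq 1) -and ($length -ge 8)
    Add-Finding "Complex password with minimum length ($p drives)" $ok `
        "Passphrase=$allow EnforcePassphrase=$require PassphraseComplexity=$complex PassphraseLength=$length"
}

# 4. Require smart cards when turning on BitLocker for data drives
#    ("Configure use of smart cards on fixed/removable data drives"). Remember the text's
#    caveat: this is checked when BitLocker is enabled, not when the drive is unlocked.
foreach ($p in 'FDV', 'RDV') {
    $allow = Get-PolicyValue $fve "${p}AllowUserCert"
    $req   = Get-PolicyValue $fve "${p}EnforceUserCert"
    Add-Finding "Smart card required to enable BitLocker ($p drives)" (($allow -eq 1) -and ($req -eq 1)) `
        "AllowUserCert=$allow EnforceUserCert=$req"
}

# 5. Enhanced startup PINs ("Allow enhanced PINs for startup"), with the configured
#    minimum PIN length for context.
$enhanced = Get-PolicyValue $fve 'UseEnhancedPin'
$minPin   = Get-PolicyValue $fve 'MinimumPIN'
Add-Finding 'Enhanced startup PINs allowed (OS drive)' ($enhanced -eq 1) "UseEnhancedPin=$enhanced MinimumPIN=$minPin"

$findings | Select-Object Scenario, Enforced, Detail | Format-Table -AutoSize -Wrap
```

The report shows what policy demands, not what the drives actually carry; pair it with manage-bde -status and manage-bde -protectors -get <drive letter> on a sample of machines to confirm that drives enabled after the policy took effect really have the required protectors, since policy applied after the fact does not retrofit protectors onto already-encrypted drives.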

For more information about using Group Policy settings with BitLocker, see the BitLocker Drive Encryption Deployment Guide.