I’d like to know if the BitLocker Group Policy offers more configuration options than the BitLocker Drive Encryption panel? Which BitLocker Group Policies can be configured in Windows 10/11? Looking forward to your answer.
Yes, through the Group Policy Editor you can access more detailed and flexible BitLocker settings. Storing BitLocker keys in Active Directory also requires BitLocker Group Policy settings. Here's how to configure BitLocker with Group Policy:
First, press Win + R, type "gpedit.msc", and press Enter to open the Local Group Policy Editor. Then navigate to:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Some key BitLocker settings and options typically available in Group Policy include:
In the Group Policy Editor, BitLocker policies are divided into three sections: Fixed Data Drives, Operating System Drives, and Removable Data Drives. Within each section, you can select the drive encryption type that can be used when enabling BitLocker encryption. Taking Fixed Data Drives as an example:
Step 1 Open the Fixed Data Drives folder and click "Enforce drive encryption type on fixed data drives".
Step 2 Enable it and choose "Used Space Only encryption" (or whichever type you need), as follows:
Step 3 Once this is configured, the system skips the step that prompts you to select the encryption type when you enable BitLocker for a fixed data drive.
Usually the Desktop is the default location for storing the BitLocker recovery key, which is very insecure, so change the default location for saving the recovery key as follows:
Step 1 Double click on "Choose default folder for recovery password".
Step 2 Enable it, paste the target location (for example, %USERPROFILE%\Documents) into the text box, and click "Apply" to save the settings.
The default BitLocker password length is 8, and we can set it longer or require passwords to meet certain complexity requirements: uppercase letters, lowercase letters, digits and non-alphabetic characters, with at least three of these types required.
Step 1 First, set the password complexity requirement. Navigate to
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Step 2 Double click on "Password must meet complexity requirements", and enable it.
Step 3 Return to the BitLocker Drive Encryption settings in Group Policy, open Fixed Data Drives, and click "Configure use of passwords for fixed data drives".
Step 4 Enable it, tick "Require password for fixed data drive", choose "Allow password complexity", then set "Minimum password length for fixed data drive" to 10 and click "Apply".
We can see that when enabling BitLocker for a fixed drive, the option "Use a password to unlock the drive" is selected by default. Additionally, if the password is too short, an error prompt will appear.
If the password length is sufficient but the complexity is not met, an error prompt will also appear. You can apply similar settings to the other two types of drives as well.
The minimum length of a BitLocker startup PIN is 4 digits, and the maximum length is 20 digits. Enhanced PINs can include letters, symbols, digits, and spaces.
Step 1 Open Operating System Drives and double-click "Configure minimum PIN length for startup".
Step 2 Set it to "Enabled", set the minimum PIN length, and click "Apply".
Step 3 Double-click "Allow enhanced PINs for startup" and enable it.
Step 4 After completing the settings, when enabling BitLocker encryption for the system drive and setting a password, you may receive the following prompt:
The encryption method used by BitLocker is configurable. Choose which encryption mode to use (such as AES-CBC or XTS-AES), and specify the encryption key length.
Step 1 Select the appropriate "Choose drive encryption method and cipher strength" option for your Windows version.
Step 2 Enable it, choose the required encryption method for each drive type, and apply the changes.
Define how the Trusted Platform Module (TPM) is used to protect keys and encryption operations, and whether the user must enter a PIN or use a USB startup key to unlock BitLocker-encrypted drives, or a combination of TPM, startup PIN and USB startup key.
Step 1 Open the Operating System Drives folder and double-click "Require additional authentication at startup".
Step 2 Enable it, set "Configure TPM startup PIN" to "Required", and apply it.
Note: You can configure this policy to enable BitLocker without TPM.
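The whole procedure above, scripted, as an added example that is not part of the original answer and not Microsoft's own tooling. Local Group Policy stores these BitLocker settings under the registry policy key HKLM\SOFTWARE\Policies\Microsoft\FVE, so the same configuration can be applied and audited from PowerShell. The value names are taken from VolumeEncryption.admx as I know it; confirm them against the ADMX on your build before deploying. $MinPinLength, $MinPasswordLength, the recovery folder and the Test-FvePolicy baseline are illustrative choices. Run elevated on Windows 10/11 Pro or Enterprise.

```powershell
# Added example: apply the BitLocker Group Policy settings from the answer via the
# registry-backed policy key, then audit them. Not from the original answer.
# Assumptions: value names per VolumeEncryption.admx; $MinPinLength, $MinPasswordLength
# and the recovery folder are illustrative. Requires an elevated session.
#Requires -RunAsAdministrator
$Fve               = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MinPinLength      = 8                         # policy range is 4-20
$MinPasswordLength = 10                        # policy range is 8-20
$RecoveryFolder    = '%USERPROFILE%\Documents' # the answer's example; a folder on the same disk is not key escrow

function Set-FvePolicy {
    param([string]$Name, [object]$Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }
    New-ItemProperty -Path $Fve -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Enforce the encryption type (1 = Full, 2 = Used Space Only) for all three drive classes.
Set-FvePolicy FDVEncryptionType 2
Set-FvePolicy OSEncryptionType  2
Set-FvePolicy RDVEncryptionType 2

# 2. Default folder offered when the user picks "Save to a file" for the recovery key.
Set-FvePolicy DefaultRecoveryFolder $RecoveryFolder -Type String

# 3. Passwords on fixed data drives: required, complexity required, minimum length.
#    Complexity: 0 = do not allow, 1 = require, 2 = allow (the answer chose "Allow").
Set-FvePolicy FDVPassphrase           1
Set-FvePolicy FDVEnforcePassphrase    1
Set-FvePolicy FDVPassphraseComplexity 1
Set-FvePolicy FDVPassphraseLength     $MinPasswordLength

# 4. Startup PIN: minimum length and enhanced (letters/symbols/spaces) PINs.
Set-FvePolicy MinimumPIN     $MinPinLength
Set-FvePolicy UseEnhancedPin 1

# 5. Cipher: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
Set-FvePolicy EncryptionMethodWithXtsOs  7
Set-FvePolicy EncryptionMethodWithXtsFdv 7
Set-FvePolicy EncryptionMethodWithXtsRdv 7

# 6. "Require additional authentication at startup": TPM + PIN mandatory, no TPM-less fallback.
#    Protector values: 0 = do not allow, 1 = require, 2 = allow.
Set-FvePolicy UseAdvancedStartup 1
Set-FvePolicy EnableBDEWithNoTPM 0   # set to 1 only for the no-TPM case the answer's note mentions
Set-FvePolicy UseTPM             0   # bare TPM unlock not allowed, so the PIN cannot be skipped
Set-FvePolicy UseTPMPIN          1
Set-FvePolicy UseTPMKey          0
Set-FvePolicy UseTPMKeyPIN       0

# 7. Recovery for OS drives: the recovery password must reach AD DS before encryption starts.
Set-FvePolicy OSRecovery                     1
Set-FvePolicy OSActiveDirectoryBackup        1
Set-FvePolicy OSRequireActiveDirectoryBackup 1
Set-FvePolicy OSActiveDirectoryInfoToStore   1   # 1 = recovery passwords and key packages

# Audit: read the effective policy back and report anything weaker than this baseline.
function Test-FvePolicy {
    $p = Get-ItemProperty -Path $Fve
    $findings = @()
    if ($p.UseTPMPIN -ne 1 -or $p.UseTPM -ne 0)   { $findings += 'OS drive does not require TPM+PIN' }
    if ($p.EnableBDEWithNoTPM -eq 1)              { $findings += 'BitLocker without TPM is allowed' }
    if ($p.MinimumPIN -lt 6)                      { $findings += "Minimum PIN length is $($p.MinimumPIN)" }
    if ($p.EncryptionMethodWithXtsOs -ne 7)       { $findings += 'OS drive cipher is not XTS-AES 256' }
    if ($p.OSRequireActiveDirectoryBackup -ne 1)  { $findings += 'Recovery password is not required to reach AD DS' }
    return $findings
}

$issues = Test-FvePolicy
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'BitLocker policy matches the baseline.' }

# What is actually protecting C: today; the policy only governs future Enable-BitLocker runs.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Two caveats a practitioner will want. First, these policies apply when a volume is encrypted, not retroactively: a drive already encrypted with AES-CBC keeps that method until it is decrypted and re-encrypted, which is why the script ends by reading the real state with Get-BitLockerVolume. Second, on a domain-joined machine the domain GPO rewrites this key on the next refresh, so put the settings in the domain policy rather than editing the local key; and prefer escrowing the recovery password in AD DS (or Microsoft Entra ID) over any "default folder", since a recovery key stored on the same disk it unlocks offers no recovery when that disk is what fails or is stolen.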