Use these settings to set the constraints for passwords to unlock BitLocker-protected OS drives. If you disable or don't configure this policy setting, BitLocker doesn't use enhanced PINs.įor more information on how to create this policy with Windows PowerShell, see New-CMEnhancedPIN. Require ASCII-only PINs: Help make enhanced PINs more compatible with computers that limit the type or number of characters that you can enter in the pre-boot environment. If you enable this setting, all new BitLocker startup PINs allow the user to create enhanced PINs. Before you enable its use, evaluate whether your devices are compatible with this feature. Not all computers can support enhanced PINs in the pre-boot environment. The user enters this PIN when the computer boots to unlock the drive. Select protector for operating system drive: Configure it to use a TPM and PIN, or just the TPM.Ĭonfigure minimum PIN length for startup: If you require a PIN, this value is the shortest length the user can specify. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN). On devices with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. If you allow this option, Windows prompts the user to specify a BitLocker password. This setting allows BitLocker to encrypt the OS drive, even if the device doesn't have a TPM. If you have devices without a Trusted Platform Module (TPM), use the option to Allow BitLocker without a compatible TPM (requires a password). If the drive is already encrypted, and you disable this setting, BitLocker decrypts the drive. If you don't configure this policy, BitLocker protection isn't required on the OS drive. If you disable it, the user can't protect the drive. If you enable this setting, the user has to protect the OS drive, and BitLocker encrypts the drive. Operating system drive encryption settings The settings on this page configure the encryption settings for the drive on which Windows is installed. Set this field on all targeted USB devices, and align it with this setting.įor more information on how to create this policy with Windows PowerShell, see New-CMUidPolicy. If your organization requires higher security measurements, configure the Identification field. When you don't configure this policy, BitLocker doesn't use the Identification field. Organization unique identifiersĬonfigure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader. When you don't configure this policy, BitLocker uses the default object identifier 1.3.6.1.4.1.311.67.1.1 to specify a certificate.įor more information on how to create this policy with Windows PowerShell, see New-CMScCompliancePolicy. Then specify the certificate Object identifier. Validate smart card certificate usage rule complianceĬonfigure this policy to use smartcard certificate-based BitLocker protection. When you don't configure this policy, BitLocker removes its secrets from memory when the computer restarts.įor more information on how to create this policy with Windows PowerShell, see New-CMNoOverwritePolicy. To work around this issue, enable this setting and set an explicit value for cipher strength.Ĭonfigure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart. If you use the default value, the BitLocker Computer Compliance report may display the cipher strength as unknown. If the drive is already encrypted or is in progress, any change to these policy settings doesn't change the drive encryption on the device. If you disable or don't configure these settings, BitLocker uses the default encryption method.Ĭonfiguration Manager applies these settings when you turn on BitLocker. General usage notes for drive encryption and cipher strength If you need to use a removable drive on devices that don't run Windows 10, use AES-CBC.įor more information on how to create this policy with Windows PowerShell, see New-CMBLEncryptionMethodWithXts. On Windows 10 or later devices, the AES encryption supports cipher block chaining (CBC) or ciphertext stealing (XTS). BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |