Windows 8 : Managing BitLocker and other policy-based mobility tools (part 1) - Configuring BitLocker policies

6/21/2014 9:33:34 PM

Configuring BitLocker policies

BitLocker is an encryption technology that encrypts an entire volume. Encrypting File System (EFS) encrypts specified files and folders, which allows granular control but makes management more difficult because the encrypted files or folders can be anywhere on the disk. With BitLocker, the entire volume is encrypted, and unlocking it requires either a Trusted Platform Module (TPM) chip in the computer or an alternate method of authentication, such as a startup key stored on a USB flash drive.

Using policies to configure BitLocker allows the settings to be centrally managed if the computer or device is managed by Active Directory. If the computer or device is not managed by Active Directory, the same policy settings can be applied by using the Local Group Policy Editor. Configuring the settings for a local policy uses the same concepts as configuring Group Policy in Active Directory; the difference is that the settings apply only to the local computer or to user accounts on the local computer.

If the computer joins an Active Directory domain and a conflicting setting exists within the domain, the local computer's setting is overridden by the setting from Active Directory.

Policy settings for BitLocker include the following:

  • Fixed Data Drives

    • Configure Use Of Smart Cards On Fixed Data Drives

    • Deny Write Access To Fixed Drives Not Protected By BitLocker

    • Configure Use Of Hardware-Based Encryption For Fixed Data Drives

    • Enforce Drive Encryption Type On Fixed Data Drives

    • Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows

    • Configure Use Of Passwords For Fixed Data Drives

    • Choose How BitLocker-Protected Fixed Drives Can Be Recovered

  • Operating System Drives

    • Allow Network Unlock At Startup

    • Allow Secure Boot For Integrity Validation

    • Require Additional Authentication At Startup

    • Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista)

    • Disallow Standard Users From Changing The PIN Or Password

    • Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates

    • Allow Enhanced PINs For Startup

    • Configure Minimum PIN Length For Startup

    • Configure Use Of Hardware-Based Encryption For Operating System Drives

    • Enforce Drive Encryption Type On Operating System Drives

    • Configure Use Of Passwords For Operating System Drives

    • Choose How BitLocker-Protected Operating System Drives Can Be Recovered

    • Configure TPM Platform Validation Profile For BIOS-Based Firmware Configuration

    • Configure TPM Platform Validation Profile (Windows Vista, Windows Server 2008, Windows 7, And Windows Server 2008 R2)

    • Configure TPM Platform Validation Profile For Native Unified Extensible Firmware Interface (UEFI) Firmware Configurations

    • Reset Platform Validation Data After BitLocker Recovery

    • Use Enhanced Boot Configuration Data Validation Profile

    • Store BitLocker Recovery Information In Active Directory Domain Services (AD DS) (Windows Server 2008 And Windows Vista)

    • Choose Default Folder For Recovery Password

    • Choose How Often Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista)

    • Choose Drive Encryption Method And Cipher Strength

    • Choose Drive Encryption Method And Cipher Strength (Windows Vista, Windows Server 2008, Windows Server 2008 R2, And Windows 7)

    • Provide The Unique Identifiers For Your Organization

    • Prevent Memory Overwrite On Restart

    • Validate Smart Card Certificate Usage Rule Compliance

Figure 1 displays the Local Group Policy Editor with the BitLocker policy objects displayed.

Figure 1. BitLocker configured by using policy settings to centralize management of the feature

To configure the local policy settings, complete the following steps:

  1. Launch the Local Group Policy Editor by searching for gpedit.msc on the Start screen or typing gpedit.msc in the Run dialog box (Windows logo key+R).

  2. Expand the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path.

  3. Select the policy object you want to work with.

  4. Select Enabled.

  5. Review the explanation provided with the object and configure available options as needed.

  6. Tap or click OK to save the changes.
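Once the policy objects above are enabled, the Local Group Policy Editor writes them as values under HKLM\SOFTWARE\Policies\Microsoft\FVE. The following PowerShell script is an added example, not part of the original article: it audits the values behind several of the listed policy objects and compares them with the live state reported by Get-BitLockerVolume. The registry value names are assumptions taken from the BitLocker ADMX template; verify them against your own gpedit.msc settings before relying on the output.

```powershell
# Added example (not from the original article): audit the BitLocker policy values that the
# Local Group Policy Editor writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compare them
# with the live protection state. Value names are assumed from the BitLocker ADMX template.
# A value that is absent means the policy object is "Not Configured".
# Run in an elevated PowerShell on Windows 8 or later (needs the BitLocker module).

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

function Get-PolicyValue([string]$Name) {
    if ($pol -and $pol.PSObject.Properties[$Name]) { $pol.$Name } else { 'Not Configured' }
}

# Each check maps a policy object named in the article to the registry value behind it.
# For the TPM PIN option: 0 = do not allow, 1 = allow, 2 = require (assumed ADMX encoding).
$checks = @(
    @{ Policy = 'Require Additional Authentication At Startup';        Value = 'UseAdvancedStartup' },
    @{ Policy = '  Allow BitLocker without a compatible TPM';          Value = 'EnableBDEWithNoTPM' },
    @{ Policy = '  Configure TPM startup PIN (0/1/2)';                  Value = 'UseTPMPIN' },
    @{ Policy = 'Configure Minimum PIN Length For Startup';            Value = 'MinimumPIN' },
    @{ Policy = 'Allow Enhanced PINs For Startup';                      Value = 'UseEnhancedPin' },
    @{ Policy = 'Deny Write Access To Fixed Drives Not Protected';      Value = 'FDVDenyWriteAccess' },
    @{ Policy = 'Choose How Operating System Drives Can Be Recovered';  Value = 'OSRecovery' },
    @{ Policy = '  Save OS drive recovery information to AD DS';       Value = 'OSActiveDirectoryBackup' },
    @{ Policy = 'Provide The Unique Identifiers (identification field)'; Value = 'IdentificationField' }
)

'--- Policy values under {0} ---' -f $fve
foreach ($c in $checks) {
    '{0,-60} {1,-24} {2}' -f $c.Policy, $c.Value, (Get-PolicyValue $c.Value)
}

# Live state: which key protectors does each volume actually carry?
'--- BitLocker volume state ---'
foreach ($v in Get-BitLockerVolume) {
    $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    '{0,-4} {1,-16} {2,-8} {3}' -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $types
}

# Flag a policy/state mismatch: PIN required by policy but no TPM+PIN protector on the OS drive.
if ((Get-PolicyValue 'UseTPMPIN') -eq 2) {
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os.KeyProtector.KeyProtectorType -notcontains 'TpmPin') {
        Write-Warning 'Policy requires a TPM startup PIN, but the OS drive has no TpmPin protector.'
    }
}
```

The policy values describe what new encryption operations must look like; a drive encrypted before the policy was applied keeps its existing protectors, which is why the script reports both.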
