Right-click it, and choose Edit.Īpply the following settings under Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Bitlocker Drive Encryption: In this example, we will use OU=Admin Machines,OU=Staff_Computers,OU=Staff.Ĭreate a new GPO object (i.e.
Store BitLocker recovery information in Active Directory Domain Services = Enabled.
Provide the unique idendifiers for your organization = Enabled.
Allowed BitLocker identification field = SD57.
Choose how BitLocker-protected fixed drives can be recovered = Enabled.
Save BitLocker recovery information to AD DS for fixed data drives.
Backup recovery passwords and key packages.
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives.
Require additional authentication at startup = Enabled.
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
Do not allow startup key and PIN with TPM.
Configure use of hardware-based encryption for operating system drives = Enabled.
Use BitLocker software-based encryption when hardware encryption is not available.
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption.
Choose how BiLocker-protected operating system drives can be recovered = Enabled.
Omit recovery options from the BitLocker setup wizard.
Configure use of hardware-based encryption for removable data drives = Enabled.
Restrict crypto algorithms or cipher suites to the following: `2.16.840.1.101.3.4.1.2 2.
Configure use of passwords for removable data drives = Enabled.
Require password for removable data drive.
Minimum password length for removable data drive = 8.
Choose how BitLocker-protected removable drives can be recovered = EnabledĬlose the Group Policy Management Console.
Update the Group Policy from the command prompt: Right-click on the C: and choose “Turn on Bitlocker”. The wizard will start, then ask you to enter a PIN that is between 6-20 numbers long. On the next screen, choose “New encryption mode” and click Next On the next screen, choose “Encrypt used disk space only” and click Next Enter it, then click “Set PIN” to continue.
0 kommentar(er)
