#Security #Windows #Microsoft #Encryption #GroupPolicy

>[!info] BitLocker Drive Encryption
>This guide covers BitLocker implementation using Group Policy. BitLocker is part of Microsoft's comprehensive encryption strategy, alongside [[Microsoft EFS|Encrypting File System (EFS)]] for file-level encryption.

>[!related]
>Related encryption solutions:
>- [[Full Encryption implementation]] - Complete encryption strategy
>- [[Microsoft EFS]] - File-level encryption
>- [[HMS Unit for encryption]] - Hardware security module integration

### BitLocker Group Policy Configuration

1. **Enable TPM Initialization**: Make sure that the TPM (Trusted Platform Module) is correctly initialized and ownership is taken. This ensures the TPM can be used for storing BitLocker keys.
2. **Require Additional Authentication at Startup**: Configure the policy to require additional authentication methods, such as a PIN or a USB key. This adds an extra layer of security beyond the TPM alone.
3. **Configure Recovery Password and Key Storage**: Mandate that recovery passwords are stored in Active Directory. This makes it easier to recover keys if a user forgets their PIN or loses their USB key.
4. **Deny Write Access to Removable Drives Not Protected by BitLocker**: Ensure that users can only write data to removable drives if they're BitLocker-protected. This helps prevent data leaks.
5. **Choose Drive Encryption Method and Cipher Strength**: Opt for the strongest encryption method available. AES 256-bit encryption is usually the safest choice.
6. **Enable BitLocker Network Unlock**: This allows devices to automatically unlock BitLocker when they are connected to a trusted network, reducing unnecessary recovery key prompts.
7. **Auto-Unlock for Fixed Data Drives**: Disable this feature to ensure that all fixed data drives require authentication upon each connection.
8. **Enable Secure Boot**: Require devices to boot with Secure Boot to ensure that the device's firmware hasn't been tampered with.

While setting these policies, always remember to balance security and usability. Communicate changes to your team and provide training if needed so everyone knows how to handle encrypted drives and recovery keys properly.
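As an added example that is not part of the original note, the following PowerShell audit checks a domain-joined client against items 1 to 5 and 8 above from an elevated session. It assumes the OS volume is mounted at C: and reads the removable-drive setting from the registry value Group Policy writes under the FVE policy key.

```powershell
# Added audit example: verifies the host against the BitLocker policy items above.
# Run elevated on the client. Assumes the OS volume is C:.
$findings = @()

# 1. TPM initialised and ready (needed for TPM-based key protectors)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings += 'TPM is not present or not ready' }

# 8. Secure Boot enabled; the cmdlet throws on legacy BIOS, which is itself a finding
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
} catch { $findings += 'Secure Boot state could not be read (legacy BIOS firmware?)' }

$os = Get-BitLockerVolume -MountPoint 'C:'

# 5. Cipher strength: expect XTS-AES 256 on the OS volume
if ($os.EncryptionMethod -ne 'XtsAes256') {
    $findings += "OS volume uses $($os.EncryptionMethod), expected XtsAes256"
}

# 2. Additional startup authentication: a TPM+PIN protector should be present
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'TpmPin') { $findings += 'No TPM+PIN protector on the OS volume' }

# 3. Recovery password exists and can be escrowed to Active Directory
$rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $findings += 'No recovery password protector on the OS volume'
} else {
    try {
        # Re-escrowing the existing protector is idempotent, so it doubles as a
        # live check that AD backup works from this host.
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
    } catch { $findings += "AD backup of recovery password failed: $($_.Exception.Message)" }
}

# 4. Removable drives: the policy value written for 'Deny write access'
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$deny = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
if ($deny -ne 1) { $findings += 'RDVDenyWriteAccess policy is not set on this host' }

if ($findings.Count -eq 0) { 'All BitLocker policy checks passed' } else { $findings }
```

Items 6 and 7 depend on server-side Network Unlock infrastructure and per-drive auto-unlock state, so they are best verified from the GPO report rather than from the client.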