Dell Recommended Policies for Dell Encryption Enterprise BitLocker Manager
Summary: Dell Encryption Enterprise BitLocker Manager (formerly Dell Data Protection | BitLocker Manager) offers protection and security by leveraging Microsoft's integrated full volume encryption protocol, commonly referenced as BitLocker. ...
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
Affected Products:
- Dell Encryption Enterprise BitLocker Manager
- Dell Data Protection | BitLocker Manager
These products offer a full volume encryption mechanism and multiple scenarios for securing the operating system and the boot cycle against attack.
Dell provides a single pane of glass to manage devices protected with BitLocker, along with a broad ability to report on the protection of these devices.
Note: To view the current protection status of the environment, use the Dashboard entry on the Dell Encryption (formerly Dell Data Protection | Encryption) console.
To set the BitLocker Encryption policies to the Dell recommended values:
- Go to Enterprise.
- Click BitLocker Encryption.
- To view all settings, click Show advanced settings.
The Suggested Settings are below:
Note: This article was last updated November 2019. Policies are for Dell Security Management Server v10.2.9.
| Policy | Dell Recommended Setting | Policy Explanation |
|---|---|---|
| BitLocker Encryption | On | Enables and Disables the BitLocker Manager Plugin (this plug-in is required for all Dell BitLocker manager policies to properly apply) |
| TPM Manager Enabled | On | Enables and Disables the TPM Management Plugin (this plug-in activates the TPM if it is "On" but not properly activated) |
| Disable Sleep Mode | Off | When enabled, during encryption the device is not allowed to go into any sleep state. |
| Encrypt System Drive | Turn On Encryption | When set to Do Not Manage, the local administrators of devices can modify BitLocker. Setting this to Turn On Encryption forces encryption of the volume and local administrators cannot modify it. Setting this to Turn Off Encryption forces a decryption of the volume and local administrators cannot modify it. |
| Encrypt Fixed Drives | Do Not Manage | When set to Do Not Manage, the local administrators of devices can modify BitLocker. Setting this to Turn On Encryption forces encryption of the volume and local administrators cannot modify it. Setting this to Turn Off Encryption forces a decryption of the volume and local administrators cannot modify it. |
| Encrypt Removable Drives | Do Not Manage | When set to Do Not Manage, the local administrators of devices can modify BitLocker. Setting this to Turn On Encryption forces encryption of the volume and local administrators cannot modify it. Setting this to Turn Off Encryption forces a decryption of the volume and local administrators cannot modify it. |
| Require other Authentication at System Startup | Enabled | This property enables the next five policies and allows the protectors they define to be enabled on managed endpoints. |
| Allow BitLocker Encryption Without a Compatible TPM | Enabled | When Enabled, ensures that older TPM models are supported, and enables the ability to escrow BitLocker keys to USB on devices without TPMs. |
| Configure TPM Startup | Required | When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Configure TPM Startup PIN | Do Not Allow | When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Configure TPM Startup Key | Do Not Allow | When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Configure TPM Startup Key and PIN | Do Not Allow | When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Disable BitLocker on Self-Encrypting Drives | Disabled | When set to Enable, if a Self-Encrypting Drive (SED) is detected, BitLocker does not protect the endpoint. Setting this policy to Disabled allows for BitLocker to protect the endpoint, regardless of the disk’s capabilities. |
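The following PowerShell script is an added example, not Dell's code or part of this article. It audits an endpoint's operating system volume against the rows above (TPM Manager Enabled, Encrypt System Drive, and Configure TPM Startup set to Required with the PIN and startup key options set to Do Not Allow) and reports where the endpoint differs. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later) and an elevated session; the function name Test-DellBitLockerStartupPolicy is invented here, and the protector-type strings it compares are the names of the BitLocker module's KeyProtectorType enumeration.

```powershell
# Added example (not Dell's code): read-only audit of the operating system
# volume against the startup-protector policies in the table above.
# Assumes the built-in BitLocker and TrustedPlatformModule modules and
# local administrator rights.
#Requires -RunAsAdministrator

function Test-DellBitLockerStartupPolicy {
    [CmdletBinding()]
    param(
        # Operating system drive; $env:SystemDrive is normally "C:".
        [string]$MountPoint = $env:SystemDrive
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # "TPM Manager Enabled = On" expects a present, ready TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM not present or not ready (TpmPresent=$($tpm.TpmPresent), TpmReady=$($tpm.TpmReady))")
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'OperatingSystem') {
        throw "$MountPoint is not the operating system volume"
    }

    # "Encrypt System Drive = Turn On Encryption" expects protection on and
    # encryption finished, not merely in progress or suspended.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) on $MountPoint")
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus)")
    }

    # "Configure TPM Startup = Required" with PIN and startup key set to
    # Do Not Allow: a TPM-only protector must exist, and no TPM+PIN/key or
    # password protector should be present on the OS volume.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ('Tpm' -notin $types) {
        $findings.Add("No TPM-only key protector (present: $($types -join ', '))")
    }
    $tpmCombined = @($types | Where-Object { $_ -like 'Tpm*' -and $_ -ne 'Tpm' })
    foreach ($t in $tpmCombined + @($types | Where-Object { $_ -eq 'Password' })) {
        $findings.Add("Protector type $t is present but the policy sets it to Do Not Allow")
    }
    # Without a 48-digit recovery password the server-side recovery path
    # described later in this article has nothing to escrow.
    if ('RecoveryPassword' -notin $types) {
        $findings.Add("No recovery password protector on $MountPoint")
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = $types
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

Test-DellBitLockerStartupPolicy | Format-List
```

Run it on a managed endpoint after the policy has applied; a non-empty Findings list shows exactly which row of the table the endpoint does not yet satisfy. The function only reads state, so it can be scheduled from a compliance or monitoring job without changing the volume.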
| Policy | Dell Recommended Setting | Policy Explanation |
|---|---|---|
| Fixed Data Volume Settings | | |
| Configure the Use of Smart Cards on Fixed Data Drives | Disallow | This policy displays the options for protecting a Fixed (non-Operating System Volume) Disk when "Encrypt Fixed Drives" is set to "Turn On Encryption." When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Disallow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Deny Write Access to Fixed Drives Not Protected by BitLocker | Disabled | With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer. When set to Disabled, all fixed data drives on the computer are mounted with Read and Write access. When set to Enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. When set to Enabled for Organization, only users on devices that have the Organization Identifier set within the policy receive "Access denied" error messages when they try to save data to unencrypted fixed data drives; all other devices mount all fixed data drives with Read and Write access. |
| Allow Access to BitLocker Protected Fixed Data Drives from Earlier Versions of Windows | Enabled | When set to Enabled, data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. When set to Disabled, data drives that are formatted with the FAT file system cannot be unlocked on computers running earlier versions of Windows. |
| Do Not Install BitLocker to Go Reader on FAT formatted Fixed Drives | Disabled | When selected, this prevents the BitLocker To Go Reader from being installed, preventing users with devices running older versions of Windows from accessing BitLocker protected drives. |
| Configure Use of Passwords for Fixed Data Drives | Allow | This policy displays the options for protecting a Fixed (non-Operating System Volume) Disk when "Encrypt Fixed Drives" is set to "Turn On Encryption." When set to Required, this is the only option for end users; no prompt is given to the end user on an endpoint. When set to Allow, this setting is offered as a selectable option to the end user; when multiple items are set to "Allow," the end user is presented with a selection box to make their choice. When set to Disallow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Configure Password Complexity for Fixed Data Drives | Require | When set to Required, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. When set to Allow, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the password complexity, and the drive is encrypted by using that password as a protector. When set to Do Not Allow, no password complexity validation is performed. |
| Minimum Password Length for Fixed Data Drives | 8 | Sets the minimum length for passwords for BitLocker protected Fixed-Disk volumes (this setting requires that Configure Use of Passwords for Fixed Data Drives is set to either Require or Allow) |
| Encryption Type for Fixed Data Drives | Full Encryption | This policy controls whether fixed data drives use Used Space Only encryption or Full encryption. Used Space Only is required for Virtual Machines that BitLocker protects. |
| Choose How BitLocker-protected Fixed Drives Can be Recovered | Disabled | Parent to the next seven policies. When Enabled, it allows for the configuration of additional recovery options. When Disabled, recovery is only available through the Dell Security Management Server or Dell Security Management Server Virtual. |
| Allow Data Recovery Agent for Protected Fixed Data Drives | Disabled | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered. The Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected drives. Before a data recovery agent can be used, it must be added from Public Key Policies, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. For more information about how a Data Recovery Agent can be used to recover a BitLocker protected device, see: https://blogs.technet.microsoft.com/askcore/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives/ |
| Configure User Storage of BitLocker 48-digit Recovery Password | Allow | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered. When set to Required, BitLocker recovery information is forced to be generated and accessible to device administrators. When set to Allow, BitLocker recovery information is automatically generated and accessible to device administrators. When set to Do Not Allow, BitLocker recovery information is not created. Note: When set to Do Not Allow, recovery of a BitLocker protected computer may not be possible. |
| Configure User Storage of BitLocker 256-bit Recovery Key | Allow | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered. When set to Required, BitLocker recovery information is forced to be generated and accessible to device administrators. When set to Allow, BitLocker recovery information is automatically generated and accessible to device administrators. When set to Do Not Allow, BitLocker recovery information is not created. Note: When set to Do Not Allow, recovery of a BitLocker protected computer may not be possible. |
| Omit Recovery Options from the BitLocker Setup Wizard | Disabled | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered. Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. When Enabled, the policy setting determines the BitLocker recovery options. |
| Save BitLocker Recovery Information to AD DS for Fixed Data Drives | Enabled | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered. Parent to the next two policies: Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). |
| BitLocker Recovery Information to Store in AD DS | Recovery Passwords and Key Packages | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Fixed Data Drives. Recovery password and key packages, the BitLocker recovery password, and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select Recovery password only, the recovery password is the only thing stored in AD DS. |
| Do Not Enable BitLocker Until Recovery Information is Stored in AD DS for Fixed Data Drives | Disabled | Child of the policy Choose How BitLocker-protected Fixed Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Fixed Data Drives. Select the Do not enable BitLocker until recovery information is stored in AD DS for fixed drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. |
| Configure Use of Hardware-Based Encryption for Fixed Data Drives | Enabled | Parent to the next four policies. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Use Hardware-Based Encryption for Fixed Data Drives | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Fixed Data Drives. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Use BitLocker Software-Based Encryption on Fixed Data Drives When Hardware Encryption is Not Available | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Fixed Data Drives. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Restrict Crypto Algorithms and Cipher Suites Allowed for Hardware-Based Encryption on Fixed Data Drives | Disabled | Child of the policy Configure Use of Hardware-Based Encryption for Fixed Data Drives. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. |
| Configure Specific Crypto Algorithms and Cipher Suites Settings on Fixed Data Drives | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42 | Child of the policy Configure Use of Hardware-Based Encryption for Fixed Data Drives. Encryption algorithms are specified by object identifiers (OID) and are separated by commas. Example OIDs for encryption ciphers: AES 128 in CBC mode is 2.16.840.1.101.3.4.1.2 and AES 256 in CBC mode is 2.16.840.1.101.3.4.1.42. |
| Global Settings | | |
| Default Folder Location to Save Recovery Password | (Blank) | When set, specifies the path that is used as the default folder location when the user chooses the option to save the recovery password in a folder. You can use a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
| Encryption Method and Cipher Strength | AES256 with Diffuser | Note: This policy does not apply to encrypted drives. Encrypted drives use their own algorithm, which the drive sets during partitioning. |
| Enable Organizational Unique Identifiers | Disabled | Parent to the next two policies. When Enabled, allows the configuration of the identification field on BitLocker-protected drives and any allowed identification field that your organization uses. These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. Note: Enable Organizational Unique Identifiers can be used with the Deny write access to removable drives not protected by BitLocker policy setting to help control the use of removable drives in your organization. |
| Set Organizational Unique Identifiers | (Blank) | Child of policy Enable Organizational Unique Identifiers. This is an alphanumeric value to set a unique identifier for your devices to ensure that your company manages them. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. |
| Set Allowed Organizational Unique Identifiers | (Blank) | Child of policy Enable Organizational Unique Identifiers. This is an alphanumeric value to set a unique identifier for your devices to ensure that your company manages them. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. Note: It is recommended that the policy Set Allowed Organizational Unique Identifiers and Set Organizational Unique Identifiers match to avoid issues during recovery. |
| Prevent Memory Overwrite on Restart | Disabled | When Disabled, BitLocker secrets are wiped from memory. When Enabled, BitLocker secrets remain in memory, which may improve performance, though the BitLocker secrets are exposed to additional risk. |
| Enable Smart Card Certificate Identifier | Disabled | When Enabled, the object identifier that is specified in the Object identifier setting of a Certificate must match the object identifier in the policy Smart Card Certificate Identifier. |
| Smart Card Certificate Identifier | 1.3.6.1.4.1.311.67.1.1 | The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier in this policy setting. The default object identifier is 1.3.6.1.4.1.311.67.1.1. |
| Operating System Volume Settings | | |
| Allow Enhanced PINs for Startup | Disabled | Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). Note: Not all computers support enhanced PIN characters in the preboot environment. |
| Number of Characters Required in PIN | 6 | Defines the minimum number of characters that are required for the preboot environment PIN. Note: The minimum length for the BitLocker PIN was increased to six characters, beginning with Windows 10, version 1703. |
| Allow Network Unlock at Startup on Operating System Drives | Disabled | This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. For more information about enabling Network Unlock, reference https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock |
| Allow SecureBoot on Operating System Drives | Enabled | Controls how BitLocker-enabled computer volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. |
| Disallow Standard Users from Changing the PIN on Operating System Drives | Disabled | This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. When Enabled, users who do not have local administrator privileges cannot modify the PIN on the endpoint. When Disabled, all users on an endpoint can modify the preboot PIN. |
| Enable Use of Preboot Keyboard Input on Slates | Enabled | When Enabled, it allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. |
| Reset Platform Validation Data After Recovery | Enabled | When Enabled, platform validation data is refreshed when Windows is started following a BitLocker recovery. When Disabled, platform validation data is not refreshed after a BitLocker recovery. This may cause recoveries after every boot if the platform’s base configuration has changed. |
| Choose How BitLocker-protected Operating System Drives Can be Recovered | Disabled | Parent to the next seven policies. When Enabled, it allows for the configuration of additional recovery options. When Disabled, recovery is only available through the Dell Security Management Server or Dell Security Management Server Virtual. |
| Allow Data Recovery Agent for Protected Operating System Drives | Enabled | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered. Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from Public Key Policies, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. For more information about how a Data Recovery Agent can be used to recover a BitLocker protected device, reference: https://blogs.technet.microsoft.com/askcore/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives/ |
| Configure User Storage of BitLocker 48-digit Recovery Password | Allow | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered. When set to Required, BitLocker recovery information is forced to be generated and accessible to device administrators. When set to Allow, BitLocker recovery information is automatically generated and accessible to device administrators. When set to Do Not Allow, BitLocker recovery information is not created. Note: When set to Do Not Allow, recovery of a BitLocker protected computer may not be possible. |
| Configure User Storage of BitLocker 256-bit Recovery Key | Allow | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered. When set to Required, BitLocker recovery information is forced to be generated and accessible to device administrators. When set to Allow, BitLocker recovery information is automatically generated and accessible to device administrators. When set to Do Not Allow, BitLocker recovery information is not created. Note: When set to Do Not Allow, recovery of a BitLocker protected computer may not be possible. |
| Omit Recovery Options from the BitLocker Setup Wizard | Disabled | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered. Select Omit recovery options from the BitLocker setup wizard to prevent users from specifying recovery options when they enable BitLocker on a drive. When Enabled, the policy setting determines the BitLocker recovery options for the drive. |
| Save BitLocker Recovery Information to AD DS for Operating System Drives | Enabled | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered. Parent to the next two policies: Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). |
| BitLocker Recovery Information to Store in AD DS (Windows Server 2008 Only) | Recovery Password and Key Packages | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Operating System Drives. With Recovery password and key packages, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select Recovery password only, then only the recovery password is stored in AD DS. |
| Do Not Enable BitLocker Until Recovery Information is Stored in AD DS for Operating System Drives | Disabled | Child of the policy Choose How BitLocker-protected Operating System Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Operating System Drives. Select the Do not enable BitLocker until recovery information is stored in AD DS for operating system drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. |
| Configure Use of Hardware-Based Encryption for Operating System Drives | Enabled | Parent to the next four policies. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Use Hardware-Based Encryption for Operating System Drives | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Operating System Drives. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Use BitLocker Software-Based Encryption on Operating System Drives When Hardware Encryption is Not Available | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Operating System Drives. This policy controls how BitLocker reacts to computers that are equipped with encrypted drives when they are used as data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. Having this policy enabled on drives with older firmware may also expose the vulnerabilities outlined at: https://www.kb.cert.org/vuls/id/395981/ |
| Restrict Crypto Algorithms and Cipher Suites Allowed for Hardware-Based Encryption on Operating System Drives | Disabled | Child of the policy Configure Use of Hardware-Based Encryption for Operating System Drives. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. |
| Configure Specific Crypto Algorithms and Cipher Suites Settings on Operating System Drives | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42 | Child of the policy Configure Use of Hardware-Based Encryption for Operating System Drives. Encryption algorithms are specified by object identifiers (OID) and are separated by commas. Example OIDs for encryption ciphers: AES 128 in CBC mode is 2.16.840.1.101.3.4.1.2 and AES 256 in CBC mode is 2.16.840.1.101.3.4.1.42. |
| Encryption Type for Operating System Drives | Full Encryption | This policy controls whether the data drives use Used Space Only encryption or Full encryption. Used Space Only is required for Virtual Machines that BitLocker protects. |
| Configure Use of Passwords for Operating System Drives | Not Configured | This policy controls how non-TPM based computers use the password protector. Used with the Configure Password Complexity for Operating System Drives policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. When Enabled, users can configure a password that meets the requirements you define. When Not Configured or Disabled, the default length constraint of eight characters applies to operating system drive passwords and no complexity checks occur. Note: Passwords cannot be used if FIPS-compliance is enabled. |
| Configure Password Complexity for Operating System Drives | Require | When set to Required, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. When set to Allow, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the password complexity, and the drive is encrypted by using that password as a protector. When set to Do Not Allow, no password complexity validation is performed. |
| Minimum Password Length for Operating System Drives | 8 | Sets the minimum password length for BitLocker protected drives. Note: The settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. |
| Require ASCII-Only Passwords for Operating System Drives | Disabled | When Enabled, Unicode characters are not allowed within the password prompt for Operating System drives. When Disabled, all characters are accepted. |
| Use Enhanced Boot Configuration Data Profile | Not Configured (Altering this policy to a value other than Not Configured may cause recovery prompts to occur when the Hyper-V feature is enabled on Windows 10) | Parent to the next two policies. This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of Platform Configuration Register (PCR) indexes that range from 0 to 23. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use Enhanced Boot Configuration Data Profile Group Policy setting is ignored. |
| Verify other BCD Settings | (Blank) | Child of Use Enhanced Boot Configuration Data Profile. For information about customizing BCD settings, see https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker Note: The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is in the inclusion or the exclusion list. |
| Exclude other BCD Settings | (Blank) | Child of Use Enhanced Boot Configuration Data Profile. For information about customizing BCD settings, see https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker Note: The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is in the inclusion or the exclusion list. |
| Configure TPM Platform Validation Profile | Disabled | Parent of Configure Specific TPM Platform Settings. When Enabled, this policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. |
| Configure Specific TPM Platform Settings | Dell Technologies recommends using Microsoft's current default PCRs unless required otherwise | Child of Configure TPM Platform Validation Profile. A platform validation profile consists of PCR indexes that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the BIOS-era boot components (firmware, option ROMs, the MBR code, the NTFS boot sector and boot block, the boot manager and BitLocker access control) measured into Microsoft's default PCRs for those Windows versions. Adding PCRs that change during normal operation (for example, firmware configuration data) causes recovery prompts after benign changes; removing PCRs weakens the binding of the key to the boot chain. |
| Configure BIOS TPM Platform Validation Profile | Disabled | Parent of Configure Specific BIOS TPM Platform Settings. When set to Enabled, this policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. |
| Configure Specific BIOS TPM Platform Settings | Dell Technologies recommends using Microsoft's current default PCRs unless required otherwise | Child of Configure BIOS TPM Platform Validation Profile. A platform validation profile consists of PCR indexes that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement, BIOS and platform extensions (PCR 0), option ROM code (PCR 2), the Master Boot Record code (PCR 4), the NTFS boot sector (PCR 8), the NTFS boot block (PCR 9), the boot manager (PCR 10) and BitLocker access control (PCR 11). |
| Configure UEFI TPM Platform Validation Profile | Disabled | Parent of Configure Specific UEFI TPM Platform Settings. When set to Enabled, this policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. |
| Configure Specific UEFI TPM Platform Settings | Dell Technologies recommends using Microsoft's current default PCRs unless required otherwise | Child of Configure UEFI TPM Platform Validation Profile. A platform validation profile consists of PCR indexes that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code such as option ROMs (PCR 2), the boot manager (PCR 4) and BitLocker access control (PCR 11). When BitLocker uses Secure Boot for integrity validation, it binds to PCR 7 (Secure Boot state) and PCR 11 instead. |
| Removable Storage Settings | | |
| Allow User to Apply BitLocker Protection on Removable Drives | Enabled | When Enabled, it allows the user to Enable BitLocker to protect Removable Drives. When Disabled, the policy Encrypt Removable Drives controls when BitLocker protects Removable Drives. |
| Allow User to Suspend and Decrypt BitLocker Protection on Removable Data Drives | Enabled | When Enabled, allows the user to remove BitLocker from the drive, or to suspend the encryption while performing maintenance. When Disabled, the policy Encrypt Removable Drives controls when BitLocker protects Removable Drives. |
| Configure Use of Smart Cards on Removable Data Drives | Disallow | When set to Required, this is the only option for end users, and no prompt is given to the end user on an endpoint. When set to Allow, a smart card becomes a selectable option for the end user. When multiple items are set to Allow, the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Deny Write Access to Removable Drives Not Protected by BitLocker | Disabled | This policy setting is used to require that removable drives are encrypted before granting write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. When Enabled, devices that are not BitLocker protected do not allow data to be written to the disk, though data can be read. When Disabled, devices that are not BitLocker protected allow for data to be read and written. |
| Allow Access to BitLocker Protected Removable Data Drives from Earlier Versions of Windows | Enabled | When set to Enabled, data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. When set to Disabled, data drives that are formatted with the FAT file system cannot be unlocked on computers running earlier versions of Windows. |
| Do Not Install BitLocker to Go Reader on FAT formatted Removable Drives | Disabled | When Enabled, this prevents the BitLocker To Go Reader from being installed on the drive, so users with devices running older versions of Windows cannot access the BitLocker-protected drive. |
| Configure Use of Passwords for Removable Data Drives | Allow | When set to Required, this is the only option for end users, and no prompt is given to the end user on an endpoint. When set to Allow, a password becomes a selectable option for the end user. When multiple items are set to Allow, the end user is presented with a selection box to make their choice. When set to Do Not Allow, this option is unavailable and is not selectable either within the Dell Encryption UI or in Windows settings. |
| Configure Password Complexity for Removable Data Drives | Require | When set to Required, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. When set to Allow, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the password complexity, and the drive is encrypted by using that password as a protector. When set to Do Not Allow, no password complexity validation is performed. |
| Minimum Password Length for Removable Data Drives | 8 | Sets the minimum length for passwords for BitLocker protected volumes (this setting requires that Configure Use of Passwords for Removable Data Drives is set to either Require or Allow) |
| Encryption Type for Removable Data Drives | Full Encryption | This policy controls whether data drives use Used Space Only encryption or Full encryption. Used Space Only is required for Virtual Machines that BitLocker protects. |
| Choose How BitLocker-protected Removable Drives Can be Recovered | Disabled | Parent to the next seven policies. When Enabled, it allows for the configuration of additional recovery options. When Disabled, recovery is only available through the Dell Security Management Server or Dell Security Management Server Virtual. |
| Allow Data Recovery Agent for Protected Removable Data Drives | Enabled | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered. Allow data recovery agent check box is used to specify whether a data recovery agent can be used with BitLocker-protected drives. Before a data recovery agent can be used, it must be added from Public Key Policies, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. For more information about how a Data Recovery Agent can be used to recover a BitLocker protected device, see: https://blogs.technet.microsoft.com/askcore/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives/ |
| Configure User Storage of BitLocker 48-digit Recovery Password | Allow | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered. When set to Required, a 48-digit recovery password must be generated for the drive and is made available to device administrators. When set to Allow, a 48-digit recovery password is generated automatically and made available to device administrators. When set to Do Not Allow, no 48-digit recovery password is created. Note: When set to Do Not Allow, recovery of a BitLocker-protected drive may not be possible. |
| Configure User Storage of BitLocker 256-bit Recovery Key | Allow | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered. When set to Required, a 256-bit recovery key must be generated for the drive and is made available to device administrators. When set to Allow, a 256-bit recovery key is generated automatically and made available to device administrators. When set to Do Not Allow, no 256-bit recovery key is created. Note: When set to Do Not Allow, recovery of a BitLocker-protected drive may not be possible. |
| Omit Recovery Options from the BitLocker Setup Wizard for Removable Media | Disabled | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered. When Enabled, users cannot specify recovery options when they turn on BitLocker for a drive; the policy settings determine the recovery options for the drive instead. |
| Save BitLocker Recovery Information to AD DS for Removable Data Drives | Enabled | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered. Parent to the next two policies. When Enabled, BitLocker recovery information is saved to Active Directory Domain Services (AD DS); the next policy chooses which recovery information is stored. |
| BitLocker Recovery Information to Store in AD DS for Removable Data Drives | Recovery Passwords and Key Packages | Child of the policies Choose How BitLocker-protected Removable Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Removable Data Drives. With Recovery Passwords and Key Packages, both the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. With Recovery Password Only, only the recovery password is stored in AD DS. |
| Do Not Enable BitLocker Until Recovery Information is Stored in AD DS for Removable Data Drives | Disabled | Child of the policy Choose How BitLocker-protected Removable Drives Can be Recovered and Save BitLocker Recovery Information to AD DS for Removable Data Drives. Select the Do not enable BitLocker until recovery information is stored in AD DS for Removable drives check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. |
| Configure Use of Hardware-Based Encryption for Removable Data Drives | Enabled | Parent to the next four policies. This policy controls how BitLocker reacts to computers that are equipped with self-encrypting drives when they are used as data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. Note: The Choose Drive Encryption Method and Cipher Strength policy setting does not apply to hardware-based encryption. Enabling this policy on self-encrypting drives with older firmware may also expose the vulnerabilities outlined at https://www.kb.cert.org/vuls/id/395981/ |
| Use Hardware-Based Encryption for Removable Data Drives | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Removable Data Drives. When Enabled, BitLocker uses the drive's own hardware encryption on removable data drives that support it instead of software-based encryption. Note: The Choose Drive Encryption Method and Cipher Strength policy setting does not apply to hardware-based encryption. Enabling this policy on self-encrypting drives with older firmware may also expose the vulnerabilities outlined at https://www.kb.cert.org/vuls/id/395981/ |
| Use BitLocker Software-Based Encryption on Removable Data Drives When Hardware Encryption is Not Available | Enabled | Child of the policy Configure Use of Hardware-Based Encryption for Removable Data Drives. When Enabled, BitLocker falls back to software-based encryption on removable data drives that do not support hardware encryption (or whose hardware encryption is not allowed by the restricted algorithm list). When Disabled, BitLocker cannot be turned on for such drives. |
| Restrict Crypto Algorithms and Cipher Suites Allowed for Hardware-Based Encryption on Removable Data | Disabled | Child of the policy Configure Use of Hardware-Based Encryption for Removable Data Drives. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. |
| Configure Specific Crypto Algorithms and Cipher Suites Settings on Removable Data Drives | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42 | Child of the policy Configure Use of Hardware-Based Encryption for Removable Data Drives. Encryption algorithms are specified by object identifiers (OIDs), listed one after another as in the recommended value. The two OIDs in the recommended value are 2.16.840.1.101.3.4.1.2 (AES-128 in CBC mode) and 2.16.840.1.101.3.4.1.42 (AES-256 in CBC mode). |
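The table above lists what the Dell Security Management Server pushes; it does not show how to confirm, on an endpoint, that the result matches (TPM-bound OS drive, Microsoft's default PCR profile, no unexpected hardware encryption, a 48-digit recovery password escrowed for every protected volume, removable drives fully encrypted). The following PowerShell audit is an added example and is not part of the Dell article or of Dell's own tooling. It assumes a Windows 10/11 client with the built-in BitLocker module, uses Microsoft's default PCR profiles (0, 2, 4, 11 for native UEFI; 7, 11 when Secure Boot is used for integrity validation) as the expected values, treats any volume using hardware (self-encrypting drive) encryption as a finding because of VU#395981, and only attempts AD DS escrow when run with `-BackupToAd` on a domain-joined host. The check names and the parsing of `manage-bde` output are this script's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example; not from the Dell article nor Dell's own tooling. Audits every
# BitLocker volume on this endpoint against the recommended settings in the table
# above and returns one finding per failed check. Assumed (not in the article):
# Windows 10/11 with the BitLocker module; Microsoft's default PCR profiles; the
# VU#395981 rule for hardware encryption; -BackupToAd requires a domain-joined host.
Import-Module BitLocker

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on BIOS/CSM machines; treat that as "not using Secure Boot".
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Get-TpmPcrProfile {
    # manage-bde prints "PCR Validation Profile:" with the PCR list on the same or the next line.
    param([string]$MountPoint)
    $lines = @(& manage-bde.exe -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1].Trim()
            if (-not $list -and ($i + 1) -lt $lines.Count) { $list = $lines[$i + 1].Trim() }
            return @($list -split ',\s*' | Where-Object { $_ -match '^\d+$' })
        }
    }
    return @()
}

function New-Finding([string]$MountPoint, [string]$Check, [string]$Detail) {
    [pscustomobject]@{ MountPoint = $MountPoint; Check = $Check; Detail = $Detail }
}

function Test-BitLockerPolicyCompliance {
    param([switch]$BackupToAd)   # escrow 48-digit recovery passwords to AD DS
    $secureBoot   = Get-SecureBootState
    $expectedPcrs = if ($secureBoot) { @('7', '11') } else { @('0', '2', '4', '11') }
    $findings     = @()

    foreach ($v in Get-BitLockerVolume) {
        $mp    = $v.MountPoint
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Hardware-based encryption is allowed by policy, but VU#395981 showed that
        # several self-encrypting drives implemented it badly: surface it for review.
        if ("$($v.EncryptionMethod)" -eq 'Hardware') {
            $findings += New-Finding $mp 'HardwareEncryption' 'Self-encrypting drive in use; check firmware against VU#395981.'
        }
        # Every protected volume needs a 48-digit recovery password to escrow.
        if ($v.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
            $findings += New-Finding $mp 'RecoveryPassword' 'No 48-digit recovery password protector to escrow.'
        }

        if ($v.VolumeType -eq 'OperatingSystem') {
            if ($v.ProtectionStatus -ne 'On') {
                $findings += New-Finding $mp 'EncryptSystemDrive' "Protection is $($v.ProtectionStatus); Turn On Encryption expects On."
            }
            # Passwords are Not Configured for OS drives, so a TPM-based protector is expected.
            if (-not ($types | Where-Object { $_ -like 'Tpm*' })) {
                $findings += New-Finding $mp 'TpmProtector' "No TPM-based protector; found: $($types -join ', ')."
            } else {
                $pcrs = Get-TpmPcrProfile $mp
                if ($pcrs.Count -gt 0 -and (Compare-Object $pcrs $expectedPcrs)) {
                    $findings += New-Finding $mp 'PcrProfile' "PCRs $($pcrs -join ',') differ from default $($expectedPcrs -join ',') (SecureBoot=$secureBoot)."
                }
            }
        } elseif ((Get-Volume -DriveLetter $mp.TrimEnd(':') -ErrorAction SilentlyContinue).DriveType -eq 'Removable') {
            # Deny Write Access is Disabled, so unencrypted removable drives are permitted; report them anyway.
            if ($v.ProtectionStatus -ne 'On') {
                $findings += New-Finding $mp 'RemovableUnprotected' 'Removable drive is not BitLocker-protected (writes allowed by policy).'
            } elseif ($v.VolumeStatus -ne 'FullyEncrypted') {
                $findings += New-Finding $mp 'EncryptionType' "Volume status is $($v.VolumeStatus); Full Encryption expects FullyEncrypted."
            }
        }

        if ($BackupToAd) {
            foreach ($kp in ($v.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })) {
                try   { Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null }
                catch { $findings += New-Finding $mp 'AdBackup' "Escrow to AD DS failed: $($_.Exception.Message)" }
            }
        }
    }
    return $findings
}

Test-BitLockerPolicyCompliance | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; an empty table means every check passed. A `PcrProfile` finding on a machine that was deliberately configured with a non-default profile is expected and should be reconciled against the Configure Specific ... TPM Platform Settings value in the console rather than changed on the endpoint, since the server re-applies policy.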
Note: For further information about these policies, reference Microsoft's BitLocker Policy Guide: https://technet.microsoft.com/en-us/library/ee706521(v=ws.10).aspx
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
Affected Products: Dell Encryption
Article Properties
Article Number: 000125922
Article Type: How To
Last Modified: 06 Sep 2024
Version: 8