Group Policies regarding Bitlocker and TPM

Last time we talked about what TPM is and how it works and also about clean boot of pcr’s. This time I will like to throw some light on group policies involved with bitlocker.

I will only talk about a few and not all. There is a group policy which if enabled makes user to store backup recovery information in AD which later helps in recovering the OS partition by the help of help desk admin. By default this group policy is enabled but we can disable it too. If due to some problem when you are in the process of enabling bitlocker and unable to access DC, you will get an error message and it won’t let you to enable bitlocker as it is not able to see DC and won’t be able to store backup recovery information. There are few options with this group policy…. Require bitlocker backup to AD DS. If this is unselected you will be able to enable bitlocker even if unable to see DC but will get an event logged on and no error message to the user. You can backup recovery passwords or key packages or both and TPM owner password hash too. You can also choose encryption algorithm and key size but by default it is AES 128-bit with diffuser. I will try to explain what we mean by diffuser in one of the next entries. There is another group policy which makes user to use multi factor authentication which is TPM + pin or TPM + startup key on USB. With longhorn bitlocker (also with vista sp1) you will be able to use TPM+ pin+ USB too. Similarly there are few other group policies for TPM like turn on TPM owner password backup to AD, by default this policy is enabled. You can also block a few TPM commands with another group policy.

Computer configuration-administrative templates-windows components-bitlocker drive encryption

Computer configuration-administrative templates-system-trusted platform module services.

Gaurav Anand

------------------------------

This posting is provided "AS IS" with no warranties, and confers no rights.