Scenario 7: Specifying How to Unlock BitLocker-Protected Fixed or Removable Data Drives (Windows 7)

Applies To: Windows 7

In this scenario, you will determine which unlock methods for fixed and removable drives can be used by configuring the appropriate Group Policy settings.

Before you start

To complete the procedures in this scenario:

  • You must be able to provide administrative credentials.

  • Your test computer must be part of a domain if you want to test password complexity requirements.

  • You must have separate fixed data drives and removable drives available.

  • You must boot from a BitLocker-protected operating system drive to use the automatic unlock method with fixed data drives.

  • You must have deployed a public key infrastructure (PKI) architecture for use with smart cards.

  • Your computer must meet BitLocker requirements. For more information, see "Requirements for BitLocker Drive Encryption" in BitLocker Drive Encryption Step-by-Step Guide for Windows 7.

Note

If BitLocker is enabled on the operating system drive, when you turn on BitLocker for a fixed data drive, you will have the option of allowing the drive to be automatically unlocked when the operating system drive is unlocked. The following procedure assumes that the fixed data drive was BitLocker-protected previously and the automatic unlock method was not selected. Removable data drives must have either a password or a smart card unlock method in addition to the automatic unlock method. Automatic unlocking cannot be directly specified by policy settings.

To configure a BitLocker-protected fixed or removable data drive to automatically unlock

  1. Click Start, click Computer, and then right-click the BitLocker-protected fixed or removable data drive that you want to automatically unlock.

  2. Click Manage BitLocker, and then click Automatically unlock this drive on this computer.

To specify password usage for BitLocker-protected fixed or removable data drives

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

  4. By default, passwords can be used with BitLocker to protect fixed data drives. The default settings do not enforce any password complexity requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure use of passwords for fixed data drives to open the policy setting.

  5. Click Disabled to prevent the use of passwords with fixed data drives, or click Enabled, and configure the following settings:

    • Select the Require password for fixed data drive check box if you want to require the user to enter a password to turn on BitLocker on a fixed data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

    • Under Configure password complexity for fixed data drives, you can choose to allow, require, or not allow password complexity rule enforcement with BitLocker fixed data drive passwords.

      If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. In addition, the computer must be connected to the domain when the BitLocker password is set for the drive (such as when BitLocker is turned on or when a password is changed) so that the domain controller can validate that the password specified for the drive meets the complexity rules.

      If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is compliant with the complexity rules defined by the password policy.

      If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a complex password.

    • Under Minimum password length for fixed data drive, you can specify a number between 8 and 99 that defines how long the password specified for the drive must be. Passwords must always be at least 8 characters.

  6. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  7. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

  8. By default, passwords can be used with BitLocker to protect removable data drives. The default settings do not enforce any password complexity requirements but do require that the password be at least 8 characters. To specify different settings, in the details pane, double-click Configure use of passwords for removable data drives to open the policy setting.

  9. Click Disabled to prevent the use of passwords with removable data drives, or click Enabled, and configure the following settings:

    • Select the Require password for removable data drive check box if you want to require the user to enter a password to turn on BitLocker on a removable data drive. If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

    • Under Configure password complexity for removable data drives, you can choose to allow, require, or not allow password complexity rule enforcement with BitLocker removable data drive passwords.

      If you choose Require password complexity, you must have also configured the Password must meet complexity requirements policy setting located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. In addition, the computer must be connected to the domain when the BitLocker password is set for the drive (such as when BitLocker is turned on or when a password is changed) so that the domain controller can validate that the password specified for the drive meets the complexity rules.

      If you choose Allow password complexity, BitLocker will attempt to connect to the domain controller to validate the password, but if a connection is not possible it will accept the password and encrypt the drive by using the password regardless of whether the password is compliant with the complexity rules defined by the password policy.

      If you choose Do not allow password complexity, BitLocker will not attempt to validate whether or not the password specified is a complex password.

    • Under Minimum password length for removable data drive, you can specify a number between 8 and 99 that defines how long the password specified for the drive must be. Passwords must always be at least 8 characters.

  10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  11. Close the Local Group Policy Editor.

  12. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.
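The following audit script is an added example, not part of the original guide. It reports what the two password policies configured above will enforce, read from the registry values that Group Policy writes, and then lists which unlock methods each BitLocker-protected data volume actually has (including whether automatic unlock is enabled), using the Win32_EncryptableVolume WMI class because Windows 7 has no BitLocker cmdlets. The registry key, the FDV/RDV value names and the complexity enum mapping are assumptions taken from the VolumeEncryption.admx template and should be verified against your copy; the protector type numbers are the documented KeyProtectorType values of Win32_EncryptableVolume.

```powershell
# Added audit script, not part of the original guide. Run from an elevated PowerShell
# prompt on Windows 7. It reports (1) what the fixed and removable data drive password
# policies will enforce and (2) the unlock methods each BitLocker-protected data volume has.
#
# Assumptions, to be verified against VolumeEncryption.admx on your system:
#   policy key  HKLM\SOFTWARE\Policies\Microsoft\FVE, value prefixes FDV (fixed) / RDV (removable)
#   <P>Passphrase            1 = Enabled, 0 = Disabled, absent = Not Configured
#   <P>EnforcePassphrase     1 = "Require password" check box selected
#   <P>PassphraseComplexity  0 = Do not allow, 1 = Require, 2 = Allow
#   <P>PassphraseLength      minimum length, 8..99

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ComplexityName = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
# Win32_EncryptableVolume KeyProtectorType values that appear on data drives
$ProtectorName  = @{ 2 = 'External key'; 3 = 'Recovery password'; 7 = 'Smart card'; 8 = 'Password' }

function Get-BitLockerPasswordPolicy {
    param([ValidateSet('FDV','RDV')][string]$Prefix)
    $reg   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $state = $null
    if ($reg) { $state = $reg.($Prefix + 'Passphrase') }
    # Not Configured defaults: passwords allowed, not required, no complexity, minimum 8.
    $policy = New-Object PSObject -Property @{
        Drives           = $(if ($Prefix -eq 'FDV') { 'Fixed' } else { 'Removable' })
        PolicyState      = 'Not Configured'
        PasswordsAllowed = $true
        PasswordRequired = $false
        Complexity       = 'Do not allow'
        MinimumLength    = 8
    }
    if ($state -eq 0) {
        $policy.PolicyState      = 'Disabled'
        $policy.PasswordsAllowed = $false
    } elseif ($state -eq 1) {
        $policy.PolicyState      = 'Enabled'
        $policy.PasswordRequired = ($reg.($Prefix + 'EnforcePassphrase') -eq 1)
        $c = $reg.($Prefix + 'PassphraseComplexity')
        if ($c -ne $null -and $ComplexityName.ContainsKey([int]$c)) { $policy.Complexity = $ComplexityName[[int]$c] }
        $len = $reg.($Prefix + 'PassphraseLength')
        if ($len -ge 8 -and $len -le 99) { $policy.MinimumLength = [int]$len }
    }
    return $policy
}

function Get-BitLockerDataVolumeUnlockMethods {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in @(Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        if (-not $vol.DriveLetter -or $vol.DriveLetter -eq $env:SystemDrive) { continue }  # skip OS drive
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = every protector type
        if (-not $ids) { continue }                             # BitLocker is not turned on
        $types = @()
        foreach ($id in $ids) {
            $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            if ($ProtectorName.ContainsKey($t)) { $types += $ProtectorName[$t] } else { $types += "Type $t" }
        }
        # Win32_LogicalDisk.DriveType: 2 = removable, 3 = local (fixed)
        $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($vol.DriveLetter)'"
        New-Object PSObject -Property @{
            Drive        = $vol.DriveLetter
            Kind         = $(if ($disk.DriveType -eq 2) { 'Removable' } else { 'Fixed' })
            Protectors   = ($types -join ', ')
            HasPassword  = ($types -contains 'Password')
            HasSmartCard = ($types -contains 'Smart card')
            AutoUnlock   = [bool]$vol.IsAutoUnlockEnabled().IsAutoUnlockEnabled
        }
    }
}

$policies = @{ Fixed = (Get-BitLockerPasswordPolicy -Prefix 'FDV'); Removable = (Get-BitLockerPasswordPolicy -Prefix 'RDV') }
$policies.Values | Format-List Drives, PolicyState, PasswordsAllowed, PasswordRequired, Complexity, MinimumLength

$volumes = @(Get-BitLockerDataVolumeUnlockMethods)
$volumes | Format-Table Drive, Kind, Protectors, AutoUnlock -AutoSize

# The policies only take effect when BitLocker is turned on, so a drive protected before
# the policy was set can still lack the protector it now requires. An auto-unlocked drive
# with neither a password nor a smart card can only be opened on this computer or with
# its recovery password.
foreach ($v in $volumes) {
    $p = $policies[$v.Kind]
    if ($p.PasswordRequired -and -not $v.HasPassword) {
        Write-Warning "$($v.Drive) ($($v.Kind)): policy requires a password but the drive has none"
    }
    if ($v.AutoUnlock -and -not ($v.HasPassword -or $v.HasSmartCard)) {
        Write-Warning "$($v.Drive) ($($v.Kind)): auto-unlock only; no password or smart card protector"
    }
}
```

The warnings are the practical check to run after the policy change: a fixed or removable drive that was protected before the policy was applied keeps its old protectors, so the only way to bring it into line is to add a password with manage-bde (for example manage-bde -protectors -add E: -pw) or to decrypt and re-encrypt it.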

To specify smart card usage for BitLocker-protected fixed or removable data drives

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Fixed Data Drives.

  4. By default, smart cards can be used with BitLocker to protect fixed data drives. To require or prevent the use of smart cards, in the details pane, double-click Configure use of smart cards on fixed data drives to open the policy setting.

  5. Click Disabled to prevent the use of smart cards with fixed data drives.

  6. Click Enabled, and select the Require use of smart cards on fixed data drives check box if you want to require the user to insert a smart card to turn on BitLocker.

    If other unlock methods have been configured for the drive, any of those methods may be used to unlock the drive.

  7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  8. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

  9. If you have multiple smart card certificates, you can specify which smart card certificates can be used with BitLocker. To do this, in the details pane, double-click the Validate smart card certificate usage rule compliance policy setting.

    By default, BitLocker looks for smart card certificates whose enhanced key usage (EKU) extension contains the BitLocker object identifier 1.3.6.1.4.1.311.67.1.1. BitLocker does not require a certificate to have an EKU extension at all, but if the certificate has one, it must contain the object identifier configured for BitLocker. To require a different object identifier, set this policy to Enabled and type the value in Object identifier. If you set this policy to Disabled or Not Configured, the default object identifier is used.

  10. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  11. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, click Removable Data Drives.

  12. By default, smart cards can be used with BitLocker to protect removable data drives. To require or prevent the use of smart cards, in the details pane, double-click Configure use of smart cards on removable data drives to open the policy setting.

  13. Click Disabled to prevent the use of smart cards with removable data drives.

  14. Click Enabled, and select the Require use of smart cards on removable data drives check box if you want to require the user to insert a smart card to turn on BitLocker.

  15. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  16. Close the Local Group Policy Editor.

  17. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.
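The script below is an added example, not part of the original guide. It lists the certificates in the current user's personal store and reports which of them BitLocker would accept as a smart card protector under the Validate smart card certificate usage rule compliance policy described above: a certificate with no EKU extension is accepted, and one with an EKU extension must carry the configured object identifier (the default BitLocker OID when the policy is Disabled or Not Configured). The assumption that the policy stores its Object identifier in a CertificateOID value under HKLM\SOFTWARE\Policies\Microsoft\FVE comes from the VolumeEncryption.admx template and should be verified against your copy. Insert the smart card before running so that its certificate is present in the store.

```powershell
# Added example, not from the original guide. Reports which certificates in the current
# user's personal store satisfy the BitLocker smart card EKU rule.
# Assumption (verify in VolumeEncryption.admx): the policy's Object identifier is stored
# in the CertificateOID value under HKLM\SOFTWARE\Policies\Microsoft\FVE.

$DefaultBitLockerOid = '1.3.6.1.4.1.311.67.1.1'
$PolicyKey           = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RequiredBitLockerOid {
    $reg = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($reg -and $reg.CertificateOID) { return [string]$reg.CertificateOID }
    return $DefaultBitLockerOid
}

function Test-BitLockerSmartCardCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RequiredOid
    )
    # Pick out the EKU extension, if the certificate has one.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey   # true when the certificate is linked to a key container (smart card CSP or local key)
        EkuOids       = $(if ($oids.Count) { $oids -join ', ' } else { '(no EKU extension)' })
        # BitLocker rule: no EKU extension is fine; an EKU extension must contain the required OID.
        Usable        = ((-not $eku) -or ($oids -contains $RequiredOid))
    }
}

$required = Get-RequiredBitLockerOid
Write-Host "BitLocker accepts certificates with EKU OID $required or with no EKU extension"
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-BitLockerSmartCardCertificate -Cert $_ -RequiredOid $required } |
    Sort-Object Usable -Descending |
    Format-Table Usable, HasPrivateKey, Subject, EkuOids, NotAfter -AutoSize
```

Usable reflects only the EKU rule; BitLocker additionally needs the private key on the card and a certificate that has not expired, so check the HasPrivateKey and NotAfter columns before issuing cards for this purpose.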

By completing the procedures in this scenario, you have specified which methods users can use to unlock BitLocker-protected drives. These policies are enforced when BitLocker is turned on for a drive or when an unlock method is added or changed; drives that were already BitLocker-protected before the policy was applied keep the unlock methods they had.