Implement general Bitlocker configuration capability #51

Open
fullenw1 opened this issue Sep 22, 2019 · 3 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@fullenw1

Description

Currently with this module we can encrypt drives.
However, BitLocker also has a general configuration which can be set with GPO under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption or with registry values under the HKLM:\SOFTWARE\Policies\Microsoft\FVE key.

According to the official document Group Policy Settings Reference Spreadsheet Windows 1809, below are the values which can be implemented.

Registry value data

Unfortunately I could not find an official Microsoft document describing the type (String, DWord, ...) and the data for each registry value.

However, I already gathered the information from here:
https://getadmx.com/HKLM/SOFTWARE/Policies/Microsoft/FVE

Proposed properties

Store BitLocker recovery information in Active Directory Domain Services

HKLM\Software\Policies\Microsoft\FVE\ActiveDirectoryBackup
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\RequireActiveDirectoryBackup
Dword 0|1 False|True

HKLM\Software\Policies\Microsoft\FVE\ActiveDirectoryInfoToStore
Dword 1|2 Recovery passwords and key packages|Recovery passwords only

Choose how users can recover BitLocker-protected drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseRecoveryPassword
Dword 0|1 Do not allow recovery password|Require recovery password

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseRecoveryDrive
Dword 0|1 Do not allow recovery key|Require recovery key

Choose default folder for recovery password

HKLM\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath
ExpandString
Specify a fully qualified path or include the computer's environment variables in the path.
For example, enter "\\server\backupfolder", or "%SecureDriveEnvironmentVariable%\backupfolder"

Choose drive encryption method and cipher strength

HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod
DWord 1|2|3|4 AES 128-bit with Diffuser|AES 256-bit with Diffuser|AES 128-bit|AES 256-bit

Choose drive encryption method and cipher strength

HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodNoDiffuser
DWord 3|4 AES 128-bit|AES 256-bit

Choose drive encryption method and cipher strength

HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs
DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit

HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsFdv
DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit

HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsRdv
DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit

Prevent memory overwrite on restart

HKLM\Software\Policies\Microsoft\FVE\MorBehavior
Dword 0|1 Disabled|Enabled

Disable new DMA devices when this computer is locked

HKLM\Software\Policies\Microsoft\FVE\DisableExternalDMAUnderLock
Dword 0|1 Disabled|Enabled

Configure pre-boot recovery message and URL

HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyMessageSource
DWord 0|1|2|3 Disabled|Use default recovery message and URL|Use custom recovery message|Use custom recovery URL

HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyMessage
String

HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyUrl
String

Allow enhanced PINs for startup

HKLM\Software\Policies\Microsoft\FVE\UseEnhancedPin
Dword 0|1 Disabled|Enabled

Configure use of passwords for operating system drives

HKLM\Software\Policies\Microsoft\FVE\OSPassphrase
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\OSPassphraseComplexity
DWord 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity

HKLM\Software\Policies\Microsoft\FVE\OSPassphraseLength
DWord 8-255 Min 8|Max 255

HKLM\Software\Policies\Microsoft\FVE\OSPassphraseASCIIOnly
Dword 0|1 False|True

Reset platform validation data after BitLocker recovery

HKLM\Software\Policies\Microsoft\FVE\TPMAutoReseal
Dword 0|1 Disabled|Enabled

Disallow standard users from changing the PIN or password

HKLM\Software\Policies\Microsoft\FVE\DisallowStandardUserPINReset
Dword 0|1 Disabled|Enabled

Provide the unique identifiers for your organization

HKLM\Software\Policies\Microsoft\FVE\IdentificationField
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\IdentificationFieldString
String

HKLM\Software\Policies\Microsoft\FVE\SecondaryIdentificationField
String

Validate smart card certificate usage rule compliance

HKLM\Software\Policies\Microsoft\FVE\CertificateOID
String

Use enhanced Boot Configuration Data validation profile

HKLM\Software\Policies\Microsoft\FVE\OSUseEnhancedBcdProfile
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalSecurityCriticalSettings
MultiString

HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalExcludedSettings
MultiString

Choose how BitLocker-protected operating system drives can be recovered

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecovery
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSManageDRA
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryPassword
DWord 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryKey
DWord 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHideRecoveryPage
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRequireActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryInfoToStore
DWord 1|2 Store recovery passwords and key packages|Store recovery passwords only

Enforce drive encryption type on operating system drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEncryptionType
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEncryptionType
Dword 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption

Require additional authentication at startup

HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey
Dword 0|1|2 Do not allow startup key with TPM|Require startup key with TPM|Allow startup key with TPM

HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN
Dword 0|1|2 Do not allow startup PIN with TPM|Require startup PIN with TPM|Allow startup PIN with TPM

Require additional authentication at startup

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey
Dword 0|1|2 Do not allow startup key with TPM|Require startup key with TPM|Allow startup key with TPM

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN
Dword 0|1|2 Do not allow startup PIN with TPM|Require startup PIN with TPM|Allow startup PIN with TPM

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN
Dword 0|1|2 Do not allow startup key and PIN with TPM|Require startup key and PIN with TPM|Allow startup key and PIN with TPM

HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPM
Dword 0|1|2 Do not allow TPM|Require TPM|Allow TPM

Allow network unlock at startup

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSManageNKP
Dword 0|1 Disabled|Enabled

Configure TPM platform validation profile

HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\0
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\1
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\2
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\3
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\4
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\5
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\6
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\7
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\8
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\9
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\10
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\11
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\12
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\13
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\14
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\15
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\16
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\17
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\18
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\19
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\20
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\21
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\22
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\23

Configure TPM platform validation profile for BIOS-based firmware configurations

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\0
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\1
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\2
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\3
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\4
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\5
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\6
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\7
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\8
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\9
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\10
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\11
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\12
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\13
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\14
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\15
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\16
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\17
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\18
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\19
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\20
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\21
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\22
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\23

Configure TPM platform validation profile for native UEFI firmware configurations

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\0
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\1
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\2
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\3
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\4
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\5
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\6
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\7
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\8
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\9
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\10
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\11
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\12
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\13
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\14
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\15
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\16
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\17
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\18
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\19
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\20
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\21
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\22
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\23

Configure minimum PIN length for startup

HKLM\Software\Policies\Microsoft\FVE\MinimumPIN
DWord 4-20 Min 4|Max 20

Configure use of hardware-based encryption for operating system drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHardwareEncryption
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSAllowSoftwareEncryptionFailover
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRestrictHardwareEncryptionAlgorithms
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSAllowedHardwareEncryptionAlgorithms
ExpandString

Enable use of BitLocker authentication requiring preboot keyboard input on slates

HKLM\Software\Policies\Microsoft\FVE\OSEnablePrebootInputProtectorsOnSlates
Dword 0|1 Disabled|Enabled

Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.

HKLM\Software\Policies\Microsoft\FVE\OSEnablePreBootPinExceptionOnDECapableDevice
Dword 0|1 Disabled|Enabled

Allow Secure Boot for integrity validation

HKLM\Software\Policies\Microsoft\FVE\OSAllowSecureBootForIntegrity
Dword 0|1 Disabled|Enabled

Choose how BitLocker-protected fixed drives can be recovered

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecovery
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryPassword
Dword 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryKey
Dword 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVManageDRA
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVHideRecoveryPage
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore
Dword 1|2 Backup recovery passwords and key packages|Backup recovery passwords only

Configure use of passwords for fixed data drives

HKLM\Software\Policies\Microsoft\FVE\FDVPassphrase
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\FDVEnforcePassphrase
Dword 0|1 False|True

HKLM\Software\Policies\Microsoft\FVE\FDVPassphraseComplexity
Dword 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity

HKLM\Software\Policies\Microsoft\FVE\FDVPassphraseLength
DWord 8-99 Min 8|Max 99

Deny write access to fixed drives not protected by BitLocker

HKLM\System\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess
Dword 0|1 Disabled|Enabled

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

HKLM\Software\Policies\Microsoft\FVE\FDVDiscoveryVolumeType
String |FAT32 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\FDVNoBitLockerToGoReader
Dword 0|1 False|True

Configure use of smart cards on fixed data drives

HKLM\Software\Policies\Microsoft\FVE\FDVAllowUserCert
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\FDVEnforceUserCert
Dword 0|1 False|True

Enforce drive encryption type on fixed data drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVEncryptionType
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVEncryptionType
DWord 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption

Configure use of hardware-based encryption for fixed data drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVHardwareEncryption
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVAllowSoftwareEncryptionFailover
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRestrictHardwareEncryptionAlgorithms
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVAllowedHardwareEncryptionAlgorithms
ExpandString

Choose how BitLocker-protected removable drives can be recovered

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecovery
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryPassword
DWord 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryKey
DWord 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVManageDRA
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVHideRecoveryPage
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRequireActiveDirectoryBackup
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryInfoToStore
Dword 1|2 Backup recovery passwords and key packages|Backup recovery passwords only

Control use of BitLocker on removable drives

HKLM\Software\Policies\Microsoft\FVE\RDVConfigureBDE
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\RDVAllowBDE
Dword 0|1 False|True

HKLM\Software\Policies\Microsoft\FVE\RDVDisableBDE
Dword 0|1 False|True

Configure use of passwords for removable data drives

HKLM\Software\Policies\Microsoft\FVE\RDVPassphrase
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\RDVEnforcePassphrase
Dword 0|1 False|True

HKLM\Software\Policies\Microsoft\FVE\RDVPassphraseComplexity
DWord 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity

HKLM\Software\Policies\Microsoft\FVE\RDVPassphraseLength
DWord 8-99 Min 8|Max 99

Deny write access to removable drives not protected by BitLocker

HKLM\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess
Dword 0|1 False|True

HKLM\Software\Policies\Microsoft\FVE\RDVDenyCrossOrg
Dword 0|1 False|True

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

HKLM\Software\Policies\Microsoft\FVE\RDVDiscoveryVolumeType
String |FAT32 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\RDVNoBitLockerToGoReader
Dword 0|1 False|True

Configure use of smart cards on removable data drives

HKLM\Software\Policies\Microsoft\FVE\RDVAllowUserCert
Dword 0|1 Disabled|Enabled

HKLM\Software\Policies\Microsoft\FVE\RDVEnforceUserCert
Dword 0|1 False|True

Enforce drive encryption type on removable data drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVEncryptionType
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVEncryptionType
DWord 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption

Configure use of hardware-based encryption for removable data drives

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVHardwareEncryption
Dword 0|1 Disabled|Enabled

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowSoftwareEncryptionFailover
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRestrictHardwareEncryptionAlgorithms
Dword 0|1 False|True

HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowedHardwareEncryptionAlgorithms
ExpandString
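The PowerShell audit below is an added example; it is not code from this issue or from the xBitlocker module. It takes a subset of the values listed above, with the registry kind and the meaning of each data value exactly as the list gives them, reads the live policy key and reports every value as missing, of the wrong kind, out of range, or different from the data the audit wants. The `Want` and `AtLeast` data (XTS-AES 256, TPM plus a startup PIN of at least 6 digits, recovery password required and backed up to AD DS, DMA blocked under lock) are this example's own hardening choices, not something the issue prescribes.

```powershell
# Added example (not part of this issue or of the xBitlocker module).
# Audits the BitLocker policy key against a subset of the values listed above,
# using the registry kinds and data meanings from that list. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Name, expected registry kind, data the list says is valid, and the data this
# audit wants. 'Want' / 'AtLeast' are this example's hardening choices.
$Spec = @(
    @{ Name = 'EncryptionMethodWithXtsOs';    Kind = 'DWord';  Allowed = 3, 4, 6, 7; Want = 7 }  # 7 = XTS-AES 256-bit
    @{ Name = 'EncryptionMethodWithXtsFdv';   Kind = 'DWord';  Allowed = 3, 4, 6, 7; Want = 7 }
    @{ Name = 'UseAdvancedStartup';           Kind = 'DWord';  Allowed = 0, 1;       Want = 1 }
    @{ Name = 'EnableBDEWithNoTPM';           Kind = 'DWord';  Allowed = 0, 1;       Want = 0 }
    @{ Name = 'UseTPM';                       Kind = 'DWord';  Allowed = 0, 1, 2;    Want = 0 }  # 0 = do not allow TPM-only
    @{ Name = 'UseTPMPIN';                    Kind = 'DWord';  Allowed = 0, 1, 2;    Want = 1 }  # 1 = require startup PIN with TPM
    @{ Name = 'MinimumPIN';                   Kind = 'DWord';  Allowed = 4..20;      AtLeast = 6 }
    @{ Name = 'ActiveDirectoryBackup';        Kind = 'DWord';  Allowed = 0, 1;       Want = 1 }
    @{ Name = 'RequireActiveDirectoryBackup'; Kind = 'DWord';  Allowed = 0, 1;       Want = 1 }
    @{ Name = 'OSRecoveryPassword';           Kind = 'DWord';  Allowed = 0, 1, 2;    Want = 1 }  # 1 = require 48-digit recovery password
    @{ Name = 'DisableExternalDMAUnderLock';  Kind = 'DWord';  Allowed = 0, 1;       Want = 1 }
    @{ Name = 'RecoveryKeyMessageSource';     Kind = 'DWord';  Allowed = 0, 1, 2, 3; Want = 2 }  # 2 = use custom recovery message
    @{ Name = 'RecoveryKeyMessage';           Kind = 'String' }                                  # presence and kind only
)

function Test-FvePolicy {
    param(
        [string]$Path = $PolicyKey,
        [hashtable[]]$Settings = $Spec
    )
    # Get-Item on a registry path returns a RegistryKey, which exposes the value kind
    # (DWord / String / ExpandString / MultiString) that the issue could not find documented.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    foreach ($s in $Settings) {
        $r = [ordered]@{ Name = $s.Name; Kind = $null; Data = $null; Status = 'Missing (Not Configured)' }
        if ($null -ne $key -and ($key.GetValueNames() -contains $s.Name)) {
            $r.Kind = $key.GetValueKind($s.Name).ToString()
            $r.Data = $key.GetValue($s.Name)
            if ($r.Kind -ne $s.Kind) {
                $r.Status = "WrongKind (expected $($s.Kind))"
            } elseif ($s.ContainsKey('Allowed') -and ($r.Data -notin $s.Allowed)) {
                $r.Status = 'OutOfRange'
            } elseif ($s.ContainsKey('AtLeast') -and ($r.Data -lt $s.AtLeast)) {
                $r.Status = "BelowMinimum (want >= $($s.AtLeast))"
            } elseif ($s.ContainsKey('Want') -and ($r.Data -ne $s.Want)) {
                $r.Status = "Mismatch (want $($s.Want))"
            } else {
                $r.Status = 'OK'
            }
        }
        [pscustomobject]$r
    }
}

$report = Test-FvePolicy
$report | Format-Table -AutoSize
# Non-zero exit when anything other than OK was found, so a compliance job can fail on it.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Two caveats when reading the report: a value reported as Missing means the policy is Not Configured, so BitLocker uses its built-in default for that setting rather than the value 0 from the list; and the two DenyWriteAccess values sit under HKLM\System\CurrentControlSet\Policies\Microsoft\FVE, as the list shows, so checking them needs a second call with that path rather than the SOFTWARE key.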

@mhendric
Contributor

Hi @fullenw1 , thanks for the big contribution here. I did want to get your take though on why someone might want to configure these through the Bitlocker resource rather than using GPO, or Registry DSC resources? Specifically with the latter, I'm thinking that if you already know you need to use one or more of these registry keys, then you would probably be comfortable using a straight-up Registry resource too.
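The Registry-resource route mentioned in the comment above, written out as an added example rather than code from the xBitlocker module or from anyone in this thread. It assumes the Registry resource from PSDesiredStateConfiguration (its `ValueType` spelling `Dword`, and keys written as `HKEY_LOCAL_MACHINE\...`), takes the value names, types and data meanings from the list in the issue, and picks the data as this example's own baseline: XTS-AES 256 for OS and fixed drives, AES-CBC 256 for removable drives, TPM plus a startup PIN of at least 6 digits with TPM-only and startup-key protectors not allowed, a 48-digit recovery password required and escrowed to AD DS with the recovery key and DRA not allowed, and new DMA devices blocked while locked.

```powershell
# Added example, not the xBitlocker module's code: the same settings the issue
# lists, enforced with the plain Registry DSC resource. Data values are this
# example's baseline choices; adjust them to your own policy.
Configuration BitLockerPolicy {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $fve = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE'

    # Every value here is a DWord (per the list above), so one loop covers them.
    $dwordSettings = [ordered]@{
        EncryptionMethodWithXtsOs      = 7   # XTS-AES 256-bit
        EncryptionMethodWithXtsFdv     = 7   # XTS-AES 256-bit
        EncryptionMethodWithXtsRdv     = 4   # AES-CBC 256-bit: removable drives may be opened on systems without XTS-AES support
        UseAdvancedStartup             = 1   # "Require additional authentication at startup" enabled
        EnableBDEWithNoTPM             = 0   # no BitLocker without a TPM
        UseTPM                         = 0   # do not allow TPM-only
        UseTPMPIN                      = 1   # require startup PIN with TPM
        UseTPMKey                      = 0   # do not allow startup key with TPM
        UseTPMKeyPIN                   = 0   # do not allow startup key and PIN with TPM
        MinimumPIN                     = 6   # range 4-20
        UseEnhancedPin                 = 1
        ActiveDirectoryBackup          = 1
        RequireActiveDirectoryBackup   = 1
        ActiveDirectoryInfoToStore     = 1   # recovery passwords and key packages
        OSRecovery                     = 1
        OSRecoveryPassword             = 1   # require 48-digit recovery password
        OSRecoveryKey                  = 0   # do not allow 256-bit recovery key
        OSManageDRA                    = 0   # no data recovery agent
        OSHideRecoveryPage             = 1
        OSActiveDirectoryBackup        = 1
        OSRequireActiveDirectoryBackup = 1
        OSActiveDirectoryInfoToStore   = 1
        DisableExternalDMAUnderLock    = 1
    }

    Node $NodeName {
        foreach ($name in $dwordSettings.Keys) {
            Registry "FVE_$name" {
                Key       = $fve
                ValueName = $name
                ValueType = 'Dword'
                ValueData = [string]$dwordSettings[$name]
                Ensure    = 'Present'
                Force     = $true
            }
        }

        # Per the list in the issue, the deny-write setting lives under the SYSTEM hive, not SOFTWARE.
        Registry 'FVE_RDVDenyWriteAccess' {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
            ValueName = 'RDVDenyWriteAccess'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

BitLockerPolicy -OutputPath .\BitLockerPolicy
Start-DscConfiguration -Path .\BitLockerPolicy -Wait -Verbose
```

Two things to keep in mind when applying it: these policy values constrain which protectors can be added from now on (for example, Enable-BitLocker on the OS drive will refuse a TPM-only protector), they do not rewrite protectors on drives that are already encrypted; and a GPO that sets the same values will overwrite what DSC wrote at the next policy refresh, which is exactly the mixed GPO/DSC troubleshooting problem the thread goes on to discuss.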

@fullenw1
Author

Hi Mike,

I recently had a similar discussion with Raimund... :)

I try to use one tool and one method if possible, meaning that if I configure servers with DSC, I will configure everything with it (if possible) instead of using GPO.
Using GPO and DSC together makes it more difficult to troubleshoot, especially if you use some native GPO settings, some GPO registry objects, some DSC resources and some DSC registry resources...

Ok then only DSC, but why not registry values?

  • DSC resources are easier to use. Most of the time you just have to type Get-DscResource -Syntax and it's easy to understand (enabled|disabled or true|false)
  • With registry values, you must find a document which gives you the data type (DWord, String, ExpandString, MultiString) and the meaning of the value (is it 1 or 0? What do 2 and 3 mean when they exist?).
  • When you have a look at a DSC data file, everything is organized by Module/Resource/Property (at least this is how I do it with my DSC configurations). On the other hand, when you use a lot of registry values (it takes 4 lines for each value instead of 1 line for a property), you have values for all kinds of settings and it's difficult to see what's going on (currently I am already using 33 registry values because equivalent DSC resources don't exist).

Furthermore, I thought that one day DSC would catch up with most GPO settings and we could use only DSC resources to configure servers.

However, like I said to Raimund, I am pretty new to DSC and maybe my vision of DSC is wrong...

Unfortunately, I am currently not able to write the xBitlocker resource myself. I first have to write a few custom resources myself before I can contribute to a DSC project. Thus what I provided above is my best contribution for the moment...
I completely understand if there is a problem of human resources and if there are more important priorities than adding those properties to the module. So I won't mind if you postpone or even close this issue. :-)

@mhendric
Contributor

Hi Luc,
I'm not opposed to this addition, but it definitely seems like it may be a decent amount of work (maybe not tough, but tedious) to implement all these keys, especially for something that has other ways to accomplish right now. I'll leave this as an "Enhancement" and "Help Wanted", in case someone does want to implement this. Or in case others would like to discuss too.

@mhendric mhendric added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Sep 23, 2019