10 BitLocker GPO Best Practices

BitLocker is a full-disk encryption feature included with Windows 10 Pro and Enterprise. It helps protect your data by encrypting the entire drive that Windows is installed on.

If you’re using BitLocker in your organization, you can manage it using Group Policy Objects (GPOs). In this article, we’ll share 10 best practices for using BitLocker GPOs.

1. Enable BitLocker on all drives

If you have BitLocker enabled on only some of your drives, an attacker could easily access the data on the unencrypted drives. By encrypting all drives, you make it much more difficult for an attacker to access any data on the system, even if they manage to bypass BitLocker on one drive.

Enabling BitLocker on all drives also makes it easier to manage your encryption keys. If you have multiple keys for different drives, it can be difficult to keep track of them all. With all drives encrypted with the same key, you only need to worry about managing one key.

2. Use TPM + PIN or USB Key for authentication

If an attacker has physical access to a computer, they can potentially bypass BitLocker’s drive encryption by booting from an alternate operating system or using a hardware attack tool. To mitigate this risk, you should require that users authenticate with a PIN or USB key in addition to the TPM.

This will make it much more difficult for an attacker to gain access to the encrypted data, even if they have physical access to the computer.

3. Require a startup key to unlock the OS drive

If an attacker has physical access to a computer, they can boot from an alternate operating system or live CD and bypass BitLocker entirely. By requiring a startup key, you make it much more difficult for an attacker to access the data on the drive.

The startup key can be stored on a USB drive, which can be kept with the user or in a secure location. If the USB drive is lost or stolen, the data on the drive will still be safe.

4. Configure BitLocker Network Unlock

When a computer is locked, the only way to unlock it is by entering the correct BitLocker recovery key. This can be a problem if the computer is in a remote location and no one has the key.

With BitLocker Network Unlock, you can configure a Group Policy Object (GPO) so that the computer will automatically attempt to unlock itself using a network key when it’s turned on.

To do this, you’ll need to create a new GPO and edit the “Network Unlock” settings. Then, you’ll need to add the network keys that you want the computers to use for unlocking.

You can find more information about configuring BitLocker Network Unlock in the Microsoft documentation.

5. Encrypt used disk space only

If you encrypt the entire drive, BitLocker has to decrypt and re-encrypt the entire drive any time a change is made. This process can take a long time, and if you have a lot of data, it can cause performance issues.

Encrypting used disk space only means that BitLocker only encrypts the part of the drive that contains data. This way, when changes are made, BitLocker only has to encrypt the changed data, which is much faster.

To encrypt used disk space only, open the BitLocker Drive Encryption control panel, click on “Turn On BitLocker” for the drive you want to encrypt, and select “Used disk space only (faster and best for new PCs and drives)” under “How do you want to store your recovery key?”

6. Set up automatic encryption of fixed data drives

If a computer is lost or stolen, the data on its drives is vulnerable to theft. BitLocker helps protect that data by encrypting it, making it unreadable without the proper encryption key.

By setting up automatic encryption of fixed data drives, you can help ensure that all the data on those drives is always encrypted, even if someone forgets to turn on BitLocker manually. This can help prevent data breaches and protect your organization’s sensitive information.

7. Configure BitLocker to store recovery keys in AD DS

If a user forgets their BitLocker PIN or password, the only way to recover access to their device is by using the recovery key. If the recovery keys are not stored in AD DS, then the only way to get the key is to contact the user directly, which can be time-consuming and may not even be possible if the user is unavailable.

Storing the recovery keys in AD DS means that they can be retrieved quickly and easily by the IT department, without having to rely on the user. This is a much more efficient way of managing BitLocker, and it reduces the chances of data being lost if a user forgets their PIN or password.

8. Allow users to backup their recovery key

If a user forgets their BitLocker password, the only way to recover their data is by using the recovery key. If the recovery key is not backed up, the user will lose access to their data forever.

Allowing users to backup their recovery key ensures that they can always recover their data if they forget their password. It’s a simple best practice, but it’s one that can save a lot of headaches down the road.

9. Enforce strong passwords and password complexity requirements

If an attacker has physical access to a computer, they can try to brute force the password and unlock the drive. To make it more difficult for attackers, you should enforce strong passwords that are at least 16 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. You should also enable password complexity requirements, which will prevent users from setting simple passwords such as “password” or “123456”.

10. Prevent unauthorized changes to BitLocker settings

The whole point of BitLocker is to prevent unauthorized access to data, so it stands to reason that you would want to prevent unauthorized changes to the settings that control how BitLocker works.

Unfortunately, there are a number of ways that an attacker could change the BitLocker settings without your knowledge, and if they’re able to do so, they may be able to bypass the security measures that BitLocker is designed to provide.

For this reason, it’s important to use Group Policy to lock down the BitLocker settings, and to make sure that only authorized users have the ability to change those settings.