Group Policy Management
PT-PO-WIN-C-Bitlocker Workstation Without PIN
Data collected on: 2-9-2025 09:34:12
General
Details
Domain: emea.tpg.ads
Owner: EMEA\silva.12303-adm
Created: 7-11-2019 16:00:26
Modified: 9-2-2023 14:50:20
User Revisions: 1 (AD), 1 (SYSVOL)
Computer Revisions: 28 (AD), 28 (SYSVOL)
Unique ID: {797aceec-0be9-43d0-becc-1d12a00c805a}
GPO Status: User settings disabled
Links
Location | Enforced | Link Status | Path
Clients | No | Enabled | emea.tpg.ads/PT/Systems/Clients

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
EMEA\PT-L-SEC-GPO Workstation Bitloker Without PIN
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
EMEA\Domain Admins | Edit settings, delete, modify security | No
EMEA\PT-L-SEC-Delegation Modify Group Policy Settings Access | Edit settings, delete, modify security | No
EMEA\PT-L-SEC-GPO Workstation Bitloker Without PIN | Read (from Security Filtering) | No
EMEA\silva.12303-adm | Edit settings, delete, modify security | No
NT AUTHORITY\Authenticated Users | Read | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
ROOT\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Windows Components/BitLocker Drive Encryption
Policy | Setting | Comment
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled |
Select the encryption method for operating system drives: XTS-AES 256-bit
Select the encryption method for fixed data drives: XTS-AES 256-bit
Select the encryption method for removable data drives: XTS-AES 256-bit
Policy | Setting | Comment
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) | Enabled |
Important: To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options below, you must enable backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
Configure 48-digit recovery password: Require recovery password (default)
Configure 256-bit recovery key: Require recovery key (default)
Note: If you do not allow the recovery password and require the recovery key, users cannot turn on BitLocker without saving to USB.
Policy | Setting | Comment
Provide the unique identifiers for your organization | Enabled |
BitLocker identification field: TPPT
Allowed BitLocker identification field: TPPT
Policy | Setting | Comment
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) | Enabled |
Require BitLocker backup to AD DS: Enabled
If selected, cannot turn on BitLocker if backup fails (recommended default).
If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried.
Select BitLocker recovery information to store: Recovery passwords and key packages
A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive.
A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords.
Key packages may help perform specialized recovery when the disk is damaged or corrupted.
Windows Components/BitLocker Drive Encryption/Fixed Data Drives
Policy | Setting | Comment
Choose how BitLocker-protected fixed drives can be recovered | Enabled |
Allow data recovery agent: Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save BitLocker recovery information to AD DS for fixed data drives: Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Disabled
Policy | Setting | Comment
Configure use of passwords for fixed data drives | Enabled |
Require password for fixed data drive: Disabled
Configure password complexity for fixed data drives: Allow password complexity
Minimum password length for fixed data drive: 12
Note: You must enable the "Password must meet complexity requirements" policy setting for the password complexity setting to take effect.
Policy | Setting | Comment
Deny write access to fixed drives not protected by BitLocker | Enabled |
Enforce drive encryption type on fixed data drives | Enabled |
Select the encryption type: Used Space Only encryption
Windows Components/BitLocker Drive Encryption/Operating System Drives
Policy | Setting | Comment
Allow enhanced PINs for startup | Disabled |
Allow Secure Boot for integrity validation | Enabled |
Choose how BitLocker-protected operating system drives can be recovered | Enabled |
Allow data recovery agent: Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save BitLocker recovery information to AD DS for operating system drives: Enabled
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled
Policy | Setting | Comment
Configure minimum PIN length for startup | Disabled |
Enforce drive encryption type on operating system drives | Enabled |
Select the encryption type:
Policy | Setting | Comment
Require additional authentication at startup | Disabled |
Windows Components/BitLocker Drive Encryption/Removable Data Drives
Policy | Setting | Comment
Choose how BitLocker-protected removable drives can be recovered | Enabled |
Allow data recovery agent: Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard: Disabled
Save BitLocker recovery information to AD DS for removable data drives: Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for removable data drives: Enabled
Policy | Setting | Comment
Configure use of passwords for removable data drives | Enabled |
Require password for removable data drive: Disabled
Configure password complexity for removable data drives: Allow password complexity
Minimum password length for removable data drive: 12
Note: You must enable the "Password must meet complexity requirements" policy setting for the password complexity setting to take effect.
Policy | Setting | Comment
Control use of BitLocker on removable drives | Enabled |
Allow users to apply BitLocker protection on removable data drives: Enabled
Allow users to suspend and decrypt BitLocker protection on removable data drives: Enabled
Preferences
Windows Settings
Files
File (Target Path: C:\Bin\BitLockerScriptV001.ps1)
BitLockerScriptV001.ps1 (Order: 1)
General
Action: Delete
Properties
Destination file: C:\Bin\BitLockerScriptV001.ps1
Suppress errors on individual file actions: Disabled
Attributes
Read-only: Disabled
Hidden: Disabled
Archive: Enabled
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
Control Panel Settings
Scheduled Tasks
Scheduled Task (At least Windows 7) (Name: Bitlocker)
Bitlocker (Order: 1)
General
Action: Delete
Task
Name: Bitlocker
Author: EMEA\rodrigues.1104-adm
Description:
Run only when user is logged on: InteractiveToken
UserId: NT AUTHORITY\System
Run with highest privileges: HighestAvailable
Hidden: No
Configure for: 1.3
Enabled: Yes
Actions
1. Start a program
Program/script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy Bypass -File "C:\Bin\BitLockerScriptV001.ps1"
Common
Options
Stop processing items on this extension if an error occurs on this item: No
Apply once and do not reapply: No
User Configuration (Disabled)
No settings defined.