Implement general Bitlocker configuration capability
Description
Currently with this module we can encrypt drives. However, BitLocker also has a general configuration which can be set with GPO under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption or with registry values under the HKLM:\SOFTWARE\Policies\Microsoft\FVE key.
According to the official document Group Policy Settings Reference Spreadsheet Windows 1809, below are the values which can be implemented.
Registry value data
Unfortunately I could not find an official Microsoft document describing the type (String, DWord, ...) and the data for each registry value.
However, I already gathered the information from here: https://getadmx.com/HKLM/SOFTWARE/Policies/Microsoft/FVE
Proposed properties
Store BitLocker recovery information in Active Directory Domain Services
HKLM\Software\Policies\Microsoft\FVE\ActiveDirectoryBackup Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\RequireActiveDirectoryBackup Dword 0|1 False|True
HKLM\Software\Policies\Microsoft\FVE\ActiveDirectoryInfoToStore Dword 1|2 Recovery passwords and key packages|Recovery passwords only
Choose how users can recover BitLocker-protected drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseRecoveryPassword Dword 0|1 Do not allow recovery password|Require recovery password
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseRecoveryDrive Dword 0|1 Do not allow recovery key|Require recovery key
Choose default folder for recovery password
HKLM\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath ExpandString Specify a fully qualified path or include the computer's environment variables in the path. For example, enter "\server\backupfolder", or "%SecureDriveEnvironmentVariable%\backupfolder"
Choose drive encryption method and cipher strength
HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod DWord 1|2|3|4 AES 128-bit with Diffuser|AES 256-bit with Diffuser|AES 128-bit|AES 256-bit
Choose drive encryption method and cipher strength
HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodNoDiffuser DWord 3|4 AES 128-bit|AES 256-bit
Choose drive encryption method and cipher strength
HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit
HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsFdv DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit
HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsRdv DWord 3|4|6|7 AES-CBC 128-bit|AES-CBC 256-bit|XTS-AES 128-bit|XTS-AES 256-bit
Prevent memory overwrite on restart
HKLM\Software\Policies\Microsoft\FVE\MorBehavior Dword 0|1 Disabled|Enabled
Disable new DMA devices when this computer is locked
HKLM\Software\Policies\Microsoft\FVE\DisableExternalDMAUnderLock Dword 0|1 Disabled|Enabled
Configure pre-boot recovery message and URL
HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyMessageSource DWord 0|1|2|3 Disabled|Use default recovery message and URL|Use custom recovery message|Use custom recovery URL
HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyMessage String
HKLM\Software\Policies\Microsoft\FVE\RecoveryKeyUrl String
Allow enhanced PINs for startup
HKLM\Software\Policies\Microsoft\FVE\UseEnhancedPin Dword 0|1 Disabled|Enabled
Configure use of passwords for operating system drives
HKLM\Software\Policies\Microsoft\FVE\OSPassphrase Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\OSPassphraseComplexity DWord 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity
HKLM\Software\Policies\Microsoft\FVE\OSPassphraseLength DWord 8-255 Min 8|Max 255
HKLM\Software\Policies\Microsoft\FVE\OSPassphraseASCIIOnly Dword 0|1 False|True
Reset platform validation data after BitLocker recovery
HKLM\Software\Policies\Microsoft\FVE\TPMAutoReseal Dword 0|1 Disabled|Enabled
Disallow standard users from changing the PIN or password
HKLM\Software\Policies\Microsoft\FVE\DisallowStandardUserPINReset Dword 0|1 Disabled|Enabled
Provide the unique identifiers for your organization
HKLM\Software\Policies\Microsoft\FVE\IdentificationField Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\IdentificationFieldString String
HKLM\Software\Policies\Microsoft\FVE\SecondaryIdentificationField String
Validate smart card certificate usage rule compliance
HKLM\Software\Policies\Microsoft\FVE\CertificateOID String
Use enhanced Boot Configuration Data validation profile
HKLM\Software\Policies\Microsoft\FVE\OSUseEnhancedBcdProfile Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalSecurityCriticalSettings MultiString
HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalExcludedSettings MultiString
Choose how BitLocker-protected operating system drives can be recovered
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecovery Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSManageDRA Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryPassword DWord 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryKey DWord 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHideRecoveryPage Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRequireActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryInfoToStore DWord 1|2 Store recovery passwords and key packages|Store recovery passwords only
Enforce drive encryption type on operating system drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEncryptionType Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEncryptionType Dword 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption
Require additional authentication at startup
HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey Dword 0|1|2 Do not allow startup key with TPM|Require startup key with TPM|Allow startup key with TPM
HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN Dword 0|1|2 Do not allow startup PIN with TPM|Require startup PIN with TPM|Allow startup PIN with TPM
Require additional authentication at startup
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey Dword 0|1|2 Do not allow startup key with TPM|Require startup key with TPM|Allow startup key with TPM
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN Dword 0|1|2 Do not allow startup PIN with TPM|Require startup PIN with TPM|Allow startup PIN with TPM
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN Dword 0|1|2 Do not allow startup key and PIN with TPM|Require startup key and PIN with TPM|Allow startup key and PIN with TPM
HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPM Dword 0|1|2 Do not allow TPM|Require TPM|Allow TPM
Allow network unlock at startup
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSManageNKP Dword 0|1 Disabled|Enabled
Configure TPM platform validation profile
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\0 through HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\23 (24 values named 0 to 23)
Configure TPM platform validation profile for BIOS-based firmware configurations
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\0 through HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\23 (24 values named 0 to 23)
Configure TPM platform validation profile for native UEFI firmware configurations
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\0 through HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI\23 (24 values named 0 to 23)
Configure minimum PIN length for startup
HKLM\Software\Policies\Microsoft\FVE\MinimumPIN DWord 4-20 Min 4|Max 20
Configure use of hardware-based encryption for operating system drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHardwareEncryption Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSAllowSoftwareEncryptionFailover Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSRestrictHardwareEncryptionAlgorithms Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSAllowedHardwareEncryptionAlgorithms ExpandString
Enable use of BitLocker authentication requiring preboot keyboard input on slates
HKLM\Software\Policies\Microsoft\FVE\OSEnablePrebootInputProtectorsOnSlates Dword 0|1 Disabled|Enabled
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
HKLM\Software\Policies\Microsoft\FVE\OSEnablePreBootPinExceptionOnDECapableDevice Dword 0|1 Disabled|Enabled
Allow Secure Boot for integrity validation
HKLM\Software\Policies\Microsoft\FVE\OSAllowSecureBootForIntegrity Dword 0|1 Disabled|Enabled
Choose how BitLocker-protected fixed drives can be recovered
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecovery Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryPassword Dword 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryKey Dword 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVManageDRA Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVHideRecoveryPage Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore Dword 1|2 Backup recovery passwords and key packages|Backup recovery passwords only
Configure use of passwords for fixed data drives
HKLM\Software\Policies\Microsoft\FVE\FDVPassphrase Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\FDVEnforcePassphrase Dword 0|1 False|True
HKLM\Software\Policies\Microsoft\FVE\FDVPassphraseComplexity Dword 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity
HKLM\Software\Policies\Microsoft\FVE\FDVPassphraseLength DWord 8-99 Min 8|Max 99
Deny write access to fixed drives not protected by BitLocker
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess Dword 0|1 Disabled|Enabled
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
HKLM\Software\Policies\Microsoft\FVE\FDVDiscoveryVolumeType String <Null>|FAT32 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\FDVNoBitLockerToGoReader Dword 0|1 False|True
Configure use of smart cards on fixed data drives
HKLM\Software\Policies\Microsoft\FVE\FDVAllowUserCert Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\FDVEnforceUserCert Dword 0|1 False|True
Enforce drive encryption type on fixed data drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVEncryptionType Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVEncryptionType DWord 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption
Configure use of hardware-based encryption for fixed data drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVHardwareEncryption Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVAllowSoftwareEncryptionFailover Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRestrictHardwareEncryptionAlgorithms Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVAllowedHardwareEncryptionAlgorithms ExpandString
Choose how BitLocker-protected removable drives can be recovered
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecovery Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryPassword DWord 0|1|2 Do not allow 48-digit recovery password|Require 48-digit recovery password|Allow 48-digit recovery password
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryKey DWord 0|1|2 Do not allow 256-bit recovery key|Require 256-bit recovery key|Allow 256-bit recovery key
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVManageDRA Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVHideRecoveryPage Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRequireActiveDirectoryBackup Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryInfoToStore Dword 1|2 Backup recovery passwords and key packages|Backup recovery passwords only
Control use of BitLocker on removable drives
HKLM\Software\Policies\Microsoft\FVE\RDVConfigureBDE Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\RDVAllowBDE Dword 0|1 False|True
HKLM\Software\Policies\Microsoft\FVE\RDVDisableBDE Dword 0|1 False|True
Configure use of passwords for removable data drives
HKLM\Software\Policies\Microsoft\FVE\RDVPassphrase Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\RDVEnforcePassphrase Dword 0|1 False|True
HKLM\Software\Policies\Microsoft\FVE\RDVPassphraseComplexity DWord 0|1|2 Do not allow password complexity|Require password complexity|Allow password complexity
HKLM\Software\Policies\Microsoft\FVE\RDVPassphraseLength DWord 8-99 Min 8|Max 99
Deny write access to removable drives not protected by BitLocker
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess Dword 0|1 False|True
HKLM\Software\Policies\Microsoft\FVE\RDVDenyCrossOrg Dword 0|1 False|True
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
HKLM\Software\Policies\Microsoft\FVE\RDVDiscoveryVolumeType String <Null>|FAT32 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\RDVNoBitLockerToGoReader Dword 0|1 False|True
Configure use of smart cards on removable data drives
HKLM\Software\Policies\Microsoft\FVE\RDVAllowUserCert Dword 0|1 Disabled|Enabled
HKLM\Software\Policies\Microsoft\FVE\RDVEnforceUserCert Dword 0|1 False|True
Enforce drive encryption type on removable data drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVEncryptionType Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVEncryptionType DWord 0|1|2 Allow user to choose|Full encryption|Used Space Only encryption
Configure use of hardware-based encryption for removable data drives
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVHardwareEncryption Dword 0|1 Disabled|Enabled
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowSoftwareEncryptionFailover Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRestrictHardwareEncryptionAlgorithms Dword 0|1 False|True
HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowedHardwareEncryptionAlgorithms ExpandString
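For readers who want to apply a subset of the values above today, here is an added example (not part of the xBitlocker module or this issue's proposal) that enforces them with the built-in Registry resource from PSDesiredStateConfiguration. The value names, types and meanings are taken from the table in this issue; the particular numbers chosen (XTS-AES 256, TPM plus PIN required, recovery password required and backed up to AD before encryption starts, DMA blocked while locked) are this example's own baseline, and the recovery URL is a placeholder.

```powershell
# Added example: enforce a BitLocker policy baseline with the DSC Registry resource.
# Not part of xBitlocker. Value names/meanings come from the issue table above;
# the chosen data values are this example's own baseline, not a Microsoft default.
Configuration BitLockerPolicyBaseline
{
    param (
        [string[]] $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Policy key (Registry resource wants the long hive name, not the HKLM: drive)
    $FveKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE'

    # One entry per DWord value. ValueData is a string because the Registry
    # resource declares it as string[]; the meaning in the comment is from the table.
    $DwordSettings = @(
        # Choose drive encryption method and cipher strength: 7 = XTS-AES 256-bit
        @{ Name = 'EncryptionMethodWithXtsOs';  Data = '7' },
        @{ Name = 'EncryptionMethodWithXtsFdv'; Data = '7' },
        @{ Name = 'EncryptionMethodWithXtsRdv'; Data = '7' },
        # Require additional authentication at startup:
        # policy Enabled, no BitLocker without TPM, TPM-only not allowed, TPM+PIN required
        @{ Name = 'UseAdvancedStartup'; Data = '1' },   # 1 = Enabled
        @{ Name = 'EnableBDEWithNoTPM'; Data = '0' },   # 0 = Disabled
        @{ Name = 'UseTPM';             Data = '0' },   # 0 = Do not allow TPM (alone)
        @{ Name = 'UseTPMPIN';          Data = '1' },   # 1 = Require startup PIN with TPM
        @{ Name = 'UseTPMKey';          Data = '0' },   # 0 = Do not allow startup key with TPM
        @{ Name = 'UseTPMKeyPIN';       Data = '0' },   # 0 = Do not allow startup key and PIN with TPM
        # Configure minimum PIN length for startup (range 4-20) and allow enhanced PINs
        @{ Name = 'MinimumPIN';     Data = '8' },
        @{ Name = 'UseEnhancedPin'; Data = '1' },
        # Choose how BitLocker-protected operating system drives can be recovered
        @{ Name = 'OSRecovery';                     Data = '1' },   # 1 = Enabled
        @{ Name = 'OSRecoveryPassword';             Data = '1' },   # 1 = Require 48-digit recovery password
        @{ Name = 'OSActiveDirectoryBackup';        Data = '1' },   # 1 = True
        @{ Name = 'OSRequireActiveDirectoryBackup'; Data = '1' },   # 1 = True (backup must succeed first)
        # Disable new DMA devices when this computer is locked
        @{ Name = 'DisableExternalDMAUnderLock';    Data = '1' },   # 1 = Enabled
        # Configure pre-boot recovery message and URL: 3 = Use custom recovery URL
        @{ Name = 'RecoveryKeyMessageSource';       Data = '3' }
    )

    Node $NodeName
    {
        foreach ($setting in $DwordSettings) {
            Registry "FVE_$($setting.Name)" {
                Key       = $FveKey
                ValueName = $setting.Name
                ValueType = 'Dword'
                ValueData = $setting.Data
                Ensure    = 'Present'
                Force     = $true
            }
        }

        # String value that goes with RecoveryKeyMessageSource = 3 (placeholder URL)
        Registry 'FVE_RecoveryKeyUrl' {
            Key       = $FveKey
            ValueName = 'RecoveryKeyUrl'
            ValueType = 'String'
            ValueData = 'https://helpdesk.example.invalid/bitlocker-recovery'
            Ensure    = 'Present'
            Force     = $true
        }
    }
}

# Compile the MOF; apply it with Start-DscConfiguration when ready.
BitLockerPolicyBaseline -OutputPath .\BitLockerPolicyBaseline
# Start-DscConfiguration -Path .\BitLockerPolicyBaseline -Wait -Verbose
```

The loop is what keeps this manageable: each policy value is still a four-line Registry resource in the compiled MOF, but the configuration source reads as one line per setting with its meaning beside it, which is close to the property-per-setting style this issue is asking for. Values under HKLM\System\CurrentControlSet\Policies\Microsoft\FVE (the two DenyWriteAccess values) would need a second Key and are deliberately not included here.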
Hi @fullenw1, thanks for the big contribution here. I did want to get your take though on why someone might want to configure these through the Bitlocker resource rather than using GPO, or Registry DSC resources? Specifically with the latter, I'm thinking that if you already know you need to use one or more of these registry keys, then you would probably be comfortable using a straight up Registry resource too.
Hi Mike,
I recently had a similar discussion with Raimund... :)
I try to use one tool and one method if possible, meaning if I configure servers with DSC, I will configure everything with it (if possible) instead of using GPO. Using GPO and DSC makes it more difficult to troubleshoot, especially if you use some native GPO, some GPO registry objects, some DSC resources and some DSC registry resources...
Ok then only DSC, but why not registry values?
- DSC resources are easier to use. Most of the time you just have to type Get-DscResource -Syntax and it's easy to understand (enabled|disabled or true|false)
- With registry values, you must find a document which gives you the data type (DWord, String, ExpandString, MultiString) and the meaning of the value (is it 1 or 0? What do 2 and 3 mean when they exist?).
- When you have a look at a DSC data file, everything is organized by Module/Resource/Property (at least this is how I do it with my DSC configurations). On the other hand, when you use a lot of registry values (it takes 4 lines for each value instead of 1 line for a property), you have values for all kinds of settings and it's difficult to see what's going on (currently I am already using 33 registry values because equivalent DSC resources don't exist).
Furthermore, I thought that one day DSC would catch up with most of the GPO settings and we could use only DSC resources to configure servers.
However, like I said to Raimund, I am pretty new to DSC and maybe my vision of DSC is wrong...
Unfortunately, I am currently not able to write the xBitlocker resource myself. I first have to write a few custom resources myself before I can contribute to a DSC project. Thus what I provided above is my best contribution for the moment... I completely understand if there is a problem of human resources and if there are more important priorities than adding those properties to the module. So I won't mind if you postpone or even close this issue. :-)
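The point above about raw registry values being hard to read (is it 1 or 0, what do 2 and 3 mean) is also why auditing them is tedious. As an added example that is neither part of xBitlocker nor of this discussion, the script below reads the FVE policy key, decodes a handful of the DWord values into the meanings transcribed from the table in this issue, and reports drift from an expected baseline. It is read-only, so it can be run before and after a GPO or DSC change; the baseline values are this example's own choice, and the meaning tables cover only the values it checks.

```powershell
# Added example: decode BitLocker policy registry values and report drift from a baseline.
# Not part of xBitlocker. Meanings are transcribed from the table in this issue.
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value name -> @{ data = meaning } for the DWord values this audit understands
$FveMeanings = @{
    EncryptionMethodWithXtsOs      = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
    EncryptionMethodWithXtsFdv     = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
    UseAdvancedStartup             = @{ 0 = 'Disabled'; 1 = 'Enabled' }
    EnableBDEWithNoTPM             = @{ 0 = 'Disabled'; 1 = 'Enabled' }
    UseTPM                         = @{ 0 = 'Do not allow TPM'; 1 = 'Require TPM'; 2 = 'Allow TPM' }
    UseTPMPIN                      = @{ 0 = 'Do not allow startup PIN with TPM'; 1 = 'Require startup PIN with TPM'; 2 = 'Allow startup PIN with TPM' }
    OSRecoveryPassword             = @{ 0 = 'Do not allow 48-digit recovery password'; 1 = 'Require 48-digit recovery password'; 2 = 'Allow 48-digit recovery password' }
    OSRequireActiveDirectoryBackup = @{ 0 = 'False'; 1 = 'True' }
    DisableExternalDMAUnderLock    = @{ 0 = 'Disabled'; 1 = 'Enabled' }
}

function Get-FvePolicyState {
    # Returns one object per known value: raw data plus its decoded meaning
    param ([string] $Path = $FvePolicyPath)

    # Absent key means no BitLocker policy is configured on this machine at all
    $item = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    foreach ($name in ($FveMeanings.Keys | Sort-Object)) {
        $raw = $null
        if ($null -ne $item) {
            $prop = $item.PSObject.Properties[$name]
            if ($null -ne $prop) { $raw = $prop.Value }
        }
        $meaning = if ($null -eq $raw) { 'Not configured' }
                   elseif ($FveMeanings[$name].ContainsKey([int]$raw)) { $FveMeanings[$name][[int]$raw] }
                   else { "Unknown value $raw" }   # outside the documented enumeration
        [pscustomobject]@{ Name = $name; Data = $raw; Meaning = $meaning }
    }
}

function Test-FvePolicyBaseline {
    # Compares the live values with $Expected (name -> DWord data) and flags drift
    param (
        [Parameter(Mandatory)] [hashtable] $Expected,
        [string] $Path = $FvePolicyPath
    )
    $state = @{}
    foreach ($entry in (Get-FvePolicyState -Path $Path)) { $state[$entry.Name] = $entry }

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $state[$name]
        $data   = if ($null -ne $actual) { $actual.Data } else { $null }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Expected[$name]
            Actual    = $data
            Meaning   = if ($null -ne $actual) { $actual.Meaning } else { 'Not audited' }
            Compliant = ($null -ne $data) -and ([int]$data -eq [int]$Expected[$name])
        }
    }
}

# This example's own baseline: XTS-AES 256 on OS and fixed drives, TPM+PIN required,
# recovery password required and backed up to AD first, DMA blocked while locked.
$Baseline = @{
    EncryptionMethodWithXtsOs      = 7
    EncryptionMethodWithXtsFdv     = 7
    UseAdvancedStartup             = 1
    EnableBDEWithNoTPM             = 0
    UseTPM                         = 0
    UseTPMPIN                      = 1
    OSRecoveryPassword             = 1
    OSRequireActiveDirectoryBackup = 1
    DisableExternalDMAUnderLock    = 1
}

$report = Test-FvePolicyBaseline -Expected $Baseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { Write-Warning 'BitLocker policy drift detected' }
```

Note that these are the policy values (what GPO or DSC asked for), not the state of the volumes; a drive already encrypted with AES-CBC keeps that method after EncryptionMethodWithXtsOs changes, so pair this check with Get-BitLockerVolume when verifying actual encryption state.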
Hi Luc, I'm not opposed to this addition, but it definitely seems like it may be a decent amount of work (maybe not tough, but tedious) to implement all these keys, especially for something that can be accomplished in other ways right now. I'll leave this as an "Enhancement" and "Help Wanted", in case someone does want to implement this. Or in case others would like to discuss too.