BitLocker group policy settings

Sophos Central defines some group policy settings automatically, so that administrators don't have to prepare computers for device encryption.

If settings have already been defined by administrators, configured values will not be overwritten.

In the Local Group Policy Editor under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, you will find the following policies:

Policy | Setting | Value set by Sophos Central | Comment
--- | --- | --- | ---
Allow network unlock at startup | | Enabled | You can allow a pre-configured BitLocker network unlock to keep working after you have enabled Central Device Encryption.
Require additional authentication at startup | Allow BitLocker without a compatible TPM | Checked | This is set for Windows 8 if no TPM is available, to allow using a password on startup to unlock the system disk.
Require additional authentication at startup | Configure TPM startup PIN | Allow startup PIN with TPM | If the Device Encryption policy setting Require startup authentication is set and the system has a TPM, then this group policy setting will allow protection of the system drive by TPM, with the user also asked for a PIN.
Allow enhanced PINs for startup | n/a | Enabled | This is set to allow using alphanumeric PINs to protect the system drive with TPM. If this can't be set, only digits are allowed.
Configure pre-boot recovery message and URL | Select an option for the pre-boot recovery message | Use default recovery message and URL | This is set to use the Sophos default message and URL.
Configure pre-boot recovery message and URL | Custom recovery message option | Don’t have your recovery key? Contact your IT Helpdesk or go to your Self Service Portal: |
Configure pre-boot recovery message and URL | Custom recovery URL option | https://sophos.com/ssp |
Configure use of hardware-based encryption for fixed data drives | n/a | Disabled | This is set to enforce software-based encryption. However, if an existing BitLocker group policy setting requires hardware-based encryption, that policy setting is not overridden.
Configure use of hardware-based encryption for operating system drives | n/a | Disabled | This is set to enforce software-based encryption. However, if an existing BitLocker group policy setting requires hardware-based encryption, that policy setting is not overridden.

  • Encryption algorithm to be used: By default, Sophos Central Device Encryption uses AES-256. There is a group policy setting that can be used to select AES-128.
  • PIN/password requirements: There are group policy settings that can be used to set a minimum PIN/password length and to require complex passwords.
  • Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set to require full data encryption, it overrides any Sophos Central policy that allows encryption of used space only.

Some group policy settings may conflict with Sophos Central so that encryption cannot be enabled. In that case, an event is sent to Sophos Central.

  • Smart card required: If a group policy requires a smart card to be used for BitLocker, this is not supported by Sophos Central and generates an error event.
  • Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set to encrypt used space only but Sophos Central policy requires full encryption, this generates an error event.

If you want to encrypt tablet devices (such as the MS Surface Pro) and use startup authentication, you need to enable the following group policy setting:

Enable use of BitLocker authentication requiring preboot keyboard input on slates

For more information, see Encryption does not start on tablet (slate) devices.
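The following PowerShell pre-flight check is an added example, not Sophos code: it reads the local BitLocker policy values behind the group policies listed above and reports the conflicts this page describes (hardware-based encryption required, used-space-only forced while Central requires full encryption, enhanced PINs or pre-boot input on slates not enabled). The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed from Microsoft's BitLocker ADMX mapping and should be verified against your policy definitions; the smart card conflict is not checked.

```powershell
# Added example (not Sophos code). Reads BitLocker policy values set by the GPOs
# above and flags conflicts with Sophos Central Device Encryption.
# Assumption: value names follow Microsoft's VolumeEncryption.admx mapping.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FveValue {
    param([string]$Name)
    if (-not (Test-Path $fve)) { return $null }   # no BitLocker policy applied at all
    (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-CentralBitLockerPolicy {
    # $CentralRequiresFullEncryption mirrors the Sophos Central policy choice
    param([bool]$CentralRequiresFullEncryption = $false)
    $findings = @()

    foreach ($drive in 'OS', 'FDV') {
        # Hardware-based encryption required with no software fallback: Central cannot override it
        if ((Get-FveValue "${drive}HardwareEncryption") -eq 1 -and
            (Get-FveValue "${drive}AllowSoftwareEncryptionFailover") -eq 0) {
            $findings += "CONFLICT: hardware-based encryption is required for $drive drives"
        }
        # Encryption type: 1 = full, 2 = used space only (absent = user choice)
        $type = Get-FveValue "${drive}EncryptionType"
        if ($type -eq 2 -and $CentralRequiresFullEncryption) {
            $findings += "CONFLICT: $drive drives forced to used-space-only, but Central requires full encryption"
        } elseif ($type -eq 1) {
            $findings += "NOTE: $drive drives forced to full encryption; this overrides a used-space-only Central policy"
        }
    }
    # Startup authentication prerequisites
    if ((Get-FveValue 'UseAdvancedStartup') -eq 1 -and (Get-FveValue 'EnableBDEWithNoTPM') -ne 1) {
        $findings += 'NOTE: BitLocker without a compatible TPM is not allowed; machines without a TPM cannot use a startup password'
    }
    if ((Get-FveValue 'UseEnhancedPin') -ne 1) {
        $findings += 'NOTE: enhanced PINs not enabled; startup PINs are limited to digits'
    }
    # Tablets (slates) need pre-boot keyboard input enabled for startup authentication
    if ((Get-FveValue 'OSEnablePrebootInputProtectorsOnSlates') -ne 1) {
        $findings += 'NOTE: pre-boot keyboard input on slates not enabled; tablets will not encrypt with startup authentication'
    }
    if ($findings.Count -eq 0) { 'OK: no conflicting BitLocker policy found' } else { $findings }
}

Test-CentralBitLockerPolicy -CentralRequiresFullEncryption $true
```

Run it in an elevated PowerShell session on the endpoint before enabling Central Device Encryption; a CONFLICT line corresponds to a condition for which Sophos Central would raise an error event.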