BitLocker group policy settings

Sophos Central Device Encryption automatically defines group policy settings, so you don't have to prepare computers for device encryption.

Sophos Central Device Encryption doesn't overwrite settings you already made in the Local Group Policy Editor under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Note

The Local Group Policy Editor doesn't show the settings configured by Sophos Central Device Encryption. You can find these settings in the Windows registry under the node HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

See the following table for details about the settings you can configure in the Local Group Policy Editor.

| Policy | Setting | Value set by Sophos Central | Comment |
| --- | --- | --- | --- |
| Allow network unlock at startup | | Enabled | You can allow a pre-configured BitLocker network unlock to keep working after you have enabled Central Device Encryption. |
| Require additional authentication at startup | Allow BitLocker without a compatible TPM | Checked | This is set for Windows 8 if no TPM is available, to allow using a password on startup to unlock the system disk. |
| Require additional authentication at startup | Configure TPM startup PIN | Allow startup PIN with TPM | If the Device Encryption policy setting Require startup authentication is set and the system has a TPM, this group policy setting allows the system drive to be protected by TPM, with the user also asked for a PIN. |
| Allow enhanced PINs for startup | n/a | Enabled | This is set to allow alphanumeric PINs to protect the system drive with TPM. If this can't be set, only digits are allowed. |
| Configure pre-boot recovery message and URL | Select an option for the pre-boot recovery message | Use default recovery message and URL | This is set to use the Sophos default message and URL. |
| Configure pre-boot recovery message and URL | Custom recovery message option | Don't have your recovery key? Contact your IT Helpdesk or go to your Self Service Portal: https://sophos.com/ssp | |
| Configure pre-boot recovery message and URL | Custom recovery URL option | | |
| Configure use of hardware-based encryption for fixed data drives | n/a | Disabled | This is set to enforce software-based encryption. However, if an existing BitLocker group policy setting requires hardware-based encryption, that policy setting is not overridden. |
| Configure use of hardware-based encryption for operating system drives | n/a | Disabled | This is set to enforce software-based encryption. However, if an existing BitLocker group policy setting requires hardware-based encryption, that policy setting is not overridden. |

  • Encryption algorithm to be used: By default, Sophos Central Device Encryption uses AES-256. There is a group policy setting that can be used to select AES-128.
  • PIN/password requirements: There are group policy settings that can be used to set a minimum PIN/password length and to require complex passwords.
  • Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set to require full data encryption, it overrides any Sophos Central policy that allows encryption of used space only.

Some group policy settings may conflict with Sophos Central so that encryption cannot be enabled. In that case, an event is sent to Sophos Central.

  • Smart card required: If a group policy requires a smart card to be used for BitLocker, this is not supported by Sophos Central and generates an error event.
  • Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set to encrypt used space only but Sophos Central policy requires full encryption, this generates an error event.

If you want to encrypt tablet devices (such as the MS Surface Pro) and use startup authentication, you need to enable the Enable use of BitLocker authentication requiring preboot keyboard input on slates group policy setting. See Encryption does not start on tablet (slate) devices.
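The following read-only audit script is an added example, not Sophos code: it reads the HKLM\SOFTWARE\Policies\Microsoft\FVE node described above and reports the settings this page says can block or override Central Device Encryption (hardware-based encryption required, full versus used-space-only encryption, startup PIN and slate settings). The registry value names are those of the BitLocker ADMX template and are not listed on this page; verify them against the template on your build before relying on the output.

```powershell
# Added example: audit BitLocker group policy values that interact with Sophos Central Device Encryption.
# Value names are assumed from the BitLocker ADMX template (not given on the page).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is "Not configured" (the value does not exist).
    $item = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FvePolicyConflicts {
    $findings = @()
    if (-not (Test-Path $fve)) {
        return @('FVE policy node absent: no BitLocker group policy is configured on this computer')
    }
    # Hardware-based encryption: Sophos sets these to Disabled (0) but does not override
    # an existing policy that requires hardware-based encryption (1).
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption') {
        if ((Get-FvePolicyValue $name) -eq 1) {
            $findings += "$name = 1: existing policy requires hardware-based encryption; software encryption is not enforced"
        }
    }
    # Encryption type: 1 = full encryption, 2 = used space only. Full from GPO overrides a
    # Sophos used-space-only policy; used-space-only from GPO conflicts with a Sophos
    # full-encryption policy and generates an error event.
    foreach ($name in 'OSEncryptionType', 'FDVEncryptionType') {
        $type = Get-FvePolicyValue $name
        if ($type -eq 1) {
            $findings += "$name = 1: GPO requires full encryption; overrides a Sophos used-space-only policy"
        } elseif ($type -eq 2) {
            $findings += "$name = 2: GPO requires used space only; conflicts with a Sophos full-encryption policy"
        }
    }
    # Startup PIN: Sophos expects 'Allow startup PIN with TPM' (2); 0 = do not allow blocks PIN protectors.
    if ((Get-FvePolicyValue 'UseTPMPIN') -eq 0) {
        $findings += 'UseTPMPIN = 0: startup PIN with TPM is not allowed by existing policy'
    }
    if ((Get-FvePolicyValue 'UseEnhancedPin') -ne 1) {
        $findings += 'UseEnhancedPin not enabled: only numeric PINs are allowed'
    }
    # Tablets (slates) need preboot keyboard input enabled for startup authentication to work.
    if ((Get-FvePolicyValue 'OSEnablePrebootInputProtectorsOnSlates') -ne 1) {
        $findings += 'OSEnablePrebootInputProtectorsOnSlates not enabled: startup authentication will not start on slate devices'
    }
    return $findings
}

Test-FvePolicyConflicts | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session on the endpoint; an empty result means none of the checked policies is set to a value this page identifies as overriding or conflicting with Sophos Central.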

For details on group policy settings, see BitLocker Group Policy Settings and TPM Group Policy Settings.