Tuesday, October 28, 2014

BitLocker Policies for TechEd Europe 2014 in Barcelona!

I promised my viewers that I would publish the GPO settings shown in the session as a prebuilt Group Policy Object, so here you go!
Download BitLocker-policy

If you want the promised TPM flowchart as well, you should enroll in my free newsletter at:


  1. Hello Sami, it was a great session, but I have some additional questions about it. Could you please reply?

    1. You mentioned that for W8.1 with SecureBoot you recommend using BitLocker with TPM + NO PIN. But even with SecureBoot enabled I am still able to boot a mini Linux from USB, so I can read the content of frozen memory. Or did you have something else in mind when you described the cold boot attack that is not possible with SecureBoot?

    2. You also recommended enabling hibernation as the close-lid action via GPO, but if I follow the recommendation for W8.1 (SecureBoot and NO PIN), is hibernation really needed?

  2. Hi Peter,

    SecureBoot can block you from booting a mini Linux. Can you please provide me with more specific examples of how you can do it? SecureBoot does allow you to change the trusted certificates, so by default your SecureBoot can of course be a bit more trusting than mine. But this can be changed.

    I'd say that you don't need to use hibernate if you don't have, or can block, the DMA bus and follow all the other recommendations.

    1. Hi Sami,

      Now I believe that I see your point... So you mean that I should sign the Windows bootloader with my certificate and set just this certificate as trusted in the BIOS? Or set just the Microsoft certificate as trusted?

      Thank you

  3. I'm rather saying that you can get rid of extra trusted certs. SecureBoot uses a multi-level trust hierarchy that can be altered in many ways.
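The thread above turns on three settings: Secure Boot state, a TPM-only BitLocker protector on the OS volume, and hibernate as the lid-close action when a DMA-capable port (1394/Thunderbolt) cannot be blocked. The following PowerShell audit is an added example for checking those settings locally; it is not Sami's prebuilt GPO and not code from the thread. It assumes Windows 8.1 or later with the BitLocker, TrustedPlatformModule and SecureBoot modules present, an elevated session, that the OS volume is %SystemDrive%, and that "TPM only" means a protector of type `Tpm` with no `TpmPin*` protector alongside it. `Set-LidActionHibernate` is a local `powercfg` equivalent of the lid-switch power setting, offered as an assumption about what the GPO enforces, not the GPO itself.

```powershell
# Added example, not the GPO from the talk: audit a Windows 8.1 client for the
# controls discussed in the comments. Run from an elevated PowerShell.
# Assumptions: OS volume is $env:SystemDrive; "TPM only" = Tpm protector with
# no TpmPin/TpmPinStartupKey protector present.

Set-StrictMode -Version 2

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'NotUEFI' }
}

function Get-LidAction {
    # powercfg prints lines like "Current AC Power Setting Index: 0x00000002".
    # Index meaning: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
    param([ValidateSet('AC','DC')][string]$Power)
    $lines = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    foreach ($l in $lines) {
        if ($l -match "Current $Power Power Setting Index:\s+0x([0-9A-Fa-f]+)") {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

function Set-LidActionHibernate {
    # Local equivalent (assumption) of the lid-switch power GPO: hibernate on AC and DC.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2 | Out-Null
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2 | Out-Null
    powercfg /setactive SCHEME_CURRENT | Out-Null
}

function Get-BitLockerSummary {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Protection = $vol.ProtectionStatus
        Protectors = $types
        TpmOnly    = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })
    }
}

function Get-DmaControllers {
    # Hot-pluggable DMA-capable buses the thread mentions blocking; report only, change nothing.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.Name -match '1394|Thunderbolt' } |
        Select-Object -ExpandProperty Name
}

$sb  = Get-SecureBootState
$tpm = Get-Tpm
$bl  = Get-BitLockerSummary
$lid = @{ AC = Get-LidAction -Power AC; DC = Get-LidAction -Power DC }
$dma = @(Get-DmaControllers)

"Secure Boot       : $sb"
"TPM present/ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"
"BitLocker         : $($bl.Protection), protectors: $($bl.Protectors -join ', ')"
"Lid action AC/DC  : $($lid.AC) / $($lid.DC)  (2 = hibernate)"
"DMA-capable ports : " + $(if ($dma) { $dma -join '; ' } else { 'none found' })

# Findings against the advice given in the thread
if ($sb -eq 'Enabled' -and $bl.TpmOnly) {
    "OK  : Secure Boot enabled with a TPM-only protector, as recommended for W8.1."
}
if ($sb -ne 'Enabled' -and $bl.TpmOnly) {
    "WARN: TPM-only protector but Secure Boot is not enabled."
}
if ($dma -and ($lid.AC -ne 2 -or $lid.DC -ne 2)) {
    "WARN: DMA-capable port present and lid action is not hibernate; run Set-LidActionHibernate."
}
```

The script only reports; `Set-LidActionHibernate` is there to be called by hand once the output has been reviewed, since on a domain-joined machine the GPO from the talk would override a local `powercfg` change at the next policy refresh anyway.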