Tuesday, May 10, 2011

Group Policy: Store BitLocker recovery information in Active Directory Domain Services

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption

Supported on: Windows Vista and Windows Server 2008

This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

If you enable this policy setting, BitLocker recovery information will be automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

Note: You must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about setting up AD DS backup for BitLocker.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

If you select the option to "Require BitLocker backup to AD DS", BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried, so the recovery password may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, BitLocker recovery information will not be backed up to AD DS.

Note: Trusted Platform Module (TPM) initialization may be needed during BitLocker setup. Enable the "Turn on TPM backup to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information is also backed up.
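Because a failed backup is not retried, an administrator needs a way to confirm the policy is in effect and to push any missed recovery password to AD DS afterwards. The following PowerShell script is an added example, not part of the original post or of Microsoft's documentation: it reads the registry values these policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE, parses the English-language output of manage-bde -protectors -get for numerical (recovery) password protectors, and re-runs the AD DS backup for each one. It assumes an elevated session on a domain-joined computer with manage-bde.exe available; the mount point and the regular expressions are choices made for this example.

```powershell
# Added example (not from the original post): audit the AD DS backup policy for
# BitLocker and re-run the backup for any recovery password that may have been missed.
# Assumes: elevated PowerShell on a domain-joined machine where manage-bde.exe exists.
param([string]$MountPoint = 'C:')

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue

# DWORD values written by the policy: ActiveDirectoryBackup (1 = enabled),
# RequireActiveDirectoryBackup (1 = "Require BitLocker backup to AD DS"),
# ActiveDirectoryInfoToStore (1 = passwords and key packages, 2 = passwords only).
$backup  = [int]$pol.ActiveDirectoryBackup
$require = [int]$pol.RequireActiveDirectoryBackup
$store   = [int]$pol.ActiveDirectoryInfoToStore
Write-Host ("AD DS backup enabled: {0}  required: {1}  info to store: {2}" -f $backup, $require, $store)
if ($backup -ne 1)  { Write-Warning 'Policy disabled or not configured: recovery info is not backed up to AD DS.' }
if ($require -ne 1) { Write-Warning 'Backup not required: a backup that failed during setup was never retried.' }

# Parse 'manage-bde -protectors -get': a "Numerical Password:" header is followed by
# an "ID: {GUID}" line. Any other ID line (for example the TPM protector) resets the flag.
$recoveryIds = @()
$inRecovery = $false
foreach ($line in (& manage-bde.exe -protectors -get $MountPoint)) {
    if ($line -match '^\s*Numerical Password:') { $inRecovery = $true; continue }
    if ($line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]+\})') {
        if ($inRecovery) { $recoveryIds += $Matches[1] }
        $inRecovery = $false
    }
}
if (-not $recoveryIds) {
    Write-Warning "No recovery password protector found on $MountPoint; nothing to back up."
    exit 1
}

# Re-run the AD DS backup for each recovery password. manage-bde prints the result;
# a non-zero exit code usually means missing schema extensions or computer-object permissions.
foreach ($id in $recoveryIds) {
    Write-Host "Backing up recovery password $id for $MountPoint to AD DS..."
    & manage-bde.exe -protectors -adbackup $MountPoint -id $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup of $id failed (exit code $LASTEXITCODE); verify schema and ACLs on the computer object."
    }
}
```

Run it once per BitLocker-protected volume after deployment, and again for any machine that enabled BitLocker while off the network.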

Group Policy: Timeout for fast user switching events

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics

Supported on: At least Windows 7 or Windows Server 2008 R2

This policy setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initiated. By default, a fast user switch event is active for 10 seconds before becoming inactive.

If you enable this policy setting, you can configure the fast user switch event timeout to specify the number of seconds the event remains active. This value cannot exceed 60 seconds.

If you disable or do not configure this policy setting, the default value of 10 seconds will be used for fast user switch event timeouts.

Group Policy: Allow domain users to log on using biometrics

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics

Supported on: At least Windows 7 or Windows Server 2008 R2

This policy setting determines whether domain users can log on or elevate User Account Control (UAC) permissions using biometrics.

By default, domain users cannot use biometrics to log on. If you enable this policy setting, domain users can log on to a Windows-based computer using biometrics. Depending on the biometrics you use, enabling this policy setting can reduce the security of users who use biometrics to log on.

If you disable or do not configure this policy setting, domain users will not be able to log on to a Windows-based computer using biometrics.

Note: Users who log on using biometrics should create a password-recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Group Policy: Allow users to log on using biometrics

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics

Supported on: At least Windows 7 or Windows Server 2008 R2

This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, local users will be able to log on to the local computer, but the "Allow domain users to log on using biometrics" policy setting will need to be enabled for domain users to log on to the domain.

If you enable or do not configure this policy setting, all users can log on to a local Windows-based computer and will be able to elevate permissions with UAC using biometrics.

If you disable this policy setting, biometrics cannot be used by any users to log on to a local Windows-based computer.

Note: Users who log on using biometrics should create a password-recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Group Policy: Allow the use of biometrics

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics

Supported on: At least Windows 7 or Windows Server 2008 R2

If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the "Allow users to log on using biometrics" policy setting.

If you disable this policy setting, the Windows Biometric Service will not be available, and users will be unable to use any biometric features in Windows.

Note: Users who log on using biometrics should create a password-recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Monday, May 9, 2011

Group Policy: Disallow run-once backups

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Backup > Server

Supported on: At least Windows Vista

This policy setting allows you to manage whether run-once backups of a machine can be run or not.

If you enable this policy setting, the machine administrator or backup operator cannot use Windows Server Backup to run non-scheduled, run-once backups.

If you disable or do not configure this policy setting, there is no restriction on running run-once backups.

Group Policy: Disallow optical media as backup target

Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Backup > Server

Supported on: At least Windows Vista

This policy setting allows you to manage whether backups of a machine can be written to optical media.

If you enable this policy setting, the machine administrator or backup operator cannot use Windows Server Backup to run backups to optical media.

If you disable or do not configure this policy setting, there is no restriction on using optical media as a backup target.