| Setting | Value |
|---|---|
| Administrative Templates | |
| Operating System Drives | |
| Enforce drive encryption type on operating system drives | Enabled |
| Select the encryption type: (Device) | Full encryption |
| Require additional authentication at startup | Enabled |
| Configure TPM startup key and PIN: | Do not allow startup key and PIN with TPM |
| Configure TPM startup PIN: | Do not allow startup PIN with TPM |
| Configure TPM startup: | Require TPM |
| Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) | False |
| Configure TPM startup key: | Do not allow startup key with TPM |
| Disallow standard users from changing the PIN or password | Enabled |
| Choose how BitLocker-protected operating system drives can be recovered | Enabled |
| Omit recovery options from the BitLocker setup wizard | True |
| Allow data recovery agent | False |
| Configure storage of BitLocker recovery information to AD DS: | Store recovery passwords and key packages |
| Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | True |
| Save BitLocker recovery information to AD DS for operating system drives | True |
| Configure user storage of BitLocker recovery information: | Require 48-digit recovery password; Do not allow 256-bit recovery key |
| BitLocker Drive Encryption | |
| Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled |
| Select the encryption method for removable data drives: | AES-CBC 256-bit |
| Select the encryption method for fixed data drives: | XTS-AES 256-bit |
| Select the encryption method for operating system drives: | XTS-AES 256-bit |
| BitLocker | |
| Require Device Encryption | Enabled |
| Allow Warning For Other Disk Encryption | Disabled |
| Allow Standard User Encryption | Enabled |
| Configure Recovery Password Rotation | Refresh on for Entra ID-joined devices |
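Added compliance check, not part of the baseline document: a PowerShell script that compares a device's applied FVE policy registry values and the effective state reported by `Get-BitLockerVolume` against the rows in the table above. The registry value names and their numeric encodings are assumptions taken from the BitLocker ADMX mapping and should be verified against the ADMX files in use.

```powershell
# Added example (not part of the baseline document): compare an endpoint's applied
# FVE policy and its effective BitLocker state against the baseline table.
# Registry value names and encodings are assumptions; confirm against the BitLocker ADMX.
$ExpectedPolicy = @{
    OSEncryptionType               = 1  # Full encryption
    UseTPM                         = 1  # Require TPM
    UseTPMPIN                      = 0  # Do not allow startup PIN with TPM
    UseTPMKey                      = 0  # Do not allow startup key with TPM
    UseTPMKeyPIN                   = 0  # Do not allow startup key and PIN with TPM
    EnableBDEWithNoTPM             = 0  # Allow BitLocker without a compatible TPM: False
    DisallowStandardUserPINReset   = 1  # Standard users cannot change PIN/password
    OSRecoveryPassword             = 2  # Require 48-digit recovery password
    OSRecoveryKey                  = 0  # Do not allow 256-bit recovery key
    OSManageDRA                    = 0  # Allow data recovery agent: False
    OSHideRecoveryPage             = 1  # Omit recovery options from the setup wizard
    OSActiveDirectoryBackup        = 1  # Save recovery information to AD DS
    OSActiveDirectoryInfoToStore   = 1  # Store recovery passwords and key packages
    OSRequireActiveDirectoryBackup = 1  # Do not enable until info is stored in AD DS
    EncryptionMethodWithXtsOs      = 7  # XTS-AES 256-bit (operating system drives)
    EncryptionMethodWithXtsFdv     = 7  # XTS-AES 256-bit (fixed data drives)
    EncryptionMethodWithXtsRdv     = 4  # AES-CBC 256-bit (removable data drives)
}
function Test-BitLockerBaseline {
    $findings = @()
    # Applied policy: the FVE key only exists once a GPO/MDM policy has been delivered.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedPolicy.Keys) {
        $actual = if ($fve) { $fve.$name } else { $null }
        if ($actual -ne $ExpectedPolicy[$name]) {
            $findings += "Policy $name is '$actual', expected $($ExpectedPolicy[$name])"
        }
    }
    # Effective state: policy can be applied while the volume still carries old protectors or cipher.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os) { return $findings + 'No operating system volume reported by BitLocker' }
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings += "OS volume is $($os.VolumeStatus), not FullyEncrypted" }
    if ($os.EncryptionMethod -ne 'XtsAes256') { $findings += "OS volume cipher is $($os.EncryptionMethod), expected XtsAes256" }
    $types = @($os.KeyProtector.KeyProtectorType)
    if ('Tpm' -notin $types) { $findings += 'OS volume has no TPM-only protector (baseline requires TPM)' }
    if ('RecoveryPassword' -notin $types) { $findings += 'OS volume has no 48-digit recovery password protector' }
    # Protectors the baseline rules out: PIN/startup-key variants, external (256-bit) keys, passwords.
    foreach ($bad in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password') {
        if ($bad -in $types) { $findings += "OS volume has a $bad protector the baseline disallows" }
    }
    return $findings
}
$result = Test-BitLockerBaseline
if ($result.Count -eq 0) { 'Compliant with BitLocker baseline' } else { $result }
```

Run it elevated on the endpoint; each finding names the baseline row that is not met, so an empty result means both the delivered policy and the live OS volume match the table.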