Policy

Set the DPAPI backup keys rotation period

Windows 11 25H2

Back to categoryOpen picker

Policy overview

Key metadata and intent for this policy.

ClassComputer
CategorySystem > DPAPI
Supported onAt least Windows Server 2016

Supported OS tags: WindowsServer2016

This policy setting specifies the DPAPI backup keys rotation period. You can use this setting to override the default value of 90 days. Set 0 to disable the DPAPI backup keys rotation. If you enable this policy setting, set the number of days that the system waits before generating a new DPAPI backup key. If you disable or do not configure this policy setting, the default value of 90 days is used.

Internal name
DomainBackupKeyRotationPeriod
Policy ID
1ac8c0cec32b
Elements
1

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

ElementTypeRegistry mappingConstraints & behavior
Specify the DPAPI backup keys rotation period in days. Set 0 to disable the DPAPI backup keys rotation.
ID DPAPI_DomainBackupKeyRotationPeriod_Prompt
decimal
HKLM\Software\Policies\Microsoft\Windows\DPAPI\DomainBackupKeyRotationPeriod
Type REG_DWORD
Range: 0 to 18262