Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

Supported OS tags: WindowsServer2008, WindowsVista

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key. If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder. If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store recovery options. Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information. Note: The 48-digit recovery password will not be available in FIPS-compliance mode. Important: This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)" policy setting to prevent a policy error.

No explicit registry values are set for enabled or disabled states.

• Computer
  Choose default folder for recovery password

  At least Windows Vista
• Computer
  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

  At least Windows Server 2016, Windows 10
• Computer
  Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

  Windows Server 2008, Windows 7, and Windows Vista
• Computer
  Disable new DMA devices when this computer is locked

  At least Windows Server 2016, Windows 10 Version 1703
• Computer
  Prevent memory overwrite on restart

  Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008, Windows 7, and Windows Vista
• Computer
  Provide the unique identifiers for your organization

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

  Windows Server 2008 and Windows Vista
• Computer
  Validate smart card certificate usage rule compliance

  At least Windows Server 2008 R2 or Windows 7