Policy
Choose how BitLocker-protected fixed drives can be recovered
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecovery | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
FDVRecoveryPasswordUsageDropDown_Name ID FDVRecoveryPasswordUsageDropDown_Name | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryPassword Type REG_DWORD | Options: Allow 48-digit recovery password (2), Require 48-digit recovery password (1), Do not allow 48-digit recovery password (0) |
FDVRecoveryKeyUsageDropDown_Name ID FDVRecoveryKeyUsageDropDown_Name | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryKey Type REG_DWORD | Options: Allow 256-bit recovery key (2), Require 256-bit recovery key (1), Do not allow 256-bit recovery key (0) |
Configure storage of BitLocker recovery information to AD DS: ID FDVActiveDirectoryBackupDropDown_Name | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore Type REG_DWORD | Options: Backup recovery passwords and key packages (1), Backup recovery passwords only (2) |
Allow data recovery agent ID FDVAllowDRA_Name | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVManageDRA Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Omit recovery options from the BitLocker setup wizard ID FDVHideRecoveryPage_Name | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVHideRecoveryPage Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Save BitLocker recovery information to AD DS for fixed data drives ID FDVActiveDirectoryBackup_Name | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryBackup Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives ID FDVRequireActiveDirectoryBackup_Name | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow access to BitLocker-protected fixed data drives from earlier versions of WindowsAt least Windows Server 2008 R2 or Windows 7 through Windows Server 2022 or Windows 11 Version 22H2
- ComputerConfigure use of hardware-based encryption for fixed data drivesAt least Windows Server 2012 or Windows 8
- ComputerConfigure use of passwords for fixed data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure use of smart cards on fixed data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerDeny write access to fixed drives not protected by BitLockerAt least Windows Server 2008 R2 or Windows 7
- ComputerEnforce drive encryption type on fixed data drivesAt least Windows Server 2012 or Windows 8