Provide the unique identifiers for your organization

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field. The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe. If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization. If you disable or do not configure this policy setting, the identification field is not required. Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

• Computer
  Choose default folder for recovery password

  At least Windows Vista
• Computer
  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

  At least Windows Server 2016, Windows 10
• Computer
  Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

  Windows Server 2008, Windows 7, and Windows Vista
• Computer
  Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

  Windows Server 2008 and Windows Vista
• Computer
  Disable new DMA devices when this computer is locked

  At least Windows Server 2016, Windows 10 Version 1703
• Computer
  Prevent memory overwrite on restart

  Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008, Windows 7, and Windows Vista
• Computer
  Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

  Windows Server 2008 and Windows Vista
• Computer
  Validate smart card certificate usage rule compliance

  At least Windows Server 2008 R2 or Windows 7