Category: Windows Server 2008 and Windows Vista
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista. On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data: when the computer starts, it can require the user to insert a USB flash drive containing a startup key, or it can require the user to enter a 4-digit to 20-digit startup personal identification number (PIN). A USB flash drive containing a startup key is required on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on that USB flash drive, so whoever holds the drive can unlock the volume and losing it leaves only the recovery options. If you enable this policy setting, the wizard displays the page that allows the user to configure advanced startup options for BitLocker, and you can further configure the options offered for computers with and without a TPM. If you disable or do not configure this policy setting, the BitLocker setup wizard displays only the basic steps that allow users to turn on BitLocker on computers with a TPM; in this basic wizard, no additional startup key or startup PIN can be configured.
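The policy only controls what the wizard offers; what matters for the data is which key protectors actually ended up on each volume. The following script is an added example (it is not part of the policy reference and not Microsoft's code) that enumerates the protectors through the Win32_EncryptableVolume and Win32_Tpm WMI classes, which have existed since Windows Vista, and flags volumes whose startup authentication is TPM-only or, on a TPM-less computer, a USB startup key alone. It assumes local administrator rights and PowerShell 2.0-compatible syntax; the function and variable names are this example's own.

```powershell
# Added example: audit BitLocker startup authentication per volume via WMI.
# Not part of the policy reference text; function names are this example's own.
$fveNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

# KeyProtectorType values as documented for Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup or recovery key)'
    3 = 'Numerical password (48-digit recovery password)'; 4 = 'TPM and PIN'
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}

function Get-TpmPresence {
    # $true only when a TPM is enabled, activated and owned, i.e. usable by BitLocker.
    $tpm = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Get-StartupProtectorReport {
    $hasTpm = Get-TpmPresence
    foreach ($vol in Get-WmiObject -Namespace $fveNamespace -Class Win32_EncryptableVolume) {
        # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
        $status = $vol.GetProtectionStatus().ProtectionStatus
        $types = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = every protector type
        if ($ids) {
            foreach ($id in @($ids)) {
                $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            }
        }
        # Pre-boot protectors are the ones that unlock the OS volume without recovery material.
        $startup = @($types | Where-Object { @(1, 2, 4, 5, 6) -contains $_ })
        $userSecret = @($startup | Where-Object { @(4, 5, 6) -contains $_ })
        if ($status -ne 1) {
            $verdict = 'not protected'
        } elseif (-not $hasTpm -and ($startup -contains 2)) {
            $verdict = 'USB startup key only (no TPM): data is protected solely by the key on that drive'
        } elseif (($startup -contains 1) -and ($userSecret.Count -eq 0)) {
            $verdict = 'TPM only: no PIN or startup key required at boot'
        } else {
            $verdict = 'TPM plus PIN and/or startup key'
        }
        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protectors = ($types | ForEach-Object { $protectorNames[$_] }) -join ', '
            Verdict    = $verdict
        }
    }
}

Get-StartupProtectorReport | Format-Table Drive, Verdict, Protectors -AutoSize
```

Run it from an elevated PowerShell prompt. A TPM-only verdict means the disk is unlocked automatically whenever the measured boot path is unchanged, which is exactly the configuration this policy exists to let you go beyond.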
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker, to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista. If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker. Note: You might need to set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS backup for BitLocker is available on Microsoft TechNet. BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive’s encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted. If you select the option to “Require BitLocker backup to AD DS”, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried, so the recovery password may never have been stored in AD DS for a computer that was set up while disconnected. If you disable or do not configure this policy setting, BitLocker recovery information is not backed up to AD DS. Note: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the “Turn on TPM backup to Active Directory Domain Services” policy setting in System -> Trusted Platform Module Services to ensure that TPM owner information is also backed up.
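Because a failed backup is never retried, the practical check is to compare the numerical-password protectors present on the computer with the msFVE-RecoveryInformation objects stored under its computer account, and to re-run the backup for any that are missing. The script below is an added example (not part of the policy reference and not Microsoft's code). It assumes the ActiveDirectory PowerShell module from RSAT, rights to read the recovery objects, and manage-bde available as manage-bde.exe (on Windows Vista itself the equivalent is cscript manage-bde.wsf with the same -protectors -adbackup arguments); the function names are this example's own.

```powershell
# Added example: reconcile local recovery-password protectors with AD DS backups.
# Not part of the policy reference text; function names are this example's own.
Import-Module ActiveDirectory

$fveNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-LocalRecoveryPasswordIds {
    # One object per numerical-password protector (KeyProtectorType 3) on any volume.
    foreach ($vol in Get-WmiObject -Namespace $fveNamespace -Class Win32_EncryptableVolume) {
        $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
        if ($ids) {
            foreach ($id in @($ids)) {
                New-Object PSObject -Property @{ Drive = $vol.DriveLetter; ProtectorId = $id }
            }
        }
    }
}

function Get-AdRecoveryGuids {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are direct children of the computer object; msFVE-RecoveryGuid
    # is an octet string, so convert it to the {GUID} form WMI uses for protector IDs.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryGuid |
        ForEach-Object { ([guid][byte[]]$_.'msFVE-RecoveryGuid').ToString('B').ToUpper() }
}

function Test-RecoveryBackup {
    param([switch]$Repair)
    $backedUp = @(Get-AdRecoveryGuids)
    foreach ($p in Get-LocalRecoveryPasswordIds) {
        if ($backedUp -contains $p.ProtectorId.ToUpper()) {
            Write-Output "$($p.Drive) $($p.ProtectorId) : present in AD DS"
        } else {
            Write-Warning "$($p.Drive) $($p.ProtectorId) : NOT in AD DS (setup does not retry this)"
            if ($Repair) {
                # Re-run the backup for this one protector; needs domain connectivity now.
                & manage-bde.exe -protectors -adbackup $p.Drive -id $p.ProtectorId
            }
        }
    }
}

Test-RecoveryBackup -Repair
```

Anyone who can read msFVE-RecoveryPassword on these objects can unlock the volume, so the access control settings the Note above refers to deserve the same review as the backup itself.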
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information: the user can either type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key. If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker-encrypted data. Saving to a USB flash drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder stores the 48-digit recovery password as a text file. Printing sends the 48-digit recovery password to the default printer. The options depend on each other: for example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder, because those two methods store only the password. If you disable or do not configure this policy setting, the BitLocker setup wizard presents users with all of these ways to store recovery information. Note: If Trusted Platform Module (TPM) initialization is needed during BitLocker setup, TPM owner information is saved or printed together with the BitLocker recovery information, so wherever that output goes must be protected as key material. Note: The 48-digit recovery password is not available in FIPS-compliance mode. Important: This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. If you disallow both user recovery options, you must enable the “Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)” policy setting; otherwise the combination is reported as a policy error.
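The 48-digit recovery password is eight groups of six digits, and each group is a 16-bit value multiplied by 11, so a group is valid only if it is divisible by 11 and smaller than 720896 (65536 × 11). That structure lets a help desk tell a mistyped or transposed group from a genuinely wrong password before walking a user through recovery. The function below is an added example (not part of the policy reference and not Microsoft's code) that applies exactly those two checks and reports the first failing group; the sample passwords are constructed for the example, not real recovery data, and the function name is this example's own.

```powershell
# Added example: syntactic validation of a BitLocker 48-digit recovery password.
# Not part of the policy reference text; function name is this example's own.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    # Accept the printed form (groups separated by hyphens or spaces) as well as 48 bare digits.
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        return New-Object PSObject -Property @{ Valid = $false; Reason = 'expected 48 digits in 8 groups of 6' }
    }

    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if ($group % 11 -ne 0) {
            # Any single-digit typo or adjacent transposition changes the value mod 11.
            return New-Object PSObject -Property @{ Valid = $false; Reason = "group $($i + 1) ($group) is not divisible by 11" }
        }
        if (($group / 11) -ge 65536) {
            # Each group encodes a 16-bit word, so the quotient must fit in 16 bits.
            return New-Object PSObject -Property @{ Valid = $false; Reason = "group $($i + 1) ($group) exceeds 720885" }
        }
    }
    return New-Object PSObject -Property @{ Valid = $true; Reason = 'well-formed' }
}

# Constructed samples: every group below is a 16-bit value times 11.
$good    = '135795-597531-000011-720885-440000-258016-085547-006600'
$swapped = '135795-597513-000011-720885-440000-258016-085547-006600'   # digits 3/1 transposed in group 2
$tooBig  = '135795-597531-000011-720896-440000-258016-085547-006600'   # 720896 = 65536 * 11, out of range

foreach ($sample in $good, $swapped, $tooBig) {
    $r = Test-BitLockerRecoveryPassword -Password $sample
    "{0}  valid={1}  {2}" -f $sample, $r.Valid, $r.Reason
}
```

Passing this check only means the string is structurally a recovery password; whether it matches the volume is decided by BitLocker when it is entered. The check does not apply to the 256-bit recovery key file, which carries no such format.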
Do not search Internet
If you enable this policy, the Start menu search box will not search Internet history or favorites. If you disable or do not configure this policy, the Start menu will search Internet history and favorites unless the user chooses not to in the Start menu control panel.
Package Point and print – Approved servers
Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting applies only to Package Point and Print connections and is completely independent from the “Point and Print Restrictions” policy that governs the behavior of non-package point and print connections. Windows Vista and later clients will attempt a non-package point and print connection any time a package point and print connection fails, including attempts that are blocked by this policy, so enabling this policy alone does not stop a client from reaching a server it has not been approved for. Administrators may need to set both policies to block all print connections to a specific print server. If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled or not configured, package point and print is not restricted to specific print servers.
Only use Package Point and print
This policy restricts client computers to package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled or not configured, users are not restricted to package-aware point and print only.
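The two Package Point and Print policies above and the separate “Point and Print Restrictions” policy interact through the fallback described under “Package Point and print – Approved servers”: a package connection that is refused is retried as a non-package connection, which only the other policy (or “Only use Package Point and print”) can stop. The script below is an added example (not part of the policy reference and not Microsoft's code) that reads the registry values these policies write and reports, for one print server, whether a package connection, the non-package fallback, or neither would be permitted. The key and value names follow Printing.admx as the author of this example understands them; verify them against your own ADMX copy before relying on the result. Function names are this example's own.

```powershell
# Added example: evaluate the combined effect of the point and print policies on one server.
# Not part of the policy reference text; key/value names are taken from Printing.admx
# as understood by the example's author (verify against your ADMX), function names are its own.
$pkgKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-PrintPolicyState {
    $state = New-Object PSObject -Property @{
        PackageApprovedOnly   = ((Get-RegValue $pkgKey 'PackagePointAndPrintServerList') -eq 1)  # Approved servers
        PackageApprovedList   = @()
        PackageOnly           = ((Get-RegValue $pkgKey 'PackagePointAndPrintOnly') -eq 1)        # Only use Package Point and print
        NonPackageRestricted  = ((Get-RegValue $pnpKey 'Restricted') -eq 1)                      # Point and Print Restrictions enabled
        NonPackageTrustedOnly = ((Get-RegValue $pnpKey 'TrustedServers') -eq 1)                  # ... limited to listed servers
        NonPackageServerList  = @()
    }
    # Approved package servers are stored as values under a ListofServers subkey.
    $listKey = Join-Path $pkgKey 'ListofServers'
    if (Test-Path $listKey) {
        $k = Get-Item $listKey
        $state.PackageApprovedList = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
    }
    # Non-package trusted servers are a single semicolon-separated string.
    $raw = Get-RegValue $pnpKey 'ServerList'
    if ($raw) { $state.NonPackageServerList = @($raw -split ';' | Where-Object { $_ }) }
    return $state
}

function Test-PrintServerAllowed([Parameter(Mandatory = $true)][string]$Server) {
    $s = Get-PrintPolicyState
    $package = (-not $s.PackageApprovedOnly) -or ($s.PackageApprovedList -contains $Server)
    # The fallback succeeds unless package-only is enforced or the non-package
    # restrictions policy limits connections to a list that excludes this server.
    $nonPackage = (-not $s.PackageOnly) -and (
        (-not $s.NonPackageRestricted) -or (-not $s.NonPackageTrustedOnly) -or ($s.NonPackageServerList -contains $Server))
    New-Object PSObject -Property @{
        Server             = $Server
        PackageConnection  = $package
        NonPackageFallback = $nonPackage
        FullyBlocked       = (-not $package) -and (-not $nonPackage)
    }
}

Test-PrintServerAllowed -Server 'printsrv.example.com' | Format-List Server, PackageConnection, NonPackageFallback, FullyBlocked
```

A server that shows PackageConnection false but NonPackageFallback true is the case the description warns about: the approved-servers list alone has not blocked it. The comparisons use PowerShell's default case-insensitive -contains, matching how server names are compared in practice; run the script on a client after gpupdate so the values reflect the applied policy rather than a stale local copy.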