Reference Guide

Manage Policies
Save Recovery Password
because it does not prompt the user when saving recovery passwords.
Microsoft defines this policy as: This setting provides the default path that is displayed when the BitLocker drive encryption setup wizard prompts the user to enter the location of a folder to save the recovery password.
The text in this policy is translatable.
Encryption Method and Cipher Strength
Default: AES 128 with Diffuser
Options: AES 128 with Diffuser, AES 256 with Diffuser, AES 128, AES 256
This policy specifies the encryption method and cipher strength used for BitLocker drive encryption. It is applied only when a drive is first encrypted: changing it has no effect on a drive that is already encrypted or whose encryption is in progress, and such a drive keeps the method it was encrypted with until it is decrypted and encrypted again.
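Because the policy cannot change the cipher of a drive that is already encrypted, the check a practitioner wants is whether existing volumes actually use the method the policy now requires. The following PowerShell audit is an added example, not code from the reference guide or its vendor. It assumes the policy is backed by the registry value EncryptionMethod under HKLM:\SOFTWARE\Policies\Microsoft\FVE with the DWORD codes 1 = AES 128 with Diffuser, 2 = AES 256 with Diffuser, 3 = AES 128, 4 = AES 256 (6 and 7 = XTS-AES 128/256 on newer Windows, which no longer offer the Diffuser variants), and it relies on the Get-BitLockerVolume cmdlet, so it must run elevated on a host with the BitLocker module; the function names and the hashtable mappings are the example's own.

```powershell
# Added example (not the vendor's code): report volumes whose cipher
# differs from the one the Encryption Method and Cipher Strength policy
# currently requires.
# Assumed policy location and DWORD codes, see lead-in.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy DWORD -> cipher name as shown in the policy's option list.
$PolicyCodeToName = @{
    1 = 'AES 128 with Diffuser'
    2 = 'AES 256 with Diffuser'
    3 = 'AES 128'
    4 = 'AES 256'
    6 = 'XTS-AES 128'
    7 = 'XTS-AES 256'
}

# Get-BitLockerVolume EncryptionMethod enum names -> the same naming, so
# the policy side and the volume side compare as plain strings.
$VolumeMethodToName = @{
    'Aes128Diffuser' = 'AES 128 with Diffuser'
    'Aes256Diffuser' = 'AES 256 with Diffuser'
    'Aes128'         = 'AES 128'
    'Aes256'         = 'AES 256'
    'XtsAes128'      = 'XTS-AES 128'
    'XtsAes256'      = 'XTS-AES 256'
    'None'           = 'None (not encrypted)'
}

function Get-ConfiguredEncryptionMethod {
    # Cipher name the policy asks for, or $null when the policy is not
    # configured (BitLocker then falls back to the Windows default).
    $item = Get-ItemProperty -Path $FvePolicyKey -Name 'EncryptionMethod' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $code = [int]$item.EncryptionMethod
    if ($PolicyCodeToName.ContainsKey($code)) { return $PolicyCodeToName[$code] }
    return "Unknown code $code"
}

function Get-EncryptionMethodDrift {
    # One record per volume. Drift is $true when an encrypted volume uses a
    # cipher other than the policy's. The policy will not fix this on its
    # own; the volume has to be decrypted and encrypted again.
    param([string]$Expected = (Get-ConfiguredEncryptionMethod))

    foreach ($vol in Get-BitLockerVolume) {
        $actual = $VolumeMethodToName[[string]$vol.EncryptionMethod]
        if (-not $actual) { $actual = [string]$vol.EncryptionMethod }
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            Actual       = $actual
            Expected     = $Expected
            Drift        = ($null -ne $Expected) -and
                           ([string]$vol.VolumeStatus -ne 'FullyDecrypted') -and
                           ($actual -ne $Expected)
        }
    }
}

Get-EncryptionMethodDrift | Format-Table -AutoSize
```

A volume reported with Drift = True was encrypted before the policy was changed (or under a different policy) and will keep its weaker or simply different cipher until it is re-encrypted; decrypted volumes are skipped because they will pick up the policy's cipher when encryption is next turned on.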
Enable Organizational Unique Identifiers
Default: Not Selected
Options: Not Selected, Selected
This policy allows for the association of unique organizational identifiers with a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and the allowed identification field. The allowed identification field is used in combination with the Deny Write Access to Removable Drives Not Protected by BitLocker policy to help control the use of removable drives in the organization.
This policy must be set to Selected to use the policies Set Organizational Unique Identifiers and Set Allowed Organizational Unique Identifiers.
Set Organizational Unique Identifiers
Value: Up to 260 characters
The identification field allows you to associate a unique organizational identifier with BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the Manage-BDE command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
To use this policy, Enable Organizational Unique Identifiers must be set to Selected.
Set Allowed Organizational Unique Identifiers
Value: Up to 260 characters
The allowed identification field is used in combination with the Deny Write Access to Removable Drives Not Protected by BitLocker policy to help control the use of removable drives in the organization. It is a comma separated list of identification fields from your organization or other external organizations.
To use this policy, Enable Organizational Unique Identifiers must be set to Selected.
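The three identifier policies above (Enable, Set, and Set Allowed Organizational Unique Identifiers) and the drive-side matching they rely on can be exercised with the following PowerShell, which is an added example and not code from the reference guide or its vendor. It assumes the policies map to the registry values IdentificationField (DWORD, 1 = enabled), IdentificationFieldString and SecondaryIdentificationField (the allowed list) under HKLM:\SOFTWARE\Policies\Microsoft\FVE; that the identification field of an encrypted drive can be read from the "Identification Field:" line of manage-bde -status output; and that the allowed-list comparison ignores surrounding whitespace and letter case (the exact matching rule is not documented on this page). The function names, the sample manage-bde output and the organisation names are constructed for the example.

```powershell
# Added example (not the vendor's code): configure the organizational
# identifier policies, read a drive's identification field, and evaluate
# the allowed-list check used with Deny Write Access to Removable Drives.
# Registry value names below are assumed, see lead-in.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerOrgIdentifiers {
    param(
        [Parameter(Mandatory)][string]$IdentificationField,
        [string[]]$AllowedIdentificationFields = @()
    )
    # Both fields are limited to 260 characters by the policy; refuse
    # values that would be silently truncated or rejected.
    $allowed = $AllowedIdentificationFields -join ','
    foreach ($f in @($IdentificationField, $allowed)) {
        if ($f.Length -gt 260) { throw "Identification field longer than 260 characters: $f" }
    }
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    # Enable Organizational Unique Identifiers = Selected
    New-ItemProperty -Path $FvePolicyKey -Name 'IdentificationField' -PropertyType DWord -Value 1 -Force | Out-Null
    # Set Organizational Unique Identifiers
    New-ItemProperty -Path $FvePolicyKey -Name 'IdentificationFieldString' -PropertyType String -Value $IdentificationField -Force | Out-Null
    # Set Allowed Organizational Unique Identifiers (comma separated)
    New-ItemProperty -Path $FvePolicyKey -Name 'SecondaryIdentificationField' -PropertyType String -Value $allowed -Force | Out-Null
}

function Get-DriveIdentificationField {
    # Reads the "Identification Field:" line from manage-bde -status.
    # Pass -StatusText to parse previously captured output offline.
    param(
        [string]$Drive = 'C:',
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = & manage-bde.exe -status $Drive }
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Identification Field:\s*(.*?)\s*$') {
            $value = $Matches[1]
            # manage-bde prints a placeholder when no field is set (assumed
            # to be 'None' or 'Unknown' here); treat both as absent.
            if ($value -in @('', 'None', 'Unknown')) { return $null }
            return $value
        }
    }
    return $null
}

function Test-IdentificationFieldAllowed {
    # $true when the drive's field equals our own identification field or
    # one entry of the comma separated allowed list. A drive with no field
    # never matches, which is what makes the deny policy bite.
    param(
        [string]$DriveField,
        [Parameter(Mandatory)][string]$OwnField,
        [string]$AllowedList = ''
    )
    if ([string]::IsNullOrWhiteSpace($DriveField)) { return $false }
    $candidates = @($OwnField) + ($AllowedList -split ',')
    foreach ($c in $candidates) {
        $trimmed = $c.Trim()
        if ($trimmed -ne '' -and $trimmed -ieq $DriveField.Trim()) { return $true }
    }
    return $false
}

# Constructed sample of manage-bde -status output (not captured from a real host).
$sample = @'
BitLocker Drive Encryption: Configuration Tool
Volume E: [USB]
[Data Volume]
    Size:                 14.91 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128 with Diffuser
    Identification Field: contoso-corp
'@ -split "`r?`n"

$driveField = Get-DriveIdentificationField -Drive 'E:' -StatusText $sample
Test-IdentificationFieldAllowed -DriveField $driveField -OwnField 'example-org' -AllowedList 'contoso-corp, fabrikam'
Test-IdentificationFieldAllowed -DriveField 'unknown-org' -OwnField 'example-org' -AllowedList 'contoso-corp, fabrikam'
```

With the sample above the first Test-IdentificationFieldAllowed call returns True (contoso-corp is on the allowed list) and the second returns False. Drives encrypted before the identification field was configured carry no field; as the policy text notes, they can be stamped afterwards with the Manage-BDE tool (manage-bde -SetIdentifier E: applies the configured IdentificationFieldString), otherwise they will fail this check once the deny policy is in force.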
Prevent Memory Overwrite on Restart
Default: Not Selected
Options: Not Selected, Selected
When Selected, memory is not overwritten when the computer restarts. This may improve restart performance, but it increases the risk of exposing BitLocker secrets that remain in RAM to an attacker with physical access to the machine. When Not Selected, BitLocker secrets are removed from memory when the computer restarts.
Enable Smart
Not Selected
Selected