Article ID: 947249 - View products that this article applies to.
In Windows Vista, Windows Server 2008, Windows 7 and in Windows Server 2008 R2, the key derivation algorithm used with the recovery password for Windows BitLocker Drive Encryption is not Federal Information Processing Standards (FIPS)-compliant. Therefore, you may encounter the following issues when the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting is enabled.
Issue 1When you manually add a recovery password at a command prompt, you receive the following error message:
The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation.
Issue 2When you try to encrypt a drive on which BitLocker recovery passwords are required, you cannot encrypt the drive as expected. Additionally, you receive the following error message:
Cannot Encrypt Disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.
Issue 3When you encrypt a drive, a recovery key is created, but no recovery password is created as a key protector.
Issue 4A recovery password is not archived in the Active Directory directory service.
A BitLocker recovery password has 48 digits. This password is used in a key derivation algorithm that is not FIPS-compliant. Therefore, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, you cannot create or unlock a drive by using a recovery password. In contrast, a BitLocker recovery key is an AES key that does not require a key derivation algorithm to be performed upon it and is FIPS-compliant. Therefore, a recovery key is not affected by this Group Policy setting.
To disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, follow these steps:
Article ID: 947249 - Last Review: August 7, 2012 - Revision: 1.4
Contact us for more help