The recovery password for Windows BitLocker is not available when FIPS compliant policy is set in Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2

Article ID: 947249

INTRODUCTION

In Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, the key derivation algorithm that Windows BitLocker Drive Encryption uses with the recovery password is not Federal Information Processing Standards (FIPS)-compliant. Therefore, you may encounter the following issues when the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting is enabled.

Issue 1

When you manually add a recovery password at a command prompt, you receive the following error message:
The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation.

Issue 2

When you try to encrypt a drive on which BitLocker recovery passwords are required, you cannot encrypt the drive as expected. Additionally, you receive the following error message:
Cannot Encrypt Disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.

Issue 3

When you encrypt a drive, a recovery key is created, but no recovery password is created as a key protector.

Issue 4

A recovery password is not archived in the Active Directory directory service.

More information

A BitLocker recovery password has 48 digits. This password is fed through a key derivation algorithm that is not FIPS-compliant. Therefore, if you enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting, you cannot create a recovery password or unlock a drive by using one. In contrast, a BitLocker recovery key is an AES key that is used directly, with no key derivation step, and is FIPS-compliant. Therefore, a recovery key is not affected by this Group Policy setting.

To disable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting, follow these steps:
  1. Click Start, type gpedit.msc in the Start Search box, and then click OK.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. In the details pane, double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", click Disable, and then click OK.

    Note This Group Policy setting may be configured by an administrator to be applied automatically from a domain controller. In this situation, you cannot disable the setting locally.
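To check whether this policy is in effect on a computer and whether each BitLocker-protected volume still has a recovery password protector, the following PowerShell script is an added example and is not part of this article. It assumes that the policy is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled, that manage-bde labels the protectors "Numerical Password:" and "External Key:", and that the script is run from an elevated prompt.

```powershell
# Added example, not from the KB article. Audits the FIPS policy state and
# the BitLocker key protectors of every fixed volume on the local computer.

# Assumption: the Group Policy setting is written to this registry value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = $false
if (Test-Path $fipsKey) {
    $value = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $fipsEnabled = ($value -eq 1)
}
Write-Host ("FIPS algorithm policy enabled: {0}" -f $fipsEnabled)

# Enumerate fixed (DriveType = 3) volumes; Get-WmiObject works on PowerShell 2.0.
$volumes = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($vol in $volumes) {
    $letter = $vol.DeviceID   # e.g. "C:"

    # Ask manage-bde for the protectors; a non-zero exit code means the
    # volume is not BitLocker-protected (or could not be opened), so skip it.
    $output = & manage-bde -protectors -get $letter 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        Write-Host ("{0}: not BitLocker-protected, skipped" -f $letter)
        continue
    }

    # Assumption: manage-bde prints these labels for the two protector types.
    $hasRecoveryPassword = ($output -match 'Numerical Password:')
    $hasRecoveryKey      = ($output -match 'External Key:')

    Write-Host ("{0}: recovery password = {1}, recovery key = {2}" -f `
        $letter, $hasRecoveryPassword, $hasRecoveryKey)

    # This is the situation the article describes: with the FIPS policy on,
    # no recovery password can exist, so nothing is archived in AD for it.
    if ($fipsEnabled -and -not $hasRecoveryPassword) {
        Write-Warning ("{0}: no recovery password protector; FIPS policy blocks " +
                       "creating one. Keep the recovery key backed up." -f $letter)
    }
}
```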

Properties

Article ID: 947249 - Last Review: August 7, 2012 - Revision: 1.4
Applies to
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 for Itanium-Based Systems
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 for Itanium-Based Systems
