@@ -479,7 +479,7 @@ This policy controls how non-TPM based systems utilize the password protector. U
Conflicts |
Passwords cannot be used if FIPS-compliance is enabled.
- NoteThe System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
+ NoteThe System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, specifies whether FIPS-compliance is enabled.
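Review bot: the comma added after the policy path is correct, but the run-together "NoteThe" at the start of the edited line is left as it was; since the line is being touched anyway, separate the callout label from the sentence (for example "Note: The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, ...") so the cell reads as a labelled note rather than a typo.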
@@ -499,22 +499,22 @@ This policy controls how non-TPM based systems utilize the password protector. U
**Reference**
-If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
+If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled.
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
+When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate the adherence of the complexity to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:
- Allow password complexity
-- Do not allow password complexity
+- Deny password complexity
- Require password complexity
### Require additional authentication at startup (Windows Server 2008 and Windows Vista)
-This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
+This policy setting is used to determine the unlock options that would be made available for computers running Windows Server 2008 or Windows Vista.
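Review bot: the last bullet renames the option from "Do not allow password complexity" to "Deny password complexity", which no longer matches the option name the preceding paragraph still uses (**Do not allow complexity**); these bullets reproduce the labels shown in the policy editor, so keep the original bullet text. Also in this hunk: "must be also enabled" should read "must also be enabled"; "validate the adherence of the complexity to the rules set by the policy" is harder to read than the original "validate that the complexity adheres to the rules set by the policy"; "Group Policy" is the name of the feature and should keep its capitals; and "determine the unlock options that would be made available" adds words to "control what unlock options are available" without adding precision.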
@@ -540,7 +540,7 @@ This policy setting is used to control what unlock options are available for com
Conflicts |
-If you choose to require an additional authentication method, other authentication methods cannot be allowed. |
+If you choose to make an additional authentication method mandatory, other authentication methods cannot be allowed. |
When enabled |
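Review bot: "make an additional authentication method mandatory" says the same thing as "require an additional authentication method" in more words; the original wording is preferable here, and the same applies to the other "require" to "make ... mandatory" substitutions in this patch, several of which paraphrase check-box labels that literally begin with "Require".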
@@ -555,7 +555,7 @@ This policy setting is used to control what unlock options are available for com
Reference
-On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
+On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits.
A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
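Review bot: replacing "require" with "prompt" in the Reference paragraph changes the meaning. When the policy requires a startup key or PIN, the computer does not merely prompt for it; it will not start the operating system without it. Keep "it can require users to insert a USB drive" and "it can also require users to enter ... PIN". The rewording of the PIN length ("a startup PIN with a length between 6 and 20 digits") is fine.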
@@ -608,7 +608,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
+Smart cards can be used to authenticate user access to the drive. You can make smart card authentication mandatory by selecting the Require use of smart cards on fixed data drives check box. |
When disabled |
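Review bot: the check box is named "Require use of smart cards on fixed data drives", so "You can require smart card authentication by selecting ..." mirrors the label the reader will see; "make smart card authentication mandatory" adds words without adding clarity. Suggest dropping this change.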
@@ -623,7 +623,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
Reference
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
+>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive which is done by using any of the protectors that are available on the drive.
### Configure use of passwords on fixed data drives
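Review bot: "BitLocker allows unlocking a drive which is done by using any of the protectors" is ungrammatical and less clear than the original; revert to "BitLocker allows unlocking a drive by using any of the protectors that are available on the drive", which also matches the identical note kept unchanged in the fixed-data-drive password section below.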
@@ -657,7 +657,7 @@ This policy setting is used to require, allow, or deny the use of passwords with
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
+Users can configure a password that meets the requirements you define. To make the use of a password mandatory, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
When disabled |
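Review bot: "To make the use of a password mandatory, select Require password for fixed data drive" reads awkwardly against the option label it refers to; keep "To require the use of a password, select Require password for fixed data drive".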
@@ -682,10 +682,10 @@ Passwords must be at least 8 characters. To configure a greater minimum length f
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled.
+For the complexity requirement setting to be effective, the group policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled.
This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive.
-Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
+Enabling this policy setting requires a connectivity to be established to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time during which they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
>**Important:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
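Review bot: "requires a connectivity to be established to a domain" is ungrammatical ("connectivity" is uncountable and takes no article); the original "requires that connectivity to a domain be established" was correct and clearer, so revert that sentence. Lowercasing "Group Policy" in the first changed line is also a regression: it is the feature name, and the bold policy path on the same line is the reader's cue that a Group Policy setting is meant. "schedule a time during which they will be connected" is an acceptable but unnecessary change.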
@@ -721,7 +721,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
+Smart cards can be used to authenticate user access to the drive. You can make smart card authentication mandatory by selecting the Require use of smart cards on removable data drives check box. |
When disabled or not configured |
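Review bot: as with the fixed-data-drive row, the check box is literally named "Require use of smart cards on removable data drives", so "You can require smart card authentication by selecting ..." is the clearer wording; suggest reverting this hunk.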
@@ -766,11 +766,11 @@ This policy setting is used to require, allow, or deny the use of passwords with
Conflicts |
-To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
+To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, must also be enabled. |
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
+Users can configure a password that meets the requirements you define. To make the use of a password mandatory, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
When disabled |
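Review bot: the comma after the policy path in the Conflicts row is a good fix. The "make the use of a password mandatory" rewording in the When enabled row is not an improvement over "require the use of a password", since the option it points to is literally "Require password for removable data drive"; suggest keeping only the comma change.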
@@ -785,14 +785,14 @@ This policy setting is used to require, allow, or deny the use of passwords with
Reference
-If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
-**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
+If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at
+**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled.
>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
-When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password.
+When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password.
When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector.
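Review bot: "complexity the password" to "complexity of the password" is a correct fix. Lowercasing "Group Policy" is not; it is the feature name and should keep its capitals. Since both lines of the first sentence are being touched, also join the sentence so the bold policy path sits on the same line as "which is located at" instead of being split mid-sentence.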
@@ -804,7 +804,7 @@ For information about this setting, see [System cryptography: Use FIPS-compliant
### Validate smart card certificate usage rule compliance
-This policy setting is used to determine what certificate to use with BitLocker.
+This policy setting is used to determine the certificate that is to be used with BitLocker.
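Review bot: "determine the certificate that is to be used with BitLocker" is a wordier version of "determine what certificate to use with BitLocker" with no gain in precision; suggest leaving the original.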
@@ -851,7 +851,7 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific
The default object identifier is 1.3.6.1.4.1.311.67.1.1.
->**Note:** BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
+>**Note:** BitLocker does not make it mandatory for a certificate to have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
### Enable use of BitLocker authentication requiring preboot keyboard input on slates
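Review bot: "does not make it mandatory for a certificate to have an EKU attribute" is harder to read than "does not require that a certificate have an EKU attribute"; revert. The substantive part of the note, that an EKU that is present must match the object identifier configured for BitLocker (default 1.3.6.1.4.1.311.67.1.1 per the context line above), is unchanged.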
@@ -889,14 +889,14 @@ This policy setting allows users to enable authentication options that require u
When disabled or not configured |
-The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. |
+The Windows Recovery Environment must be enabled on tablets to support keying in of the BitLocker recovery password. |
Reference
-The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
+The Windows touch keyboard (used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
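Review bot: "support keying in of the BitLocker recovery password" is awkward; "support entering the BitLocker recovery password" was clearer. Changing "(such as used by tablets)" to "(used by tablets)" also narrows the statement to tablets only, whereas the point of the section is any device that lacks a physical keyboard in the preboot environment; keep "such as".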
@@ -910,7 +910,7 @@ If you do not enable this policy setting, the following options in the **Require
### Deny write access to fixed drives not protected by BitLocker
-This policy setting is used to require encryption of fixed drives prior to granting Write access.
+This policy setting is used to make encryption of fixed drives mandatory prior to granting Write access.
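Review bot: "make encryption of fixed drives mandatory prior to granting Write access" is the same statement as "require encryption of fixed drives prior to granting Write access" in more words; prefer the original.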
@@ -965,7 +965,7 @@ Conflict considerations include:
### Deny write access to removable drives not protected by BitLocker
-This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access.
+This policy setting is used to make it mandatory for removable drives to be encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access.
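Review bot: "make it mandatory for removable drives to be encrypted" says no more than "require that removable drives are encrypted" and lengthens an already long sentence; prefer the original.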
@@ -1118,9 +1118,9 @@ This policy setting is used to control the encryption method and cipher strength
The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
-If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
+If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives, individually.
For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
-For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later.
+For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511, or later.
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
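Review bot: both added commas are spurious. "for fixed data drives, operating system drives, and removable data drives individually" needs no comma before "individually", and "Windows 10, version 1511 or later" is the standard form of the version reference; "version 1511, or later" reads as if "or later" were a separate alternative to Windows 10. Suggest dropping this hunk.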
@@ -1140,7 +1140,7 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption. |
+With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which encryption algorithms BitLocker can use with hardware-based encryption. |
Introduced |
@@ -1164,7 +1164,7 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
When disabled |
-BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
+BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive is encrypted. |
When not configured |
@@ -1219,7 +1219,7 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
When disabled |
-BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
+BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive is encrypted. |
When not configured |
@@ -1230,11 +1230,11 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
Reference
-If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
+If hardware-based encryption is not available, BitLocker software-based encryption is used, instead.
>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
+The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OIDs), for example:
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
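Review bot: the comma in "software-based encryption is used, instead." is unnecessary; sentence-final "instead" takes no comma, so keep the original. The "(OID)" to "(OIDs)" change is correct, since the sentence refers to identifiers in the plural and two of them follow.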
@@ -1275,7 +1275,7 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
When disabled |
-BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
+BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive is encrypted. |
When not configured |
@@ -1286,18 +1286,18 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
Reference
-If hardware-based encryption is not available, BitLocker software-based encryption is used instead.
+If hardware-based encryption is not available, BitLocker software-based encryption is used, instead.
>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
+The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OIDs), for example:
- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
### Enforce drive encryption type on fixed data drives
-This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
+This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so that no encryption selection displays to the user.
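Review bot: same comma issue as in the operating-system-drive section: "is used, instead." should stay "is used instead." The "(OIDs)" change and the "so that no encryption selection displays to the user" rewording are fine.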
@@ -1331,14 +1331,14 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
+The BitLocker Setup Wizard asks the users to select the encryption type before they can turn on BitLocker. |
Reference
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
>**Note:** This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
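Review bot: "asks the users to select the encryption type before they can turn on BitLocker" subtly changes the meaning: the wizard asks during the turn-on process, it does not gate whether the user is allowed to turn BitLocker on, so the original "asks the user to select the encryption type before turning on BitLocker" is the accurate one. In the Reference row, "make it mandatory to encrypt only that portion of the drive that is used to store data" is longer and no clearer than "require that only the portion of the drive that is used to store data is encrypted"; revert both.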
@@ -1346,7 +1346,7 @@ For more information about the tool to manage BitLocker, see [Manage-bde](https:
### Enforce drive encryption type on operating system drives
-This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
+This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so that no encryption selection displays to the user.
@@ -1380,14 +1380,14 @@ This policy controls whether operating system drives utilize Full encryption or
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
+The BitLocker Setup Wizard asks the users to select the encryption type before they can turn on BitLocker. |
Reference
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
>**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
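Review bot: the When disabled row should keep "asks the user to select the encryption type before turning on BitLocker"; "before they can turn on BitLocker" implies a gate that does not exist, the prompt is simply a step of the wizard. The Reference row rewording ("make it mandatory for the entire drive to be encrypted", "make it mandatory to encrypt only that portion") is wordier than the original "require that ..." phrasing with no gain; revert.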
@@ -1395,7 +1395,7 @@ For more information about the tool to manage BitLocker, see [Manage-bde](https:
### Enforce drive encryption type on removable data drives
-This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
+This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so that no encryption selection displays to the user.
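Review bot: this line still says "fixed data drives" under the heading "Enforce drive encryption type on removable data drives"; since the sentence is being edited, correct it to "removable data drives" (the hunk header at -1429 shows the same wrong wording carried into the section's context). The "so that no encryption selection displays to the user" change itself is fine.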
@@ -1429,14 +1429,14 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
+The BitLocker Setup Wizard asks the users to select the encryption type before they can turn on BitLocker. |
Reference
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
+This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
>**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.
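Review bot: same two points as the fixed-data-drive and operating-system-drive sections: keep "asks the user to select the encryption type before turning on BitLocker" (the wizard prompt is a step, not a gate), and keep the original "require that ..." phrasing in the Reference row instead of "make it mandatory ...". Suggest dropping this hunk.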
@@ -1475,7 +1475,7 @@ This policy setting is used to configure recovery methods for operating system d
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
+You can control the methods that are available for users to recover data from BitLocker-protected operating system drives. |
When disabled or not configured |
@@ -1497,7 +1497,7 @@ In **Configure user storage of BitLocker recovery information**, select whether
Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
|
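Review bot: "supports the recovery of data from a drive that is physically corrupted" is a nominalized form of "supports recovering data from a drive that is physically corrupted" with no gain in clarity; suggest leaving the original sentence as it was.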