DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 947249 - Last Review: August 7, 2012 - Revision: 1.4

On This Page

INTRODUCTION

In Windows Vista, Windows Server 2008, Windows 7 and in Windows Server 2008 R2, the key derivation algorithm used with the recovery password for Windows BitLocker Drive Encryption is not Federal Information Processing Standards (FIPS)-compliant. Therefore, you may encounter the following issues when the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting is enabled.

Issue 1

When you manually add a recovery password at a command prompt, you receive the following error message:
The numerical password was not added. The FIPS Group Policy setting on the computer prevents recovery password creation.

Issue 2

When you try to encrypt a drive on which BitLocker recovery passwords are required, you cannot encrypt the drive as expected. Additionally, you receive the following error message:
Cannot Encrypt Disk. Policy requires a password which is not allowed with the current security policy about use of FIPS algorithms.

Issue 3

When you encrypt a drive, a recovery key is created, but no recovery password is created as a key protector.

Issue 4

A recovery password is not archived in the Active Directory directory service.

More information

A BitLocker recovery password has 48 digits. This password is used in a key derivation algorithm that is not FIPS-compliant. Therefore, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, you cannot create or unlock a drive by using a recovery password. In contrast, a BitLocker recovery key is an AES key that does not require a key derivation algorithm to be performed upon it and is FIPS-compliant. Therefore, a recovery key is not affected by this Group Policy setting.

To disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, follow these steps:
  1. Click Start, type gpedit.msc in the Start Search box, and then click OK.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. In the details pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, click Disable, and then, click OK.

    Note This Group Policy setting may be configured by an administrator to be automatically applied from a domain controller. In this situation, you cannot disable this setting locally.

Applies to
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 for Itanium-Based Systems
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 for Itanium-Based Systems
Keywords: 
kbexpertiseadvanced kbinfo KB947249
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support