If you select 'Backup recovery password only', only the recovery password is stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select 'Backup recovery password and key package', both the BitLocker recovery password and key package are stored in AD DS. In 'Save BitLocker recovery information to Active Directory Domain Services' choose which BitLocker recovery information to store in AD DS for fixed data drives. This means that you will not be able to specify which recovery option to use when you enable BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Select 'Omit recovery options from the BitLocker setup wizard' to prevent users from specifying recovery options when they enable BitLocker on a drive. In 'Configure user storage of BitLocker recovery information' select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding Data Recovery Agents. Before a Data Recovery Agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. The 'Allow data recovery agent' check box is used to specify whether a Data Recovery Agent can be used with BitLocker-protected fixed data drives. This policy setting is applied when you turn on BitLocker. Information This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.
0 kommentar(er)
