Provide the unique identifiers for your organization

This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the Manage-BDE command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.

The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.

You can configure the identification fields on existing drives by using manage-BDE.exe.

If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization.

When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.

If you disable or do not configure this policy setting, the identification field is not required.

Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

Supported on: At least Windows 7
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\FVE
Value NameIdentificationField
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

BitLocker identification field:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\FVE
Value NameIdentificationFieldString
Value TypeREG_SZ
Default Value
Allowed BitLocker identification field:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Microsoft\FVE
Value NameSecondaryIdentificationField
Value TypeREG_SZ
Default Value

bitlockermanagement.admx

Administrative Templates (Computers)

Administrative Templates (Users)