This repository has been archived by the owner on Jun 3, 2021. It is now read-only.

change to correct policy
iadgovuser1 committed Jul 24, 2019
1 parent 2ac2724 commit 07c311a
Showing 2 changed files with 14 additions and 9 deletions.
12 changes: 8 additions & 4 deletions BitLockerPolicies.csv
Expand Up @@ -5,13 +5,17 @@ Computer Configuration > System > Device Installation > Device Installation Rest
Computer Configuration > System > Device Installation > Device Installation Restrictions,Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes:,Enabled, ,HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,1,Windows Vista+,Windows Server 2008+,Yes
Computer Configuration > System > Power Management > Sleep Settings,Allow standby states (S1-S3) when sleeping (on battery),Disabled, ,HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,0,Windows Vista+,Windows Server 2008+,Yes
Computer Configuration > System > Power Management > Sleep Settings,Allow standby states (S1-S3) when sleeping (plugged in),Disabled, ,HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,0,Windows Vista+,Windows Server 2008+,Yes
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista), Enabled, ,HKLM\Software\Policies\Microsoft\FVE,ActiveDirectoryBackup,1,Windows Vista+,Windows Server 2008+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Require BitLocker backup to AD DS,Enabled, ,HKLM\Software\Policies\Microsoft\FVE,RequireActiveDirectoryBackup,1,Windows Vista+,Windows Server 2008+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Select BitLocker recovery information to store,Enabled,Recovery passwords only,HKLM\Software\Policies\Microsoft\FVE,RequireActiveDirectoryBackup,1,Windows Vista+,Windows Server 2008+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Choose how BitLocker-protected operating system drives can be recovered, Enabled, ,HKLM\Software\Policies\Microsoft\FVE,OSRecovery,1,Windows 7+,Windows Server 2008 R2+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Choose how BitLocker-protected operating system drives can be recovered > Save BitLocker recovery information to AD DS for operating system drives, ,Save BitLocker recovery information to AD DS for operating system drives,HKLM\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,1,Windows 7+,Windows Server 2008 R2+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Choose how BitLocker-protected operating system drives can be recovered > Configure storage of BitLocker recovery information to AD DS, ,Store recovery passwords and key packages,HKLM\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,1,Windows 7+,Windows Server 2008 R2+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Choose how BitLocker-protected operating system drives can be recovered > Do not enable BitLocker until recovery information is stored in AD DS for operating system drives, ,Do not enable BitLocker until recovery information is stored in AD DS for operating system drives,HKLM\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,1,Windows 7+,Windows Server 2008 R2+,Yes (domain joined systems only)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives,Enabled,XTS-AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,7,Windows 10 1511+,Windows Server 2016+,Yes
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives,Enabled,XTS-AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,7,Windows 10 1511+,Windows Server 2016+,No
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives,Enabled,XTS-AES 256-bit *or* AES-CBC 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,4 *or* 7,Windows 10 1511+,Windows Server 2016+,No
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,"Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) > Select encryption method",Enabled,AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodNoDiffuser,4,Windows 8 - Windows 10 1507,Windows Server 2012 - Windows Server 2012 R2,Yes
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,"Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method",Enabled,AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethod,2,Windows Vista - Windows 7,Windows Server 2008 - Windows Server 2008 R2,Yes
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Disable new DMA devices when this computer is locked,Enabled, ,HKLM\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,1,Windows 10 1703+,N/A,Yes
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Allow Secure Boot for integrity validation,Enabled *or* Not Configured, ,HKLM\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity *or* not exist,1 *or* not exist,Windows 8+,Windows Server 2012+,No
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives,Allow Secure Boot for integrity validation,Enabled *or* Not Configured, ,HKLM\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity *or* not exist,1 *or* not exist,Windows 8+,Windows Server 2012+,No

Choose how BitLocker-protected operating system drives can be recovered
Save BitLocker recovery information to AD DS for operating system drives
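Review bot: the last three lines of this hunk (an empty line, then the bare strings `Choose how BitLocker-protected operating system drives can be recovered` and `Save BitLocker recovery information to AD DS for operating system drives`) are not CSV rows: they carry no column separators, so anything that parses BitLockerPolicies.csv will read them as one-field records. The rendered page drops the +/- markers, so if they are leftovers being removed this is fine; if they are additions, delete them. The four new `Operating System Drives` rows also leave the Enabled/Disabled column empty and repeat the sub-setting name in the option column (`, ,Save BitLocker recovery information to AD DS for operating system drives,`); every other row puts `Enabled` there, so fill it in the same way and leave the option column blank for the checkbox sub-settings (keeping only the dropdown choice `Store recovery passwords and key packages` where it applies). Two consistency points on the Vista/2008-era rows, if they survive: `Select BitLocker recovery information to store` reuses `RequireActiveDirectoryBackup,1` from the row above, which is the value for `Require BitLocker backup to AD DS`, not for the dropdown (check the ADMX; that dropdown is backed by its own value, `ActiveDirectoryInfoToStore`), and it says `Recovery passwords only` while the new OS-drive row says `Store recovery passwords and key packages`, so the two policies disagree on whether key packages are escrowed. Finally, the `Allow Secure Boot for integrity validation` row appears twice with identical content; unless that is a whitespace-only change hidden by the rendering, drop the duplicate.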
11 changes: 6 additions & 5 deletions README.md
Expand Up @@ -40,11 +40,12 @@ NSA Cybersecurity recommends using the newest BitLocker settings in the Microsof
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClassesRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | DCSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | ACSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) | Enabled | | HKLM\Software\Policies\Microsoft\FVE,ActiveDirectoryBackup | 1 | Windows Vista+ | Windows Server 2008+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Require BitLocker backup to AD DS | Enabled | | HKLM\Software\Policies\Microsoft\FVE | RequireActiveDirectoryBackup | 1 | Windows Vista+ | Windows Server 2008+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Select BitLocker recovery information to store | Enabled | Recovery passwords only | HKLM\Software\Policies\Microsoft\FVE | RequireActiveDirectoryBackup | 1 | Windows Vista+ | Windows Server 2008+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsOs | 7 | Windows 10 1511+ | Windows Server 2016+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsFdv | 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered | Enabled | | HKLM\Software\Policies\Microsoft\FVE | OSRecovery | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Save BitLocker recovery information to AD DS for operating system drives | | Save BitLocker recovery information to AD DS for operating system drives | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Configure storage of BitLocker recovery information to AD DS | | Store recovery passwords and key packages | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryInfoToStore | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | | Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | HKLM\Software\Policies\Microsoft\FVE | OSRequireActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsOs | 7 | Windows 10 1511+ | Windows Server 2016+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsFdv | 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives | Enabled | XTS-AES 256-bit *or* AES-CBC 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsRdv | 4 *or* 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodNoDiffuser | 4 | Windows 8 - Windows 10 1507 | Windows Server 2012 - Windows Server 2012 R2 | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethod | 2 | Windows Vista - Windows 7 | Windows Server 2008 - Windows Server 2008 R2 | Yes |
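Review bot: this hunk carries both the Vista/2008 `Store BitLocker recovery information in Active Directory Domain Services` rows and the Windows 7+ `Choose how BitLocker-protected operating system drives can be recovered` rows, and the XTS-AES rows for operating system and fixed data drives appear twice (once before the recovery rows, once after); the page rendering drops the +/- markers, so if these are the removed and added sides of a replacement and a move the result is fine, but the committed table must end up with one copy of each row and, per the commit message, only the corrected policy. Whatever survives, the three Vista-era rows are malformed Markdown: the first and fifth cells are split with commas rather than `|` (`BitLocker Drive Encryption,Store BitLocker recovery information ...` and `HKLM\Software\Policies\Microsoft\FVE,ActiveDirectoryBackup`), so they render with one cell fewer than the header and the registry value name lands in the wrong column. The new OS-drive rows have the same gap as in the CSV: the state cell is empty and the option cell repeats the setting name, e.g. `| | Save BitLocker recovery information to AD DS for operating system drives |`; set the state cell to `Enabled` as on every other row. Since README.md and BitLockerPolicies.csv carry the same table, consider generating one from the other so the two cannot drift.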

0 comments on commit 07c311a