Control 3.13.11 Information – BitLocker Setup

NIST 800-171 control 3.13.11 dictates that FIPS-validated cryptography is used when protecting the confidentiality of CUI. BitLocker is FIPS-validated, but it requires a setting before encryption that ensures that the encryption meets the standards set forth by FIPS 140-2. When encrypting devices with BitLocker, please be sure to follow the steps below to ensure that the encryption used is within parameters of control 3.13.11.

Option 1: Local Security Policy

  • Open Local Security Policy as administrator
  • Navigate to Local Policies => Security Options
  • Set System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to be Enabled
  • Then, encrypt the machine using BitLocker

Option 2: Domain Group Policy

  • Open Group Policy Management
  • Choose one of the following options:
    • To use an existing GPO to configure the necessary setting, link the _Campus-NIST800-171-FIPS-Compliant-BitLocker GPO to the OU where the computers in question reside.
    • Otherwise: Locate an existing GPO or create a new GPO, right click it, and then select Edit
      • When the Group Policy Management Editor opens, navigate to Policies => Windows Settings => Security Settings => Local Policies => Security Options
      • Locate System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and open it

      • Ensure the policy is defined and set to Enabled, and then click OK.

  • Ensure the GPO is applied to the machine to be encrypted with BitLocker.
  • Finally, encrypt the machine with BitLocker.

Special Case: Windows 7 Machine

If the machine is a Windows 7 machine, another step will need to be completed. As recovery passwords aren’t FIPS 140-2 compliant, any recovery passwords will need to be removed. This issue was resolved in Windows 8 and above. To ensure the Windows 7 machine is compliant:

  • Open CMD as an administrator
  • Run the following command:
    • manage-bde -protectors -get c:
      • Be sure to replace “c:” with the letter of the encrypted drive.
    • In the result, locate ID: under Numerical Password: and copy the value
      • Example value: {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}


  • When you have the value, run the following command to delete the recovery password:
    • manage-bde -protectors -delete c: -id {########-####-####-####-############}
      • Again, be sure to replace the drive letter as necessary.

Recovery Options

To ensure the drive is recoverable, a few options are:

Additional Information

For more information, please navigate to this link: How to Make Your Existing BitLocker Encrypted Environment FIPS Compliant