Require additional authentication at startup (Windows Server 2008 and Windows Vista)

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on: Windows Server 2008 and Windows Vista

Supported OS tags: WindowsServer2008, WindowsVista

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.

Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN).

A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.

If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

Internal name: ConfigureStartupUsage_Name
Policy ID: b36318a84679
Elements: 3

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

Element 1: Configure TPM startup key
Scope: Computer
ID: ConfigureTPMStartupKeyUsageDropDown_Name
Type: enum
Registry mapping: SOFTWARE\Policies\Microsoft\FVE, value name UsePartialEncryptionKey (REG_DWORD)
Options: Allow startup key with TPM (2), Require startup key with TPM (1), Do not allow startup key with TPM (0)

Element 2: Configure TPM startup PIN
Scope: Computer
ID: ConfigurePINUsageDropDown_Name
Type: enum
Registry mapping: SOFTWARE\Policies\Microsoft\FVE, value name UsePIN (REG_DWORD)
Options: Allow startup PIN with TPM (2), Require startup PIN with TPM (1), Do not allow startup PIN with TPM (0)

Element 3: Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Scope: Computer
ID: ConfigureNonTPMStartupKeyUsage_Name
Type: boolean
Registry mapping: SOFTWARE\Policies\Microsoft\FVE, value name EnableNonTPM (REG_DWORD)
Options: true (1), false (0)
Behavior: True sets value = 1; False sets value = 0
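The following PowerShell script is an added example for auditing the three registry values listed above; it is not part of this policy reference and not Microsoft's code. It assumes the values are written under HKLM (the Computer scope of this policy) and that it runs under PowerShell 3.0 or later (for [pscustomobject]); the option labels used to decode each DWORD are taken from the element descriptions on this page.

```powershell
# Added example (not from the policy reference): read and decode the registry
# values mapped by this policy's three elements, then flag the states a
# reviewer cares about. Assumption: computer-scope policy lives under HKLM.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value -> meaning, copied from the Options lines of each policy element.
$Decoders = @{
    UsePartialEncryptionKey = @{
        2 = 'Allow startup key with TPM'
        1 = 'Require startup key with TPM'
        0 = 'Do not allow startup key with TPM'
    }
    UsePIN = @{
        2 = 'Allow startup PIN with TPM'
        1 = 'Require startup PIN with TPM'
        0 = 'Do not allow startup PIN with TPM'
    }
    EnableNonTPM = @{
        1 = 'true (BitLocker allowed without a compatible TPM)'
        0 = 'false (compatible TPM required)'
    }
}

function Get-BitLockerStartupPolicy {
    # Returns one object per policy element: raw DWORD plus its decoded label.
    # A missing key or value is reported as "Not configured" rather than as 0,
    # because an absent value is not the same state as an explicit 0.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Decoders.Keys) {
        $raw = $null
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$name]) {
            $raw = [int]$props.$name
        }
        $label = if ($null -eq $raw) { 'Not configured (policy not applied or value absent)' }
                 elseif ($Decoders[$name].ContainsKey($raw)) { $Decoders[$name][$raw] }
                 else { "Unknown value $raw (outside the documented options)" }
        [pscustomobject]@{
            ValueName = $name
            RawValue  = $raw
            Meaning   = $label
        }
    }
}

$state = Get-BitLockerStartupPolicy
$state | Format-Table -AutoSize

# Findings derived from the policy description above:
# - EnableNonTPM = 1: the OS drive's key material may live solely on a USB startup key.
# - Startup key and PIN both set to 0: no second factor can be configured at startup.
$byName = @{}
foreach ($s in $state) { $byName[$s.ValueName] = $s.RawValue }

if ($byName.EnableNonTPM -eq 1) {
    Write-Warning 'EnableNonTPM=1: BitLocker may run without a TPM; data is protected only by the USB startup key.'
}
if ($byName.UsePartialEncryptionKey -eq 0 -and $byName.UsePIN -eq 0) {
    Write-Warning 'Both startup key and startup PIN disallowed: TPM-only protection at startup.'
}
if ($byName.UsePartialEncryptionKey -eq 1 -or $byName.UsePIN -eq 1) {
    Write-Output 'An additional authentication factor is required at startup.'
}
```

Run it from an elevated prompt on the target machine (or against an offline hive loaded under a different root by changing $PolicyKey). Because the page states that enabled and disabled states set no registry values of their own, the three element values are the only registry evidence of this policy, so a fully absent key is reported as "Not configured" for every element.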