Policy
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant hardware. If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. If this policy is not enabled, the options of "Require additional authentication at startup" policy apply.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\FVE\OSEnablePreBootPinExceptionOnDECapableDevice | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerAllow enhanced PINs for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow network unlock at startupAt least Windows Server 2012 or Windows 8
- ComputerAllow Secure Boot for integrity validationAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose how BitLocker-protected operating system drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure minimum PIN length for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure pre-boot recovery message and URLAt least Windows Server 2016 or Windows 10
- ComputerConfigure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerConfigure TPM platform validation profile for BIOS-based firmware configurationsAt least Windows Server 2012 or Windows 8
- ComputerConfigure TPM platform validation profile for native UEFI firmware configurationsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of hardware-based encryption for operating system drivesAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of passwords for operating system drivesAt least Windows Server 2012 or Windows 8
- ComputerDisallow standard users from changing the PIN or passwordAt least Windows Server 2012 or Windows 8