Configure use of hardware-based encryption for operating system drives

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability. Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

• Computer
  Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.

  At least Windows Server 2016, Windows 10 Version 1703
• Computer
  Allow enhanced PINs for startup

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Allow network unlock at startup

  At least Windows Server 2012 or Windows 8
• Computer
  Allow Secure Boot for integrity validation

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Choose how BitLocker-protected operating system drives can be recovered

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure minimum PIN length for startup

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure pre-boot recovery message and URL

  At least Windows Server 2016 or Windows 10
• Computer
  Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

  Windows Server 2008, Windows 7, and Windows Vista
• Computer
  Configure TPM platform validation profile for BIOS-based firmware configurations

  At least Windows Server 2012 or Windows 8
• Computer
  Configure TPM platform validation profile for native UEFI firmware configurations

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Configure use of passwords for operating system drives

  At least Windows Server 2012 or Windows 8
• Computer
  Disallow standard users from changing the PIN or password

  At least Windows Server 2012 or Windows 8