Policy selection for ADMX packs

Policy overview

Key metadata and intent for this policy.

ClassComputer

CategoryWindows Components > BitLocker Drive Encryption > Operating System Drives

Supported onWindows Server 2008 and Windows Vista

Supported OS tags: WindowsServer2008, WindowsVista

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker. Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista. On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN). A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive. If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM. If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

Internal name

ConfigureStartupUsage_Name

Policy ID

b36318a84679

Elements

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

Element	Type	Registry mapping	Constraints & behavior
Configure TPM startup key: ID ConfigureTPMStartupKeyUsageDropDown_Name	enum	HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey Type REG_DWORD	Options: Allow startup key with TPM (2), Require startup key with TPM (1), Do not allow startup key with TPM (0)
Configure TPM startup PIN: ID ConfigurePINUsageDropDown_Name	enum	HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN Type REG_DWORD	Options: Allow startup PIN with TPM (2), Require startup PIN with TPM (1), Do not allow startup PIN with TPM (0)
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) ID ConfigureNonTPMStartupKeyUsage_Name	boolean	HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM Type REG_DWORD	Options: true (1), false (0) True: Set value = 1 · False: Set value = 0

Other policies in this category

Explore related policies at the same level.

View all policies in this category