Policy
Use enhanced Boot Configuration Data validation profile
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or both. If you disable this policy setting, the computer will revert to a BCD profile similar to the default BCD profile used by Windows 7. If you do not configure this policy setting, the computer will verify the default Windows BCD settings. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the "Allow Secure Boot for integrity validation" group policy, the "Use enhanced Boot Configuration Data validation profile" group policy is ignored. The setting that controls boot debugging (0x16000010) will always be validated and will have no effect if it is included in the provided fields.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\FVE\OSUseEnhancedBcdProfile | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
EnhancedBcdProfile_AdditionalSecurityCriticalSettings ID EnhancedBcdProfile_AdditionalSecurityCriticalSettings | list | HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalSecurityCriticalSettings Type REG_MULTI_SZ | None |
EnhancedBcdProfile_AdditionalExcludedSettings ID EnhancedBcdProfile_AdditionalExcludedSettings | list | HKLM\Software\Policies\Microsoft\FVE\OSBcdAdditionalExcludedSettings Type REG_MULTI_SZ | None |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.At least Windows Server 2016, Windows 10 Version 1703
- ComputerAllow enhanced PINs for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow network unlock at startupAt least Windows Server 2012 or Windows 8
- ComputerAllow Secure Boot for integrity validationAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose how BitLocker-protected operating system drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure minimum PIN length for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure pre-boot recovery message and URLAt least Windows Server 2016 or Windows 10
- ComputerConfigure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerConfigure TPM platform validation profile for BIOS-based firmware configurationsAt least Windows Server 2012 or Windows 8
- ComputerConfigure TPM platform validation profile for native UEFI firmware configurationsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of hardware-based encryption for operating system drivesAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of passwords for operating system drivesAt least Windows Server 2012 or Windows 8