Policy
Configure use of hardware-based encryption for removable data drives
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows8, WindowsServer2012
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability. Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVHardwareEncryption | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Restrict crypto algorithms or cipher suites to the following: ID RDVAllowedAlgos | text | HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowedHardwareEncryptionAlgorithms Type REG_SZ | None |
Use BitLocker software-based encryption when hardware encryption is not available ID RDVUseSW | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVAllowSoftwareEncryptionFailover Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption ID RDVRestrictAlgos | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVRestrictHardwareEncryptionAlgorithms Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow access to BitLocker-protected removable data drives from earlier versions of WindowsAt least Windows Server 2008 R2 or Windows 7 through Windows Server 2022 or Windows 11 Version 22H2
- ComputerChoose how BitLocker-protected removable drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure use of passwords for removable data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure use of smart cards on removable data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerControl use of BitLocker on removable drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerDeny write access to removable drives not protected by BitLockerAt least Windows Server 2008 R2 or Windows 7
- ComputerEnforce drive encryption type on removable data drivesAt least Windows Server 2012 or Windows 8