Policy
Validate smart card certificate usage rule compliance
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default object identifier is 1.3.6.1.4.1.311.67.1.1 Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker. If you enable this policy setting, the object identifier specified in the "Object identifier" box must match the object identifier in the smart card certificate. If you disable or do not configure this policy setting, a default object identifier is used.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Object identifier: ID UserCertificateOID | text | HKLM\Software\Policies\Microsoft\FVE\CertificateOID Type REG_SZ | None |
Other policies in this category
Explore related policies at the same level.
- ComputerChoose default folder for recovery passwordAt least Windows Vista
- ComputerChoose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)At least Windows Server 2016, Windows 10
- ComputerChoose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])At least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerChoose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)Windows Server 2008 and Windows Vista
- ComputerDisable new DMA devices when this computer is lockedAt least Windows Server 2016, Windows 10 Version 1703
- ComputerPrevent memory overwrite on restartWindows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008, Windows 7, and Windows Vista
- ComputerProvide the unique identifiers for your organizationAt least Windows Server 2008 R2 or Windows 7
- ComputerStore BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)Windows Server 2008 and Windows Vista