Operating system drive encryption settings
This policy setting allows you to manage whether the operating system drive must be encrypted or not.
For higher security, when enabled with TPM + PIN protector, you may consider disable the following policies in System/Power Management/Sleep Settings:
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Allow Standby States (S1-S3) When Sleeping (On Battery)
If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box (supported on Windows 8 or higher). In this mode a password is required for start-up. If you forget the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a 4-digit to 20-digit personal identification number (PIN).
If you enable this policy setting, the user will have to put the operation system drive under BitLocker protection and drive will be encrypted.
If you disable this policy, the user will not be able to put the operating system drive under BitLocker protection. Note that applying this policy after the operating system drive is encrypted will result in its decryption.
If you do not configure this policy, then it is not required to put the operating system drive under BitLocker protection.
Supported on: At least Windows 7
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | ShouldEncryptOSDrive |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
Allow BitLocker without a compatible TPM (requires a password)| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE |
| Value Name | EnableBDEWithNoTPM |
| Value Type | REG_DWORD |
| Default Value | 1 |
| True Value | 1 |
| False Value | 0 |
Select protector for operating system drive:
- TPM only
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name OSDriveProtector Value Type REG_DWORD Value 1 Registry Hive Registry Path: Value Name Value Type Value HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement DisallowStandardUserPINReset REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePartialEncryptionKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseAdvancedStartup REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPM REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMPIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKeyPIN REG_DWORD 2 - TPM and PIN
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name OSDriveProtector Value Type REG_DWORD Value 4 Registry Hive Registry Path: Value Name Value Type Value HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement DisallowStandardUserPINReset REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePartialEncryptionKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseAdvancedStartup REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPM REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMPIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKeyPIN REG_DWORD 2
Settings for computers with a TPM:
Configure minimum PIN length for startup
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE |
| Value Name | MinimumPIN |
| Value Type | REG_DWORD |
| Default Value | 4 |
| Min Value | 4 |
| Max Value | 20 |
bitlockermanagement.admx
- System
- App-V
- CEIP
- Client Coexistence
- Integration
- Publishing
- Reporting
- Scripting
- Streaming
- Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
- Certificate Filter For Client SSL
- Enable Support for BranchCache
- Location Provider
- Package Installation Root
- Package Source Root
- Reestablishment Interval
- Reestablishment Retries
- Require Publish As Admin
- Specify what to load in background (aka AutoLoad)
- Verify certificate revocation list
- Virtualization
- App-V
- Windows Components
- MDOP MBAM (BitLocker Management)
- Client Management
- Fixed Drive
- Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
- Choose how BitLocker-protected fixed drives can be recovered
- Configure use of passwords for fixed data drives
- Deny write access to fixed drives not protected by BitLocker
- Encryption Policy Enforcement Settings
- Fixed data drive encryption settings
- Operating System Drive
- Allow enhanced PINs for startup
- Choose how BitLocker-protected operating system drives can be recovered
- Configure pre-boot recovery message and URL
- Configure TPM platform validation profile for BIOS-based firmware configurations
- Configure TPM platform validation profile for native UEFI firmware configurations
- Configure TPM platform validation profile
- Configure use of passwords for operating system drives
- Encryption Policy Enforcement Settings
- Operating system drive encryption settings
- Reset platform validation data after BitLocker recovery
- Use enhanced Boot Configuration Data validation profile
- Removable Drive
- Allow access to BitLocker-protected removable data drives from earlier versions of Windows
- Choose how BitLocker-protected removable drives can be recovered
- Configure use of passwords for removable data drives
- Control use of BitLocker on removable drives
- Deny write access to removable drives not protected by BitLocker
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
- Choose drive encryption method and cipher strength.
- Prevent memory overwrite on restart
- Provide the unique identifiers for your organization
- Validate smart card certificate usage rule compliance
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Contact IT Link Text
- Contact IT URL
- Do not synchronize Windows Apps
- First Use Notification
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Settings template catalog path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Sync Unlisted Windows Apps
- Tray Icon
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- MDOP MBAM (BitLocker Management)
- Windows Components
- MDOP MBAM (BitLocker Management)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Do not synchronize Windows Apps
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications