This policy setting allows you to manage whether the operating system drive must be encrypted or not.
For higher security, when enabled with TPM + PIN protector, you may consider disable the following policies in System/Power Management/Sleep Settings:
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Allow Standby States (S1-S3) When Sleeping (On Battery)
If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box (supported on Windows 8 or higher). In this mode a password is required for start-up. If you forget the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a 4-digit to 20-digit personal identification number (PIN).
If you enable this policy setting, the user will have to put the operation system drive under BitLocker protection and drive will be encrypted.
If you disable this policy, the user will not be able to put the operating system drive under BitLocker protection. Note that applying this policy after the operating system drive is encrypted will result in its decryption.
If you do not configure this policy, then it is not required to put the operating system drive under BitLocker protection.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
Value Name | ShouldEncryptOSDrive |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | SOFTWARE\Policies\Microsoft\FVE |
Value Name | EnableBDEWithNoTPM |
Value Type | REG_DWORD |
Default Value | 1 |
True Value | 1 |
False Value | 0 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
Value Name | OSDriveProtector |
Value Type | REG_DWORD |
Value | 1 |
Registry Hive | Registry Path: | Value Name | Value Type | Value |
---|---|---|---|---|
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | DisallowStandardUserPINReset | REG_DWORD | 1 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UsePartialEncryptionKey | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UsePIN | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseAdvancedStartup | REG_DWORD | 1 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPM | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMKey | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMPIN | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMKeyPIN | REG_DWORD | 2 |
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
Value Name | OSDriveProtector |
Value Type | REG_DWORD |
Value | 4 |
Registry Hive | Registry Path: | Value Name | Value Type | Value |
---|---|---|---|---|
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | DisallowStandardUserPINReset | REG_DWORD | 1 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UsePartialEncryptionKey | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UsePIN | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseAdvancedStartup | REG_DWORD | 1 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPM | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMKey | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMPIN | REG_DWORD | 2 |
HKEY_LOCAL_MACHINE | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement | UseTPMKeyPIN | REG_DWORD | 2 |
Settings for computers with a TPM:
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\FVE |
Value Name | MinimumPIN |
Value Type | REG_DWORD |
Default Value | 4 |
Min Value | 4 |
Max Value | 20 |