Require additional authentication at startup (Windows Server 2008 and Windows Vista)

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.

Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vista.

On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN).

A USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.

If you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.

If you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

Supported on: Windows Server 2008 and Windows Vista

Allow BitLocker without a compatible TPM (requires a startup key on a USB flash drive)
  Registry Hive: HKEY_LOCAL_MACHINE
  Registry Path: SOFTWARE\Policies\Microsoft\FVE
  Value Name: EnableNonTPM
  Value Type: REG_DWORD
  Default Value: 1
  True Value: 1
  False Value: 0

Settings for computers with a TPM:

Configure TPM startup key:

  1. Allow startup key with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePartialEncryptionKey
    Value Type: REG_DWORD
    Value: 2
  2. Require startup key with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePartialEncryptionKey
    Value Type: REG_DWORD
    Value: 1
  3. Do not allow startup key with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePartialEncryptionKey
    Value Type: REG_DWORD
    Value: 0

Configure TPM startup PIN:

  1. Allow startup PIN with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePIN
    Value Type: REG_DWORD
    Value: 2
  2. Require startup PIN with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePIN
    Value Type: REG_DWORD
    Value: 1
  3. Do not allow startup PIN with TPM
    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: SOFTWARE\Policies\Microsoft\FVE
    Value Name: UsePIN
    Value Type: REG_DWORD
    Value: 0

Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.

Note: Setting both the startup key and the startup PIN options to "Do not allow" hides the advanced page on a computer with a TPM.
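As an added example (not part of this policy reference), the following PowerShell script reads the three values documented above from HKLM\SOFTWARE\Policies\Microsoft\FVE on the local machine and reports the combinations this page calls out: a required startup key together with an allowed startup PIN (or the reverse), both options set to "Do not allow", and BitLocker permitted without a compatible TPM. The registry path and value names are the ones given on this page; the function names Get-FvePolicyValue and Test-FveStartupAuthPolicy are the example's own.

```powershell
# Added example, not part of the policy documentation: audit the BitLocker
# startup-authentication policy values documented above and report the
# combinations the page calls out. Assumes the key path given on the page.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# REG_DWORD values as documented for UsePartialEncryptionKey and UsePIN.
$OptionText = @{ 2 = 'Allow'; 1 = 'Require'; 0 = 'Do not allow' }

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # $null means the value is absent, i.e. the option is Not Configured.
    if (-not (Test-Path -Path $FvePath)) { return $null }
    $item = Get-ItemProperty -Path $FvePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-FveStartupAuthPolicy {
    param(
        [System.Nullable[int]]$StartupKey,  # UsePartialEncryptionKey
        [System.Nullable[int]]$StartupPin,  # UsePIN
        [System.Nullable[int]]$NonTpm       # EnableNonTPM
    )
    $describe = {
        param($v)
        if ($null -eq $v) { 'Not configured' }
        elseif ($OptionText.ContainsKey([int]$v)) { $OptionText[[int]$v] }
        else { "Unexpected value $v" }
    }
    $findings = New-Object System.Collections.Generic.List[string]

    # Page rule: requiring one method while allowing the other is a policy error.
    if ($StartupKey -eq 1 -and $StartupPin -eq 2) {
        $findings.Add('ERROR: startup key is Required but startup PIN is Allowed (policy error).')
    }
    if ($StartupPin -eq 1 -and $StartupKey -eq 2) {
        $findings.Add('ERROR: startup PIN is Required but startup key is Allowed (policy error).')
    }
    # Page note: "Do not allow" for both hides the advanced page on TPM computers.
    if ($StartupKey -eq 0 -and $StartupPin -eq 0) {
        $findings.Add('INFO: both options set to Do not allow; the advanced startup page is hidden on TPM computers.')
    }
    # Page: without a TPM, encrypted data is protected solely by the USB startup key.
    if ($NonTpm -eq 1) {
        $findings.Add('INFO: BitLocker is allowed without a compatible TPM; such volumes rely solely on the USB startup key.')
    }
    if ($findings.Count -eq 0) {
        $findings.Add('OK: no conflicting startup authentication settings found.')
    }

    # EnableNonTPM defaults to 1 when the value is absent (per the page).
    $nonTpmText = 'Not configured (default 1)'
    if ($null -ne $NonTpm) { $nonTpmText = if ($NonTpm -eq 1) { 'True' } else { 'False' } }

    [pscustomobject]@{
        StartupKeyWithTpm = & $describe $StartupKey
        StartupPinWithTpm = & $describe $StartupPin
        AllowWithoutTpm   = $nonTpmText
        Findings          = $findings.ToArray()
    }
}

# Audit the local machine's policy values.
$result = Test-FveStartupAuthPolicy `
    -StartupKey (Get-FvePolicyValue -Name 'UsePartialEncryptionKey') `
    -StartupPin (Get-FvePolicyValue -Name 'UsePIN') `
    -NonTpm     (Get-FvePolicyValue -Name 'EnableNonTPM')
$result | Format-List
```

Run it in an elevated PowerShell session on the machine being checked; the checks themselves are pure functions of the three values, so the same Test-FveStartupAuthPolicy call can be fed values exported from another machine or from a GPO backup to validate a policy before deployment.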


ADMX file: volumeencryption.admx