Require additional authentication at startup

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

Supported on: At least Windows 7
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\FVE
Value NameUseAdvancedStartup
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\FVE
Value NameEnableBDEWithNoTPM
Value TypeREG_DWORD
Default Value1
True Value1
False Value0

Settings for computers with a TPM:

Configure TPM startup:


  1. Allow TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPM
    Value TypeREG_DWORD
    Value2
  2. Require TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPM
    Value TypeREG_DWORD
    Value1
  3. Do not allow TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPM
    Value TypeREG_DWORD
    Value0

Configure TPM startup PIN:


  1. Allow startup PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMPIN
    Value TypeREG_DWORD
    Value2
  2. Require startup PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMPIN
    Value TypeREG_DWORD
    Value1
  3. Do not allow startup PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMPIN
    Value TypeREG_DWORD
    Value0

Configure TPM startup key:


  1. Allow startup key with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKey
    Value TypeREG_DWORD
    Value2
  2. Require startup key with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKey
    Value TypeREG_DWORD
    Value1
  3. Do not allow startup key with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKey
    Value TypeREG_DWORD
    Value0

Configure TPM startup key and PIN:


  1. Allow startup key and PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKeyPIN
    Value TypeREG_DWORD
    Value2
  2. Require startup key and PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKeyPIN
    Value TypeREG_DWORD
    Value1
  3. Do not allow startup key and PIN with TPM
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSOFTWARE\Policies\Microsoft\FVE
    Value NameUseTPMKeyPIN
    Value TypeREG_DWORD
    Value0


volumeencryption.admx

Administrative Templates (Computers)

Administrative Templates (Users)