Geoff Chappell - Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
The main DLL for user-mode access to kernel-mode BitLocker support, i.e., FVEAPI.DLL, checks its operations against very many registry values that serve as Group Policy settings. Almost all have user-interface support through the Local Group Policy Editor, specifically in the BitLocker Drive Encryption administrative template displayed under Windows Components. Something like the explanatory text from this user interface is also published online as Microsoft’s documentation of BitLocker’s configurability.
When BitLocker was new, roughly half a dozen DLLs for user-mode BitLocker support each read their own selection of BitLocker policy settings, each by its own methods. For Windows 8, Microsoft unified this into library code that is linked into each of these DLLs. Most of the policy settings are organised into tables which are reproduced in each DLL. Each table gives for each setting the applicable registry key, the registry value and (optionally) the default for the data. For some settings, this tabular definition is at best a basis for interpretation. For a few, it is not even relevant, notably because the setting continues to be interpreted by old code.
If only for now, this page lists only the settings that are defined in the library’s tables. It may therefore not be comprehensive as a list of BitLocker policy settings even for modern versions. It certainly misses settings that are specific to early versions. If you need a comprehensive listing of all registry values that are any sort of BitLocker policy setting, then please do ponder how it is that you are left to look for one (both by Microsoft and by the wider industry that writes about BitLocker as if to be not just helpful but authoritative).
Almost all of the Group Policy settings for BitLocker are in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE. A large set of them—25 that are specialised to selecting which Platform Configuration Registers count for BitLocker’s platform validation profile—are instead in one of three possible subkeys. Two settings can alternatively be in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE. For two more, duplicated entries in the table suggest that although a choice of key is not offered, it may have been intended or anticipated.
To the library code for loading the registry keys from which to read the settings, these two keys in the Software and System branches of HKEY_LOCAL_MACHINE are just the root policy keys. There is also a notion of volume policy. (These names are taken from the names of internal routines, as known from public symbol files.) The volume policy is, or would be, read from the SOFTWARE and SYSTEM hives in the Windows\System32\Config directory of a particular volume, specifically such that the two usual keys would instead be
The plain intention is that a BitLocker-protected volume that Windows might be booted from, with the usual keys then supplying the root policy, can have alternative policy settings that apply just to this volume when accessed for some special purpose. What this purpose might be, whether just for testing or for some type of recovery, is not known since no software that uses the library code is yet known to have code for calling it with the arguments that would load the volume policy. Further study is required.
It is, of course, just an implementation detail, but the library code organises its definitions of policy settings into separate tables for different types of registry value: dword, string and multi-string. Public symbol files for Windows 8 and higher show that each table has an enumeration for indexing a setting within the table: eFveGpDwSetting, eFveGpStrSetting and eFveGpMultiStrSetting. Public symbol files for Windows 8.1 and higher show that each table is an array of a templated structure named POLICY_REGISTRY_INFO, with a different template argument for each type of registry value. For a reverse-engineered list of the defined settings, it is only natural to follow the implementation, including to separate the types.
The vast majority of BitLocker policy settings are integers. Unless otherwise noted, FVEAPI requires that the registry value has REG_DWORD as the type of its data (in contrast, for instance, to accepting four bytes of REG_BINARY data). Most of these settings require the REG_DWORD type not because they range widely as integers but because they are boolean or take values from an enumeration. Classification of these cases is a work in progress.
Unless otherwise noted, “boolean” in parentheses signifies a conventional interpretation of 0 as false, 1 as true, and anything else as invalid.
The most extensively used enumeration is named by public symbol files as eFveGpConfigurationState. It is indicated by “configuration state” in parentheses. Microsoft’s names for the members are not known. One interpretation is that 0 and 1 are disabled and enabled, respectively, and that 2 means the setting is explicitly not configured. The last is typically the default, but cases exist for which the data’s presence as 2 produces different behaviour from when the data is simply not present or is defaulted for not being 0, 1, or 2.
Another enumeration named by public symbol files is eFveGpPermission. It is indicated below by “permission” in parentheses. Its defined values are 0, 1, 2 and 3, meaning respectively to disallow, require or allow the behaviour, with 3 meaning the behaviour is explicitly not configured.
Do not rely on the descriptions below to capture the consequences of data that is invalid for being out of its defined range.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | EncryptionMethod |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.0 and higher |
The EncryptionMethod value has user-interface support through the Local Group Policy Editor as
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
in the BitLocker Drive Encryption administrative template. The user interface’s drop-down box offers the following interpretations of the data:
As made plain by the user-interface description, this value has long been superseded. Its first replacement was EncryptionMethodNoDiffuser (see next) in version 6.2. This and later versions retain EncryptionMethod as a fallback for when newer values are not present, but the Diffuser is not supported for new encryption, and so 1 and 2 are treated as 3 and 4.
Starting with the 1511 release of Windows 10, FVEAPI looks first for EncryptionMethodWithXtsOs and similar values (see far below), which have the advantage of allowing different encryption methods for different types of drive. These new registry values also provide for new encryption methods, represented by 6 and 7, which happen also to be meaningful for this superseded value if it is fallen back to.
What gets chosen for the encryption method when not specified (or if 0 is specified) is more complicated than is suggested by the parentheses in the user-interface descriptions. Definitive enumeration awaits further study.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | EncryptionMethodNoDiffuser |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.2 and higher |
The EncryptionMethodNoDiffuser value has user-interface support through the Local Group Policy Editor as
Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
in the BitLocker Drive Encryption administrative template. The user interface’s drop-down box offers the following interpretations of the data:
This value superseded EncryptionMethod (see preceding). It is in turn superseded by EncryptionMethodWithXtsOs and similar values (see far below). It is still read as a fallback when the applicable new value is not present. The new values have the advantage of allowing different encryption methods for different types of drive. They also provide for new encryption methods, represented by 6 and 7, which happen also to be meaningful for EncryptionMethodNoDiffuser.
What gets chosen for the encryption method when not specified (or if 0 is specified) is more complicated than is suggested by the parentheses in the user-interface descriptions. Definitive enumeration awaits further study.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\PlatformValidation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\OSPlatformValidation_BIOS HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\OSPlatformValidation_UEFI |
Value: | Enabled |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.0 to 6.1 in PlatformValidation; 6.2 and higher in OSPlatformValidation_BIOS and OSPlatformValidation_UEFI |
Before version 6.2, the Enabled value is meaningful only in the PlatformValidation key. Later versions select the key according to the FIRMWARE_TYPE as learnt from a SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure that gets filled by the NtQuerySystemInformation function when given the (undocumented) information class SystemBootEnvironmentInformation. Anything other than FirmwareTypeBios and FirmwareTypeUefi (for the second and third keys, respectively) is treated as invalid. There is no fallback to the first key, which these versions have in their table but can never use.
In each of the three possible keys, the Enabled value has user-interface support through the Local Group Policy Editor as the following items in the Operating System Drives category of the BitLocker Drive Encryption administrative template:
The user interface for each Enabled value has 24 check-boxes, one for each Platform Configuration Register (PCR). These configure the 0 to 23 values (see next) in the same registry key.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\PlatformValidation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\OSPlatformValidation_BIOS HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\OSPlatformValidation_UEFI |
Value: | 0 to 23 inclusive |
Type: | REG_DWORD (boolean) |
Default: | none |
Versions: | 6.0 to 6.1 in PlatformValidation; 6.2 and higher in PlatformValidation_BIOS and PlatformValidation_UEFI |
The values 0 to 23 have user-interface support through the Local Group Policy Editor as check-boxes in the user-interface support for the Enabled value (see preceding) in the same key. Each check box corresponds to one numbered Platform Configuration Register (PCR). In the PlatformValidation and OSPlatformValidation_BIOS keys, these are labelled:
with “Reserved for Future Use” continuing from PCR 12 to PCR 23. The labelling for the OSPlatformValidation_UEFI key differs, often just by some understandable re-interpretation but in some cases significantly, as where Boot Manager moves from PCR 10 to PCR 4:
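The reading conventions described above (the REG_DWORD requirement, the boolean, configuration-state and permission enumerations, the EncryptionMethod fallback chain and the firmware-type selection of the platform validation key), put together as an added example that is not code from the page or from Microsoft. The snapshot format, the handful of table entries and the treatment of wrongly typed data as absent are this example's own assumptions.

```python
"""Model of the table-driven policy reading described on this page.

Added example, not Microsoft's code. A registry snapshot is a dict mapping
(key path below HKEY_LOCAL_MACHINE, value name) to (type, data); the
functions apply the rules the page describes and return the effective data.
"""

REG_BINARY, REG_DWORD = 3, 4      # registry type codes, as winreg reports them
FVE = r"Software\Policies\Microsoft\FVE"
PV_BIOS = FVE + r"\OSPlatformValidation_BIOS"
PV_UEFI = FVE + r"\OSPlatformValidation_UEFI"
FIRMWARE_KEYS = {"FirmwareTypeBios": PV_BIOS, "FirmwareTypeUefi": PV_UEFI}

# Decoding of the three kinds of dword setting the page names.
KINDS = {
    "boolean": {0: "false", 1: "true"},
    "configuration state": {0: "disabled", 1: "enabled", 2: "not configured"},
    "permission": {0: "disallow", 1: "require", 2: "allow", 3: "not configured"},
}

# A few entries modelled on the POLICY_REGISTRY_INFO tables: value name ->
# (key, default, kind), with keys, defaults and kinds as given on this page.
DWORD_TABLE = {
    "UseAdvancedStartup": (FVE, 2, None),
    "OSRecoveryPassword": (FVE, 2, "permission"),
    "OSHardwareEncryption": (FVE, 2, "configuration state"),
    "DisallowStandardPINReset": (FVE, 0, "boolean"),
}


def read_dword(snapshot, key, name, default):
    """The REG_DWORD requirement: data of any other type is treated here as
    not present, so the table's default applies (the model's reading)."""
    entry = snapshot.get((key, name))
    if entry is None or entry[0] != REG_DWORD:
        return default
    return entry[1]


def effective_setting(snapshot, name):
    """Return (data, meaning); meaning is None where the page does not classify
    the enumeration and 'invalid' where the data is outside the kind's range."""
    key, default, kind = DWORD_TABLE[name]
    data = read_dword(snapshot, key, name, default)
    return data, None if kind is None else KINDS[kind].get(data, "invalid")


def os_encryption_method(snapshot):
    """The fallback chain for the OS drive: newest value first, older ones only
    when the newer are not present. Returns (value name used, data)."""
    for name in ("EncryptionMethodWithXtsOs", "EncryptionMethodNoDiffuser",
                 "EncryptionMethod"):
        data = read_dword(snapshot, FVE, name, None)
        if data is None:
            continue
        if name == "EncryptionMethod" and data in (1, 2):
            data += 2    # Diffuser not supported: 1 and 2 are treated as 3 and 4
        return name, data
    return None, 0       # unspecified; what FVEAPI then chooses is not modelled


def platform_validation_profile(snapshot, firmware_type):
    """Version 6.2+ choice of platform validation key by firmware type. Returns
    (Enabled data, selected PCRs, PCRs whose value is not a boolean)."""
    key = FIRMWARE_KEYS.get(firmware_type)
    if key is None:
        raise ValueError(f"firmware type {firmware_type!r} is invalid to FVEAPI")
    enabled = read_dword(snapshot, key, "Enabled", 2)
    selected, invalid = [], []
    for pcr in range(24):
        entry = snapshot.get((key, str(pcr)))
        if entry is None:
            continue     # no default: an absent PCR value is simply not selected
        if entry[0] != REG_DWORD or entry[1] not in (0, 1):
            invalid.append(pcr)
        elif entry[1] == 1:
            selected.append(pcr)
    return enabled, selected, invalid


# Constructed sample standing in for the policy keys on a UEFI machine.
SAMPLE = {
    (FVE, "EncryptionMethod"): (REG_DWORD, 2),        # superseded value, with Diffuser
    (FVE, "OSRecoveryPassword"): (REG_DWORD, 1),      # require
    (FVE, "DisallowStandardPINReset"): (REG_BINARY, b"\x01\x00\x00\x00"),  # wrong type
    (FVE, "OSHardwareEncryption"): (REG_DWORD, 7),    # outside the enumeration
    (PV_UEFI, "Enabled"): (REG_DWORD, 1),
    **{(PV_UEFI, str(pcr)): (REG_DWORD, 1) for pcr in (0, 2, 4, 7, 11)},
    (PV_UEFI, "12"): (REG_DWORD, 5),                  # not a boolean
}
```

On Windows the same snapshot can be filled from the live keys with winreg.EnumValue, which reports (name, data, type) using the same type codes.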
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseAdvancedStartup |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.1 and higher |
The UseAdvancedStartup value has user-interface support through the Local Group Policy Editor as
Require additional authentication at startup
in the Operating System Drives category of the BitLocker Drive Encryption administrative template. This user interface has a check-box and four drop-down boxes which configure the next five registry values: EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPin.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | EnableBDEWithNoTPM |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The EnableBDEWithNoTPM value has user-interface support through the Local Group Policy Editor as a check-box labelled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
in the user-interface support for the UseAdvancedStartup value (see preceding).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseTPM |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
The UseTPM value has user-interface support through the Local Group Policy Editor as a drop-down box labelled
Configure TPM startup:
in the user-interface support for the UseAdvancedStartup value (see above). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseTPMPIN |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The UseTPMPIN value has user-interface support through the Local Group Policy Editor as a drop-down box labelled
Configure TPM startup PIN:
in the user-interface support for the UseAdvancedStartup value (see above). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseTPMKey |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The UseTPMKey value has user-interface support through the Local Group Policy Editor as a drop-down box labelled
Configure TPM startup key:
in the user-interface support for the UseAdvancedStartup value (see above). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseTPMKeyPin |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The UseTPMKeyPin value has user-interface support through the Local Group Policy Editor as a drop-down box labelled
Configure TPM startup key and PIN:
in the user-interface support for the UseAdvancedStartup value (see above). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | MinimumPIN |
Type: | REG_DWORD |
Default: | 4 in 6.1 to 1607; 6 in 1703 and higher |
The MinimumPIN value has user-interface support through the Local Group Policy Editor as
Configure minimum PIN length for startup
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | UseEnhancedPin |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The UseEnhancedPin value has user-interface support through the Local Group Policy Editor as
Allow enhanced PINs for startup
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVDenyCrossOrg |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The RDVDenyCrossOrg value has user-interface support through the Local Group Policy Editor as a check-box labelled
Do not allow write access to devices configured in another organization
in the user-interface support for the RDVDenyWriteAccess value (see below).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | IdentificationField |
Type: | REG_DWORD or REG_BINARY |
Default: | 2 |
Versions: | 6.1 and higher |
The IdentificationField value has user-interface support through the Local Group Policy Editor as
Provide the unique identifiers for your organization
in the BitLocker Drive Encryption administrative template. The user interface has text boxes for the IdentificationFieldString and SecondaryIdentificationField values (see far below).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSRecovery FDVRecovery RDVRecovery |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.1 and higher |
The OSRecovery, FDVRecovery and RDVRecovery values have user-interface support through the Local Group Policy Editor as the following items in their respective categories of the BitLocker Drive Encryption administrative template:
This user interface has four check-boxes and three drop-down boxes for the next seven sets of values: OSManageDRA, OSRecoveryPassword, OSRecoveryKey, OSHideRecoveryPage, OSActiveDirectoryBackup, OSActiveDirectoryInfoToStore and OSRequireActiveDirectoryBackup and similarly for fixed drives and removable drives.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSRecoveryPassword FDVRecoveryPassword RDVRecoveryPassword |
Type: | REG_DWORD (permission) |
Default: | 2 |
Versions: | 6.1 and higher |
Each of the OSRecoveryPassword, FDVRecoveryPassword and RDVRecoveryPassword values has user-interface support through the Local Group Policy Editor as the first drop-down box beneath the label
Configure user storage of BitLocker recovery information:
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see preceding). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSRecoveryKey FDVRecoveryKey RDVRecoveryKey |
Type: | REG_DWORD (permission) |
Default: | 2 |
Versions: | 6.1 and higher |
Each of the OSRecoveryKey, FDVRecoveryKey and RDVRecoveryKey values has user-interface support through the Local Group Policy Editor as the second drop-down box beneath the label
Configure user storage of BitLocker recovery information:
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see above). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSManageDRA FDVManageDRA RDVManageDRA |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
Each of the OSManageDRA, FDVManageDRA and RDVManageDRA values has user-interface support through the Local Group Policy Editor as a check-box labelled
Allow data recovery agent
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSActiveDirectoryBackup FDVActiveDirectoryBackup RDVActiveDirectoryBackup |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
Each of the OSActiveDirectoryBackup, FDVActiveDirectoryBackup and RDVActiveDirectoryBackup values has user-interface support through the Local Group Policy Editor as a check-box labelled
Save BitLocker recovery information to AD DS for operating system drives
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSRequireActiveDirectoryBackup FDVRequireActiveDirectoryBackup RDVRequireActiveDirectoryBackup |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
Each of the OSRequireActiveDirectoryBackup, FDVRequireActiveDirectoryBackup and RDVRequireActiveDirectoryBackup values has user-interface support through the Local Group Policy Editor as a check-box labelled
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSActiveDirectoryInfoToStore FDVActiveDirectoryInfoToStore RDVActiveDirectoryInfoToStore |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
Each of the OSActiveDirectoryInfoToStore, FDVActiveDirectoryInfoToStore and RDVActiveDirectoryInfoToStore values has user-interface support through the Local Group Policy Editor as the first drop-down box beneath the label
Configure storage of BitLocker recovery information to AD DS:
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see preceding). This drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSHideRecoveryPage FDVHideRecoveryPage RDVHideRecoveryPage |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.2 and higher |
Each of the OSHideRecoveryPage, FDVHideRecoveryPage and RDVHideRecoveryPage values has user-interface support through the Local Group Policy Editor as a check-box labelled
Omit recovery options from the BitLocker setup wizard
in the user-interface support for the corresponding OSRecovery, FDVRecovery or RDVRecovery value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | PreferCspUsage |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.2 and higher |
The PreferCspUsage value has no known user-interface support.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | SelfSignedCertificates |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The SelfSignedCertificates value has no known user-interface support.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | CertChainErrorStatusMask |
Type: | REG_DWORD |
Default: | 0x10 |
Versions: | 6.2 and higher |
The CertChainErrorStatusMask value has no known user-interface support.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSAllowUserCert FDVAllowUserCert |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
The OSAllowUserCert value has no known user-interface support, but the FDVAllowUserCert value has user-interface support through the Local Group Policy Editor as
Configure use of smart cards on fixed data drives
in the Fixed Data Drives category of the BitLocker Drive Encryption administrative template. This user interface has a check-box for the FDVEnforceUserCert value (see next).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVEnforceUserCert |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
The FDVEnforceUserCert value has user-interface support through the Local Group Policy Editor as a check-box labelled
Require use of smart cards on fixed data drives
in the user-interface support for FDVAllowUserCert (see preceding).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSEnforceUserCert |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The OSEnforceUserCert value has no known user-interface support.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVAllowUserCert |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The RDVAllowUserCert value has user-interface support through the Local Group Policy Editor as
Configure use of smart cards on removable data drives
in the Removable Data Drives category of the BitLocker Drive Encryption administrative template. This user interface has a check-box for the RDVEnforceUserCert value (see next).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVEnforceUserCert |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The RDVEnforceUserCert value has user-interface support through the Local Group Policy Editor as a check-box labelled
Require use of smart cards on removable data drives
in the user-interface support for RDVAllowUserCert (see preceding).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVPassphrase RDVPassphrase |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.1 and higher |
The FDVPassphrase and RDVPassphrase values have user-interface support through the Local Group Policy Editor as the following in their respective categories of the BitLocker Drive Encryption administrative template:
The user interface has a check-box, a drop-down box and an up-down box for the FDVEnforcePassphrase, FDVPassphraseComplexity and FDVPassphraseLength values (see below), and similarly for removable drives.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSPassphrase |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.2 and higher |
The OSPassphrase value has user-interface support through the Local Group Policy Editor as
Configure use of passwords for operating system drives
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
The user interface has a drop-down box, an up-down box and a check-box for the OSPassphraseComplexity, OSPassphraseLength and OSPassphraseASCIIOnly values (see below).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVEnforcePassphrase RDVEnforcePassphrase |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
Each of the FDVEnforcePassphrase and RDVEnforcePassphrase values has user-interface support through the Local Group Policy Editor as a check-box labelled
in the user-interface support for the corresponding FDVPassphrase or RDVPassphrase value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVPassphraseComplexity RDVPassphraseComplexity OSPassphraseComplexity |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.1 and higher; but 6.2 and higher for OSPassphraseComplexity |
Each of the FDVPassphraseComplexity, RDVPassphraseComplexity and OSPassphraseComplexity values has user-interface support through the Local Group Policy Editor as a drop-down box labelled:
in the user-interface support for the corresponding FDVPassphrase, RDVPassphrase or OSPassphrase value (see above). The drop-down box offers the following interpretations of the data:
These possibilities are defined formally as an enumeration which public symbol files name eFveGpPassphraseComplexity. What counts as sufficient complexity for a BitLocker password is not subject to BitLocker policy but is instead decided by the NETAPI32 function NetValidatePasswordPolicy (nowadays implemented in SAMCLI) for consistency with wider-ranging policies on password complexity. Especially notable for the local computer is what the Local Group Policy Editor shows as “Password must meet complexity requirements” in Password Policy under Account Policies in the Security Settings under Windows Settings.
There are two essential points of difference between requiring password complexity and merely allowing it. The first is with where the complexity is assessed: require means a domain controller; allow means the local computer. The second is with disposition to the answer: require means the password is rejected without a positive answer from a domain controller; allow means the password is accepted unless the local computer answers specifically that the password is too simple.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVPassphraseLength RDVPassphraseLength OSPassphraseLength |
Type: | REG_DWORD |
Default: | 8 |
Versions: | 6.1 and higher for FDVPassphraseLength and RDVPassphraseLength; 6.2 and higher for OSPassphraseLength |
Each of the FDVPassphraseLength, RDVPassphraseLength and OSPassphraseLength values has user-interface support through the Local Group Policy Editor as an up-down control labelled:
in the user-interface support for the corresponding FDVPassphrase, RDVPassphrase or OSPassphrase value (see above).
The user interface provides for setting a minimum password length between 8 and 255 inclusive. FVEAPI tolerates 1 to 256 inclusive. Anything outside this range is corrected to the default, as if the setting had been left unspecified. There is no registry value for a maximum password length: this is hard-coded as 256.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSPassphraseASCIIOnly |
Type: | REG_DWORD (boolean) |
Default: | 0 |
Versions: | 6.2 and higher |
The OSPassphraseASCIIOnly value has user-interface support through the Local Group Policy Editor as a check-box labelled
Require ASCII-only passwords for removable OS drives
in the user-interface support for the OSPassphrase value (see above). It is not known what the user interface’s description means by “removable OS drives”. For data drives, both fixed and removable, there is no setting to restrict passwords to ASCII characters.
If the dword of data for OSPassphraseASCIIOnly is 1, then characters in passwords must lie between 0x20 and 0x7E inclusive.
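The password rules from the preceding entries (the require-versus-allow disposition of the PassphraseComplexity values, the 1 to 256 tolerance and default of the PassphraseLength values, the hard-coded maximum and OSPassphraseASCIIOnly), put together for an OS drive password as an added example that is not code from the page or from Microsoft. The numeric encoding of OSPassphraseComplexity, the three-of-four local complexity rule and the callbacks standing in for NetValidatePasswordPolicy are this example's own assumptions.

```python
"""Model of the OS drive password rules described above.

Added example, not Microsoft's code. The complexity check is modelled as
callbacks standing in for NetValidatePasswordPolicy: each returns True (ok),
False (too simple) or None (no answer, e.g. no domain controller reached).
"""

DEFAULT_MIN_LENGTH = 8                  # the table's default for OSPassphraseLength
TOLERATED_MIN, TOLERATED_MAX = 1, 256   # what FVEAPI tolerates for the setting
HARD_MAX_LENGTH = 256                   # no registry value: hard-coded maximum

# Assumed encoding of OSPassphraseComplexity, following the page's permission
# ordering (0 disallow, 1 require, 2 allow); the page does not list the values.
DISALLOW, REQUIRE, ALLOW = 0, 1, 2


def effective_min_length(data):
    """OSPassphraseLength outside 1..256 (or absent) is corrected to the default."""
    if data is None or not TOLERATED_MIN <= data <= TOLERATED_MAX:
        return DEFAULT_MIN_LENGTH
    return data


def local_complexity(password):
    """Stand-in for the local computer's answer: the usual three-of-four
    character-category rule of 'Password must meet complexity requirements'."""
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(categories) >= 3


def check_password(password, length_data, ascii_only, complexity,
                   local_check=local_complexity, dc_check=lambda p: None):
    """Return (accepted, reason) for an OS drive password under the policy data."""
    if len(password) < effective_min_length(length_data):
        return False, "shorter than the minimum length"
    if len(password) > HARD_MAX_LENGTH:
        return False, "longer than the hard-coded maximum of 256"
    if ascii_only == 1 and any(not 0x20 <= ord(c) <= 0x7E for c in password):
        return False, "character outside 0x20..0x7E with OSPassphraseASCIIOnly"
    if complexity == REQUIRE:
        # Fail closed: nothing short of a positive answer from a domain
        # controller lets the password through.
        if dc_check(password) is not True:
            return False, "no positive answer from a domain controller"
    elif complexity == DISALLOW:
        pass                 # complexity is not assessed at all
    else:
        # Allow (also the assumed treatment of out-of-range data): fail open,
        # rejected only if the local computer says the password is too simple.
        if local_check(password) is False:
            return False, "local computer judged the password too simple"
    return True, "accepted"
```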
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE |
Value: | FDVDenyWriteAccess RDVDenyWriteAccess |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
The FDVDenyWriteAccess and RDVDenyWriteAccess values in the System branch have user-interface support in the Local Group Policy Editor as the following items
in the Fixed Data Drives and Removable Data Drives categories of the BitLocker Drive Encryption administrative template. This user interface for RDVDenyWriteAccess has a check-box for setting the RDVDenyCrossOrg value (see above).
FVEAPI’s table of DWORD policy settings allows both values in both keys, but FVEAPI does not use the table when evaluating these policies. Indeed, no code is yet known that queries for FDVDenyWriteAccess, and RDVDenyWriteAccess is sought only in the System branch. Further study is required.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVConfigureBDE |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.1 and higher |
The RDVConfigureBDE value has user-interface support through the Local Group Policy Editor as
Control use of BitLocker on removable drives
in the Removable Data Drives category of the BitLocker Drive Encryption administrative template. This user interface has check-boxes for the next two values: RDVAllowBDE and RDVDisableBDE.
The RDVConfigureBDE value is listed twice in FVEAPI’s tables, as if it’s intended for two keys (like RDVDenyWriteAccess, see preceding) except that both entries in the table are for the one key.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVAllowBDE |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
The RDVAllowBDE value has user-interface support through the Local Group Policy Editor as a check-box labelled
Allow users to apply BitLocker protection on removable data drives
in the user-interface support for the RDVConfigureBDE value (see preceding).
The RDVAllowBDE value is listed twice in FVEAPI’s tables, as if it’s intended for two keys (like RDVDenyWriteAccess, see above) except that both entries in the table are for the one key.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RDVDisableBDE |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.1 and higher |
The RDVDisableBDE value has user-interface support through the Local Group Policy Editor as a check-box labelled
Allow users to suspend and decrypt BitLocker protection on removable data drives
in the user-interface support for the RDVConfigureBDE value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVNoBitLockerToGoReader RDVNoBitLockerToGoReader |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.1 and higher |
Each of the FDVNoBitLockerToGoReader and RDVNoBitLockerToGoReader values has user-interface support through the Local Group Policy Editor as a check-box labelled
in the user-interface support for the FDVDiscoveryVolumeType and RDVDiscoveryVolumeType values (see below).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSEncryptionType FDVEncryptionType RDVEncryptionType |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 6.2 and higher |
The OSEncryptionType, FDVEncryptionType and RDVEncryptionType values have user-interface support through the Local Group Policy Editor as
in their respective categories of the BitLocker Drive Encryption administrative template. For each, the user interface’s drop-down box offers the following interpretations of the data:
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | DisallowStandardPINReset |
Type: | REG_DWORD (boolean) |
Default: | 0 |
Versions: | 6.2 and higher |
The DisallowStandardPINReset value has user-interface support through the Local Group Policy Editor as
Disallow standard users from changing the PIN or password
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | TpmAutoReseal |
Type: | REG_DWORD |
Default: | 1 |
Versions: | 6.2 and higher |
The TpmAutoReseal value has user-interface support through the Local Group Policy Editor as
Reset platform validation data after BitLocker recovery
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSHardwareEncryption FDVHardwareEncryption RDVHardwareEncryption |
Type: | REG_DWORD (configuration state) |
Default: | 2 |
Versions: | 6.2 and higher |
The OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption values have user-interface support through the Local Group Policy Editor as
in their respective categories of the BitLocker Drive Encryption administrative template. The user interface has two check-boxes and one text-box for the OSAllowSoftwareEncryptionFailover, OSRestrictHardwareEncryptionAlgorithms and OSAllowedHardwareEncryptionAlgorithms values, and similarly for fixed drives and removable drives.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSAllowSoftwareEncryptionFailover FDVAllowSoftwareEncryptionFailover RDVAllowSoftwareEncryptionFailover |
Type: | REG_DWORD (boolean) |
Default: | 1 |
Versions: | 6.2 and higher |
The OSAllowSoftwareEncryptionFailover, FDVAllowSoftwareEncryptionFailover and RDVAllowSoftwareEncryptionFailover values each have user-interface support through the Local Group Policy Editor as a check-box labelled
Use BitLocker software-based encryption when hardware encryption is not available
in the user-interface support for the corresponding OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption value (see preceding).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSRestrictHardwareEncryptionAlgorithms FDVRestrictHardwareEncryptionAlgorithms RDVRestrictHardwareEncryptionAlgorithms |
Type: | REG_DWORD (boolean) |
Default: | 0 |
Versions: | 6.2 and higher |
The OSRestrictHardwareEncryptionAlgorithms, FDVRestrictHardwareEncryptionAlgorithms and RDVRestrictHardwareEncryptionAlgorithms values each have user-interface support through the Local Group Policy Editor as a check-box labelled
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption
in the user-interface support for the corresponding OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSAllowSecureBootForIntegrity |
Type: | REG_DWORD (boolean) |
Default: | 1 |
Versions: | 6.2 and higher |
The OSAllowSecureBootForIntegrity value has user-interface support through the Local Group Policy Editor as
Allow Secure Boot for integrity validation
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSEnablePrebootInputProtectorsOnSlates |
Type: | REG_DWORD (boolean) |
Default: | 0 |
Versions: | 6.2 and higher |
The OSEnablePrebootInputProtectorsOnSlates value has user-interface support through the Local Group Policy Editor as
Enable use of BitLocker authentication requiring preboot keyboard input on slates
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSUseEnhancedBcdProfile |
Type: | REG_DWORD |
Default: | 2 |
Versions: | 6.2 and higher |
The OSUseEnhancedBcdProfile value has user-interface support through the Local Group Policy Editor as
Use enhanced Boot Configuration Data validation profile
in the Operating System Drives category of the BitLocker Drive Encryption administrative template. The user interface has two multi-line text boxes for the OSBcdAdditionalSecurityCriticalSettings and OSBcdAdditionalExcludedSettings values (see below).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RecoveryKeyMessageSource |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 10.0 and higher |
The RecoveryKeyMessageSource value has user-interface support through the Local Group Policy Editor as
Configure pre-boot recovery message and URL
in the Operating System Drives category of the BitLocker Drive Encryption administrative template. The user interface’s drop-down box offers the following interpretations of the data:
The user interface also has two text-boxes for configuring the RecoveryKeyMessage and RecoveryKeyUrl values (see below).
The RecoveryKeyMessageSource value is interpreted by BDESVC.DLL to affect the Boot Configuration Data (BCD) options fverecoverymessage and fverecoveryurl. If the data for RecoveryKeyMessageSource is 2, then fverecoverymessage is set from the string data for the RecoveryKeyMessage value (see below) and fverecoveryurl is deleted. If the data is 3, then fverecoveryurl is set from the string data for the RecoveryKeyURL value (see below) and fverecoverymessage is deleted. For any other non-zero data, both BCD options are deleted.
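The rules just described, as an added example that is not code from this page, from Microsoft or from BDESVC.DLL: the first function models what BDESVC does with the three policy values, and the second compares that prediction with the live BCD store. It assumes that $null stands for a deleted BCD option, that data of 0 (or an absent value) leaves both options alone, which the page does not state, and that bcdedit prints each option as "<name> <value>" on one line.

```powershell
# Added example; not code from the page, from Microsoft or from BDESVC.DLL. It models the
# RecoveryKeyMessageSource rules described above and compares them with the live BCD store.
# Assumptions: $null stands for "BCD option deleted"; the page does not say what BDESVC does
# for data of 0 (or an absent value), so that case is treated here as "leave both options alone";
# bcdedit's text layout ("<name>   <value>" on one line) is assumed, not documented.

function Get-ExpectedFveRecoveryOptions {
    param(
        [Nullable[int]]$Source,   # RecoveryKeyMessageSource (REG_DWORD), $null if absent
        [string]$Message,         # RecoveryKeyMessage (REG_SZ)
        [string]$Url              # RecoveryKeyURL (REG_SZ)
    )
    if (-not $Source) { return $null }                 # not configured: no prediction (assumption)
    # Any non-zero data other than 2 or 3 deletes both options ...
    $expected = @{ fverecoverymessage = $null; fverecoveryurl = $null }
    if ($Source -eq 2) { $expected.fverecoverymessage = $Message }   # ... 2 keeps only the message
    if ($Source -eq 3) { $expected.fverecoveryurl = $Url }           # ... 3 keeps only the URL
    return $expected
}

function Test-FveRecoveryOptions {
    # Reads the policy key named on this page; bcdedit needs an elevated prompt.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $expected = Get-ExpectedFveRecoveryOptions -Source $policy.RecoveryKeyMessageSource `
                    -Message $policy.RecoveryKeyMessage -Url $policy.RecoveryKeyURL
    if ($null -eq $expected) {
        Write-Output 'RecoveryKeyMessageSource is not configured; BCD options are whatever was last set.'
        return
    }
    $bcd = bcdedit /enum all 2>$null
    foreach ($name in 'fverecoverymessage', 'fverecoveryurl') {
        $actual = $null
        foreach ($line in $bcd) {
            if ($line -match "^\s*$name\s+(\S.*)$") { $actual = $Matches[1].Trim(); break }
        }
        $want = if ($null -eq $expected[$name]) { '<deleted>' } else { $expected[$name] }
        $have = if ($null -eq $actual) { '<absent>' } else { $actual }
        $status = if ($want -eq $have) { 'OK' } else { 'MISMATCH' }
        Write-Output ('{0,-20} policy says: {1,-40} BCD has: {2,-40} {3}' -f $name, $want, $have, $status)
    }
}

Test-FveRecoveryOptions
```

A MISMATCH is expected immediately after the policy is changed and before BDESVC has processed it; a persistent one means something other than the policy is setting these BCD options.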
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | EncryptionMethodWithXtsOs EncryptionMethodWithXtsFdv EncryptionMethodWithXtsRdv |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 1511 and higher |
The EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv and EncryptionMethodWithXtsRdv values have user-interface support through the Local Group Policy Editor as
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
in the BitLocker Drive Encryption administrative template. The user interface has three drop-down boxes, one for each registry value:
Each drop-down box offers the following interpretations of the data:
but with “(default)” shifting from 6 to 3 for EncryptionMethodWithXtsRdv.
In the absence of the applicable value for the volume type, FVEAPI falls back to the superseded values EncryptionMethodNoDiffuser and EncryptionMethod (in decreasing priority). All of these values have the same interpretation of their data: 1 and 2 are treated as 3 and 4, respectively; 0 leaves the method unspecified; anything else is invalid.
What gets chosen for the encryption method when not specified by these registry values is more complicated than is suggested by the parentheses in the user-interface descriptions. Definitive enumeration awaits further study.
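The fallback order and the data interpretation described above, applied to a set of policy values as an added example (not code from this page or from FVEAPI). The numeric meanings it names (3 = AES-CBC 128-bit, 4 = AES-CBC 256-bit, 6 = XTS-AES 128-bit, 7 = XTS-AES 256-bit) come from the administrative template rather than from this page, and it assumes that only an absent value triggers the fallback, so a present value of 0 ends the search as "unspecified".

```powershell
# Added example; not code from the page or from FVEAPI. It applies the fallback order and the
# data interpretation described above to a set of policy values and names the resulting method.
# Assumptions: the numeric meanings (3 = AES-CBC 128-bit, 4 = AES-CBC 256-bit, 6 = XTS-AES 128-bit,
# 7 = XTS-AES 256-bit) come from the administrative template, not from this page; and only an
# absent value triggers the fallback, so a present value of 0 ends the search as "unspecified".

$FveMethodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }

function Resolve-FveEncryptionMethod {
    param(
        [ValidateSet('Os', 'Fdv', 'Rdv')][string]$VolumeType,
        [hashtable]$Policy    # registry value name -> DWORD data, as under ...\Policies\Microsoft\FVE
    )
    # Decreasing priority: the XTS-era value for this volume type, then the two superseded values.
    $names = "EncryptionMethodWithXts$VolumeType", 'EncryptionMethodNoDiffuser', 'EncryptionMethod'
    foreach ($name in $names) {
        if (-not $Policy.ContainsKey($name)) { continue }         # absent: fall back to the next value
        $data = [int]$Policy[$name]
        if ($data -eq 0) { return "$name = 0: method unspecified" }
        if ($data -in 1, 2) { $data += 2 }                        # 1 and 2 are treated as 3 and 4
        if ($FveMethodNames.ContainsKey($data)) { return "$name -> $($FveMethodNames[$data])" }
        return "$name = $data: invalid"
    }
    return 'no policy value present: method unspecified'
}

# Constructed sample: only the removable-drive value and the oldest superseded value are set,
# so OS and fixed drives fall back to EncryptionMethod while removable drives use their own value.
$sample = @{ EncryptionMethodWithXtsRdv = 7; EncryptionMethod = 2 }
foreach ($type in 'Os', 'Fdv', 'Rdv') {
    '{0,-4} {1}' -f $type, (Resolve-FveEncryptionMethod -VolumeType $type -Policy $sample)
}

# Live registry: build the same hashtable from the policy key named on this page.
$live = @{}
$props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) { if ($p.Name -like 'EncryptionMethod*') { $live[$p.Name] = $p.Value } }
}
foreach ($type in 'Os', 'Fdv', 'Rdv') {
    '{0,-4} {1}' -f $type, (Resolve-FveEncryptionMethod -VolumeType $type -Policy $live)
}
```

When the result is "unspecified", the method actually used is the one the text above says still awaits definitive enumeration; the function deliberately does not guess it.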
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSEnablePreBootPinExceptionOnDECapableDevice |
Type: | REG_DWORD |
Default: | 0 |
Versions: | 1703 and higher |
The OSEnablePreBootPinExceptionOnDECapableDevice value has user-interface support through the Local Group Policy Editor as
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
in the Operating System Drives category of the BitLocker Drive Encryption administrative template.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | DisableExternalDMAUnderLock |
Type: | REG_DWORD (boolean) |
Default: | 0 |
Versions: | 1703 and higher |
The DisableExternalDMAUnderLock value has user-interface support through the Local Group Policy Editor as
Disable new DMA devices when this computer is locked
in the BitLocker Drive Encryption administrative template.
The DisableExternalDMAUnderLock value is another that is in the tables that user-mode BitLocker components pick up from a statically linked library but which is not interpreted by FVEAPI. It is intended instead for BDESVC.DLL, which takes it as one of two inputs for setting the same-named value in the key SYSTEM\CurrentControlSet\Control\pnp\pci for interpretation in kernel mode by the PCI.SYS driver.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | IdentificationFieldString |
Type: | REG_SZ |
Default: | none |
Versions: | 6.1 and higher |
The IdentificationFieldString value has user-interface support through the Local Group Policy Editor as a text box labelled
BitLocker identification field:
in the user-interface support for the IdentificationField value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | SecondaryIdentificationField |
Type: | REG_SZ |
Default: | none |
Versions: | 6.1 and higher |
The SecondaryIdentificationField value has user-interface support through the Local Group Policy Editor as a text box labelled
Allowed BitLocker identification field:
in the user-interface support for the IdentificationField value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | DefaultRecoveryFolderPath |
Type: | REG_SZ |
Default: | none |
Versions: | 6.2 and higher |
The DefaultRecoveryFolderPath value has user-interface support through the Local Group Policy Editor as
Choose default folder for recovery password
in the BitLocker Drive Encryption administrative template.
The DefaultRecoveryFolderPath value is not known to be read by FVEAPI. It is instead interpreted by FVEUI.DLL in version 6.0 and in later versions by FVEWIZ.DLL.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | FDVDiscoveryVolumeType RDVDiscoveryVolumeType |
Type: | REG_SZ |
Default: | none |
Versions: | 6.1 and higher |
The FDVDiscoveryVolumeType and RDVDiscoveryVolumeType values have user-interface support through the Local Group Policy Editor as
in their respective categories of the BitLocker Drive Encryption administrative template. Enabling the policy sets the string data to FAT32. The user interface has a check-box for the corresponding FDVNoBitLockerToGoReader or RDVNoBitLockerToGoReader value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSAllowedHardwareEncryptionAlgorithms FDVAllowedHardwareEncryptionAlgorithms RDVAllowedHardwareEncryptionAlgorithms |
Type: | REG_SZ |
Default: | none |
Versions: | 6.2 and higher |
The OSAllowedHardwareEncryptionAlgorithms, FDVAllowedHardwareEncryptionAlgorithms and RDVAllowedHardwareEncryptionAlgorithms values each have user-interface support through the Local Group Policy Editor as a text box labelled
Restrict crypto algorithms or cipher suites to the following:
in the user-interface support for the corresponding OSHardwareEncryption, FDVHardwareEncryption or RDVHardwareEncryption value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RecoveryKeyMessage |
Type: | REG_SZ |
Default: | none |
Versions: | 10.0 and higher |
The RecoveryKeyMessage value has user-interface support through the Local Group Policy Editor as a text box labelled
Custom recovery message option:
in the user-interface support for the RecoveryKeyMessageSource value (see above).
If the DWORD data for RecoveryKeyMessageSource is 2, then the string data for RecoveryKeyMessage becomes the value of the BCD option fverecoverymessage.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | RecoveryKeyURL |
Type: | REG_SZ |
Default: | none |
Versions: | 10.0 and higher |
The RecoveryKeyURL value has user-interface support through the Local Group Policy Editor as a text box labelled
Custom recovery URL option:
in the user-interface support for the RecoveryKeyMessageSource value (see above).
If the DWORD data for RecoveryKeyMessageSource is 3, then the string data for RecoveryKeyURL becomes the value of the BCD option fverecoveryurl.
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSBcdAdditionalExcludedSettings |
Type: | REG_MULTI_SZ |
Default: | none |
Versions: | 6.2 and higher |
The OSBcdAdditionalExcludedSettings value has user-interface support through the Local Group Policy Editor as a multi-line text box labelled
Exclude the following additional BCD settings:
in the user-interface support for the OSUseEnhancedBcdProfile value (see above).
Key: | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE |
Value: | OSBcdAdditionalSecurityCriticalSettings |
Type: | REG_MULTI_SZ |
Default: | none |
Versions: | 6.2 and higher |
The OSBcdAdditionalSecurityCriticalSettings value has user-interface support through the Local Group Policy Editor as a multi-line text box labelled
Verify the following additional BCD settings:
in the user-interface support for the OSUseEnhancedBcdProfile value (see above).