Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'


This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

The recommended state for this setting is: Disabled.


From a security perspective hardware-based encryption may introduce vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or user has not updated the firmware to remediate the vulnerability. For more information visit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring BitLocker to enforce software encryption.


None - this is the default behavior.


To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure use of hardware-based encryption for operating system drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Default Value:

BitLocker will use software-based encryption irrespective of hardware-based encryption availability.

See Also


Item Details


References: 800-53|SC-28, CSCv7|13.6

Plugin: Windows

Control ID: 8e7de747875218361d89d6fd7cfd27d731e145373771fe806687cf25d8bcd406