Reference Guide
Manage Policies
Configure TPM Startup
Default: Allow
Possible values: Do Not Allow, Require, Allow
On computers with a compatible TPM, three types of authentication are supported. Only one of the following can be required or allowed:
  Configure TPM Startup PIN
  Configure TPM Startup Key
  Configure TPM Startup Key and PIN
To use this policy, Require Additional Authentication at System Startup must be set to Selected.

Configure TPM Startup PIN
Default: Allow
Possible values: Do Not Allow, Require, Allow
To use this policy, Require Additional Authentication at System Startup must be set to Selected.
This type of authentication involves the entry of a 4-digit to 20-digit personal identification number (PIN).

Configure TPM Startup Key
Default: Do Not Allow
Possible values: Do Not Allow, Require, Allow
To use this policy, Require Additional Authentication at System Startup must be set to Selected.
This type of authentication involves insertion of a USB drive containing the startup key.

Configure TPM Startup Key and PIN
Default: Do Not Allow
Possible values: Do Not Allow, Require, Allow
To use this policy, Require Additional Authentication at System Startup must be set to Selected.
This type of authentication involves a 4-digit to 20-digit personal identification number (PIN) and a USB drive containing the startup key.

Encryption Method and Cipher Strength (OS Volumes)
Default: XTS-AES-128
Possible values:
  AES-128
  AES-256
  XTS-AES-128 (for use with Windows 10 Anniversary Edition and later)
  XTS-AES-256 (for use with Windows 10 Anniversary Edition and later)
Algorithm and cipher strength used by BitLocker Drive Encryption for OS Volumes.