Factory Encrypted Drives

You can install Windows on factory-encrypted drives, also known as encrypted hard disk drives (eHDD). A factory-encrypted drive is a drive that is capable of full-disk encryption.

By default, when you install Windows on a factory-encrypted drive, Windows automatically encrypts the drive by using Trusted Computing Group (TCG) and IEEE 1667 transport encryption standards.


To install Windows onto a factory-encrypted drive, you need the following:

  1. Firmware: UEFI version 2.3.1 that has been configured to use the EFI storage security protocol.

  2. Hardware: a hard disk drive that is capable of using TCG and IEEE 1667 transport encryption standards.

Using other encryption standards

To use another encryption standard on your drive, you must first disable the automatic drive provisioning that Windows provides. To do this on a new installation, set the Microsoft-Windows-EnhancedStorage-Adm/TCGSecurityActivationDisabled Unattend setting to true. For more information, see the Unattended Windows Setup Reference.
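
A pre-deployment check for the setting described above, added here as an example and not part of the original page: it parses an answer file and reports whether TCGSecurityActivationDisabled is set to true for the Microsoft-Windows-EnhancedStorage-Adm component. The sample answer file is constructed; its specialize pass, its component attributes, and the acceptance of "1" as a synonym for true are assumptions to confirm against the Unattended Windows Setup Reference.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
COMPONENT = "Microsoft-Windows-EnhancedStorage-Adm"
SETTING = "TCGSecurityActivationDisabled"

# Constructed sample answer file. The "specialize" pass and the component
# attributes are assumptions; confirm them in the Unattended Windows Setup Reference.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-EnhancedStorage-Adm"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <TCGSecurityActivationDisabled>true</TCGSecurityActivationDisabled>
    </component>
  </settings>
</unattend>
"""

def provisioning_disabled_in(unattend_xml):
    """Return {pass: bool} for every pass that sets TCGSecurityActivationDisabled."""
    root = ET.fromstring(unattend_xml.encode("utf-8"))
    found = {}
    for settings in root.findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            if comp.get("name") != COMPONENT:
                continue
            node = comp.find(f"u:{SETTING}", NS)
            if node is not None:
                # Assumption: "1" is accepted as the XML boolean form of true.
                value = (node.text or "").strip().lower()
                found[settings.get("pass")] = value in ("true", "1")
    return found

def audit(unattend_xml):
    """Summarise whether Windows will still auto-provision the encrypted drive."""
    found = provisioning_disabled_in(unattend_xml)
    if not found:
        return "setting absent: Windows keeps its default automatic provisioning"
    if all(found.values()):
        return "automatic provisioning disabled in pass(es): " + ", ".join(sorted(found))
    return "setting present but not true in every pass: " + repr(found)

if __name__ == "__main__":
    print(audit(SAMPLE_UNATTEND))
```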

