Disable: 'Configure use of smart cards on fixed data drives' for FDVAllowUserCert This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on fixed data drives" check box. Note: These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives. If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive. Counter Measure: EC: Smart cards use two-factor authentication (something you have and something you know) that provides a higher-level of protection than single-factor authentication. SSLF: Smart cards use two-factor authentication (something you have any something you know) that provides a higher-level of protection than single-factor authentication. Potential Impact: Enable this setting and select "Require use of smart cards on fixed data drives." Use of smart cards requires PKI infrastructure. Users will need to authenticate with the smart card to unlock the fixed drive every time they restart the computer."

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of smart cards on fixed data drives (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\FDVAllowUserCert,FDVEnforceUserCert