TCGSecurityActivationDisabled specifies whether Windows® automatically configures encrypted drives (eDrives), also known as encrypted hard disk drives (eHDDs).

TCGSecurityActivationDisabled sets the Group Policy administrative template setting: Do not automatically encrypt files moved to encrypted folders. This Group Policy setting is used after Windows is installed and started up. The setting specifies, for unprovisioned eDrives, whether security should be activated on the eDrive during provisioning. Use the DisableEncryptedDiskProvisioning unattend setting for configuring the operating system installation for the target HDD.

The eDrive must be configured in the unattend file by using the settings in Microsoft-Windows-Setup\DiskConfiguration\Disk. If the drives are configured manually, then the eDrive configuration policy may not be properly configured.



Specifies that Windows does not automatically encrypt eDrives.


Specifies that Windows automatically encrypts eDrives. This is the default value.

Valid Configuration Passes


Parent Hierarchy

Microsoft-Windows-EnhancedStorage-Adm | TCGSecurityActivationDisabled

Applies To

For a list of the Windows editions and architectures that this component supports, see Microsoft-Windows-EnhancedStorage-Adm.

XML Example

The following XML output shows how to configure Windows so that Windows does not automatically encrypt eDrives.

  Copy Code

See Also