CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker's software-based encryption depending on how the algorithms and key lengths compare.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE:FDVHardwareEncryption

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of hardware-based encryption for fixed data drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

Hardware-based encryption can improve performance of both read and write operations to the storage drive.

Default Value:

BitLocker will use hardware-based encryption with the encryption algorithm set for fixed drives. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.

References:

1. CCE-33080-3

806 | P a g e