CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
Rationale:
From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker's software-based encryption depending on how the algorithms and key lengths compare.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE:FDVAllowedHardwareEncryptionAlgorithms
Remediation:
To establish the recommended configuration via GP, set the following UI path to Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Impact:
None - this value is ignored when the checkbox above it (Restrict encryption algorithms and cipher suites allowed for hardware-based encryption) is False (unchecked), as is required in Rule 18.9.11.1.12. If that checkbox is set to True (checked), then the encryption algorithms permitted on fixed drives would be restricted to the specified object identifiers (OIDs).
Default Value:
Encryption algorithms and cipher suites are not restricted for hardware-based encryption on fixed drives.
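The audit step above can be scripted. The following PowerShell check is an added example, not part of the CIS benchmark: it reads the backing registry value, compares the semicolon-separated OID list against the prescribed one, and also reports the state of the restriction checkbox, since the OID list is ignored while that checkbox is unchecked. The value name FDVRestrictHardwareEncryptionAlgorithms for the checkbox is not given on this page and is an assumption.

```powershell
# Added audit example (not from the CIS benchmark text).
# Assumption: the "Restrict encryption algorithms and cipher suites allowed for
# hardware-based encryption" checkbox is backed by the REG_DWORD
# FDVRestrictHardwareEncryptionAlgorithms in the same key; the page does not name it.
$FveKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$AllowedName  = 'FDVAllowedHardwareEncryptionAlgorithms'
$RestrictName = 'FDVRestrictHardwareEncryptionAlgorithms'   # assumed value name
$ExpectedOids = @('2.16.840.1.101.3.4.1.2',                 # id-aes128-CBC
                  '2.16.840.1.101.3.4.1.42')                # id-aes256-CBC

function Test-FdvAllowedHardwareEncryptionAlgorithms {
    $props = Get-ItemProperty -Path $FveKey -ErrorAction SilentlyContinue
    $prop  = if ($props) { $props.PSObject.Properties[$AllowedName] } else { $null }
    if (-not $prop) {
        return [pscustomobject]@{
            Compliant = $false; Actual = @(); Missing = $ExpectedOids; Extra = @()
            Restricted = $false; Note = "$AllowedName not present: policy is Not Configured"
        }
    }
    # REG_SZ of OIDs separated by ';' (tolerate stray whitespace or a trailing ';')
    $actual  = @($prop.Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $missing = @($ExpectedOids | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $ExpectedOids -notcontains $_ })

    # The checkbox decides whether Windows enforces the OID list at all (see Impact).
    $restrictProp = $props.PSObject.Properties[$RestrictName]
    $restricted   = [bool]($restrictProp -and $restrictProp.Value -eq 1)

    [pscustomobject]@{
        Compliant  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Actual     = $actual
        Missing    = $missing
        Extra      = $extra
        Restricted = $restricted
        Note       = $(if ($restricted) { 'Checkbox enabled: OID list is enforced' }
                       else { 'Checkbox disabled (as Rule 18.9.11.1.12 requires): OID list is not enforced' })
    }
}

Test-FdvAllowedHardwareEncryptionAlgorithms | Format-List
```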
References:
1. CCE-33080-3