CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker's software-based encryption depending on how the algorithms and key lengths compare.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE:OSHardwareEncryption

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure use of hardware-based encryption for operating system drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

Hardware-based encryption can improve performance of both read and write operations to the storage drive.

Default Value:

BitLocker will use hardware-based encryption with the encryption algorithm set for the operating system drive. If hardware-based encryption is not available, BitLocker software- based encryption will be used instead.

References:

1. CCE-33167-8

852 | P a g e