CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' (Scored)

ProfileApplicability:

 Level 1 (L1) + BitLocker (BL)

 Level 2 (L2) + BitLocker (BL)

 BitLocker (BL) - optional add-on for when BitLocker is deployed

Description:

This policy setting allows you to configure whether you can use BitLocker without a Trusted PlatformModule (TPM), instead using a password or startup key on a USB flash drive. This policy setting is applied when you turn on BitLocker.

The recommended state for this setting is: Enabled: False (unchecked).

Rationale:

TPMwithout use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE:EnableBDEWithNoTPM

867 | P a g e