• This repository has been archived on 03/Jun/2021

Configuration guidance for implementing BitLocker. #nsacyber

BitLocker Guidance

About Microsoft BitLocker

Microsoft BitLocker is a full volume encryption feature built into Windows. BitLocker is intended to protect data on devices that have been lost or stolen. BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and Windows 7, in the Professional and Enterprise editions of Windows 8/8.1, and in the Pro, Enterprise, and Education editions of Windows 10. BitLocker is also included in every Windows Server release since Windows Server 2008.

The Windows 10 BitLocker modules have been validated under the NIST FIPS 140-2 program multiple times:

About this repository

This repository hosts Group Policy Objects, compliance checks, and configuration tools in support of implementing BitLocker.

A BitLocker PowerShell module has been provided to aid in provisioning BitLocker on standalone systems. Group Policy and Microsoft SCCM 1910 CB can be used for provisioning BitLocker on domain joined systems.
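The following is an added example of provisioning the operating system drive on a standalone Windows 10 system; it is not the repository's own BitLocker module and uses only the BitLocker and TrustedPlatformModule cmdlets that ship with Windows. It applies the cipher this guidance recommends (XTS-AES 256-bit), creates a recovery password before encryption starts, and escrows that password to a path that is an assumption here (`$RecoveryKeyDir`); on a domain joined system the AD DS backup policies in the table below would take the place of that file copy.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repository's module): provision the OS drive with a TPM protector
# and XTS-AES 256-bit on a standalone Windows 10 system.
param(
    [string]$MountPoint     = $env:SystemDrive,         # assumption: the OS drive is the system drive
    [string]$RecoveryKeyDir = 'D:\BitLockerRecovery'    # assumption: removable media kept off the device
)

Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

# Pre-flight: TPM-only protection is only meaningful with a ready TPM and, ideally, Secure Boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; provision the TPM before enabling BitLocker.'
}
try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; integrity validation falls back to legacy PCR measurements.'
    }
} catch {
    Write-Warning 'Secure Boot state could not be read (legacy BIOS or unsupported firmware).'
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -eq 'On') {
    Write-Output "BitLocker is already on for $MountPoint ($($volume.EncryptionMethod))."
    return
}

# 1. Add a recovery password protector first so a recovery path exists before encryption begins.
$updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp = $updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

# 2. Escrow the recovery password off the device (standalone system: removable media).
New-Item -ItemType Directory -Path $RecoveryKeyDir -Force | Out-Null
$escrowFile = Join-Path $RecoveryKeyDir "$($env:COMPUTERNAME)-$($rp.KeyProtectorId).txt"
$rp.RecoveryPassword | Set-Content -Path $escrowFile

# 3. Enable BitLocker with a TPM protector and the recommended cipher.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

`-SkipHardwareTest` skips the reboot-based hardware test; omit it on unfamiliar hardware so a firmware that cannot unseal the TPM protector is caught before the drive is encrypted. `Get-BitLockerVolume` afterwards should report `XtsAes256` and, once encryption finishes, `ProtectionStatus` of `On`.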

BitLocker settings

NSA Cybersecurity recommends using the newest BitLocker settings in the Microsoft Windows Security Baseline, available in the Security Compliance Toolkit, with the following modifications:

  • The Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption can be set to XTS-AES 256-bit or AES-CBC 256-bit instead of just AES-CBC 256-bit. AES-CBC 256-bit is allowed so that operating system releases before Windows 10 1511 will be able to read the encrypted media.
  • The Deny write access to removable drives not protected by BitLocker policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives can be set to Not Configured instead of Enabled. BitLocker is not used for Data Loss Prevention in DoD.
  • The Configure minimum PIN length for startup policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives can be set to 6 or higher instead of 7. A value of 6 aligns with the Mobile Device Fundamentals Protection Profile.
  • The Disable new DMA devices when this computer is locked policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption can be set to Enabled or Not Configured. In Windows 10 1709 this policy has known issues that may cause certain built-in devices (network, audio, etc.) to stop working or may slow system boot.
  • Any settings that reinforce default behaviors are considered optional for configuration:
    • Allow Secure Boot for integrity validation policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives can be set to Enabled or Not Configured.
  • PIN settings are only required when a startup PIN is desired.

General settings

View the policies as a CSV, which is easier to read than the table below and is also searchable.

| Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS |
|---|---|---|---|---|---|---|---|---|---|
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | PCI\CC_0C0A | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDs | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDsRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | {d48179be-ec20-11d1-b6b8-00c04fa372a7} | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClasses | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClassesRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | DCSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | ACSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered | Enabled | | HKLM\Software\Policies\Microsoft\FVE | OSRecovery | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Save BitLocker recovery information to AD DS for operating system drives | Save BitLocker recovery information to AD DS for operating system drives | | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Configure storage of BitLocker recovery information to AD DS | | Store recovery passwords and key packages | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryInfoToStore | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | | HKLM\Software\Policies\Microsoft\FVE | OSRequireActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsOs | 7 | Windows 10 1511+ | Windows Server 2016+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsFdv | 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives | Enabled | XTS-AES 256-bit or AES-CBC 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsRdv | 4 or 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodNoDiffuser | 4 | Windows 8 - Windows 10 1507 | Windows Server 2012 - Windows Server 2012 R2 | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethod | 2 | Windows Vista - Windows 7 | Windows Server 2008 - Windows Server 2008 R2 | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | | HKLM\Software\Policies\Microsoft\FVE | DisableExternalDMAUnderLock | 1 | Windows 10 1703+ | N/A | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow Secure Boot for integrity validation | Enabled or Not Configured | | HKLM\Software\Policies\Microsoft\FVE | OSAllowSecureBootForIntegrity or not exist | 1 or not exist | Windows 8+ | Windows Server 2012+ | No |

PIN related settings

Some environments may desire additional protection provided by a BitLocker startup PIN. The settings are considered optional. The following settings may be configured when this scenario is desired.

View the policies as a CSV, which is easier to read than the table below and is also searchable.

| Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS |
|---|---|---|---|---|---|---|---|---|---|
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow enhanced PINs for startup | Enabled | | HKLM\Software\Policies\Microsoft\FVE | UseEnhancedPin | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Configure minimum PIN length for startup | Enabled | 6 or larger value | HKLM\Software\Policies\Microsoft\FVE | MinimumPIN | 6 or larger | Windows 7+ | Windows Server 2008 R2+ | Yes |

Administrators may need to configure BitLocker Network Unlock to ensure systems apply updates without requiring that a user be physically present to enter a PIN at system boot.
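The following is an added compliance check, written for this page and not taken from the repository's own compliance checks, that reads the registry values listed in the General settings table and the PIN related settings table above and reports any value that is missing or outside the documented data values. It follows the modifications listed under BitLocker settings (the removable drive method may be 4 or 7, the DMA and Secure Boot policies may be absent, the PIN minimum is 6 or larger) and treats the AD DS recovery policies as required only on domain joined systems. Two assumptions not stated on the page: the `-CheckPin` switch is this example's own, and the device ID and setup class lists are assumed to be stored as numbered string values under the `DenyDeviceIDs` and `DenyDeviceClasses` subkeys, which is how the Device Installation Restrictions policies are written by Group Policy.

```powershell
# Added example (not the repository's compliance checks): read-only comparison of the
# Group Policy registry values from the tables above against their documented data values.
# Run after gpupdate on a Windows 10 1511+ system; use -CheckPin when a startup PIN is in use.
param([switch]$CheckPin)

$fve = 'HKLM:\Software\Policies\Microsoft\FVE'
$dev = 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$pwr = 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

# Expected values from the tables. Optional = policy may also be Not Configured (value absent).
# DomainOnly = required only when the computer is domain joined.
$checks = @(
    @{ Path = $dev; Name = 'DenyDeviceIDs';                  Allowed = @(1) }
    @{ Path = $dev; Name = 'DenyDeviceIDsRetroactive';       Allowed = @(1) }
    @{ Path = $dev; Name = 'DenyDeviceClasses';              Allowed = @(1) }
    @{ Path = $dev; Name = 'DenyDeviceClassesRetroactive';   Allowed = @(1) }
    @{ Path = $pwr; Name = 'DCSettingIndex';                 Allowed = @(0) }
    @{ Path = $pwr; Name = 'ACSettingIndex';                 Allowed = @(0) }
    @{ Path = $fve; Name = 'OSRecovery';                     Allowed = @(1); DomainOnly = $true }
    @{ Path = $fve; Name = 'OSActiveDirectoryBackup';        Allowed = @(1); DomainOnly = $true }
    @{ Path = $fve; Name = 'OSActiveDirectoryInfoToStore';   Allowed = @(1); DomainOnly = $true }
    @{ Path = $fve; Name = 'OSRequireActiveDirectoryBackup'; Allowed = @(1); DomainOnly = $true }
    @{ Path = $fve; Name = 'EncryptionMethodWithXtsOs';      Allowed = @(7) }
    @{ Path = $fve; Name = 'EncryptionMethodWithXtsFdv';     Allowed = @(7);    Optional = $true }
    @{ Path = $fve; Name = 'EncryptionMethodWithXtsRdv';     Allowed = @(4, 7); Optional = $true }
    @{ Path = $fve; Name = 'DisableExternalDMAUnderLock';    Allowed = @(1);    Optional = $true }
    @{ Path = $fve; Name = 'OSAllowSecureBootForIntegrity';  Allowed = @(1);    Optional = $true }
)
if ($CheckPin) {
    $checks += @{ Path = $fve; Name = 'UseEnhancedPin'; Allowed = @(1) }
    $checks += @{ Path = $fve; Name = 'MinimumPIN';     Minimum = 6 }
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (policy Not Configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    $status = if ($null -eq $actual) {
        if ($c.Optional -or ($c.DomainOnly -and -not $domainJoined)) { 'OK (not configured)' } else { 'MISSING' }
    } elseif ($c.Minimum) {
        if ($actual -ge $c.Minimum) { 'OK' } else { 'FAIL' }
    } elseif ($c.Allowed -contains $actual) { 'OK' } else { 'FAIL' }
    $expected = if ($c.Minimum) { ">= $($c.Minimum)" } else { $c.Allowed -join ' or ' }
    [pscustomobject]@{ Value = $c.Name; Expected = $expected; Actual = $actual; Status = $status }
})

# List-type policies: the Policy Value column entries live in a subkey as numbered string values
# (assumed layout; verify against the exported GPO if the check reports FAIL on a compliant host).
$listChecks = @(
    @{ Sub = 'DenyDeviceIDs';     Entry = 'PCI\CC_0C0A' }
    @{ Sub = 'DenyDeviceClasses'; Entry = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}' }
)
$results += @(foreach ($l in $listChecks) {
    $key = Join-Path $dev $l.Sub
    $entries = @()
    if (Test-Path $key) {
        $entries = @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object Name -match '^\d+$' | ForEach-Object Value)
    }
    [pscustomobject]@{
        Value    = "$($l.Sub) list"
        Expected = $l.Entry
        Actual   = ($entries -join ', ')
        Status   = if ($entries -contains $l.Entry) { 'OK' } else { 'FAIL' }
    }
})

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or SCCM compliance item flag the deviation.
if ($results.Status -match '^(FAIL|MISSING)') { exit 1 }
```

The script only reads the policy hive, so it reports what Group Policy (or LGPO on a standalone system) has written, not what BitLocker actually applied to a volume; pair it with `Get-BitLockerVolume` to confirm the encryption method in use on each drive.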

BitLocker Group Policy

The Microsoft Security Compliance Toolkit contains BitLocker Group Policy Objects (GPO) for each Windows 10 operating system release's Windows Security Baseline. The GPOs can be used to configure and manage domain joined as well as standalone systems.

If using MBAM to configure and manage BitLocker on domain joined systems, then download the Microsoft Desktop Optimization Pack (MDOP) Group Policy templates since they contain the MBAM Group Policy settings.

Importing the BitLocker domain Group Policy

Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker'

Importing the BitLocker local Group Policy

Use Microsoft's LGPO tool to apply the BitLocker Group Policy to a standalone system. Run the following command from a PowerShell prompt running as a local administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' -ToolPath '.\LGPO\lgpo.exe'

Common issues

Conflicting BitLocker startup options

  • Issue: Error message: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Error code: 0x8031005B
  • Explanation: The 'Require additional authentication at startup' policy description text can be misleading on how to correctly configure it.
  • Resolution:
    1. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
    2. Change the Require additional authentication at startup policy so that either all 4 dropdown menu options are set to Allow, or exactly 1 option is set to Require and the other 3 options are set to Do not allow.
    3. Run gpupdate /force from the command line.
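As an added example (not part of the repository), the check below detects the conflicting configuration described above from the policy registry values on a client before `gpupdate` reports error 0x8031005B. It assumes the registry layout of the Require additional authentication at startup policy from the BitLocker ADMX, which this page does not list: the policy is enabled when `UseAdvancedStartup` is 1, and the four dropdowns are the DWORDs `UseTPM`, `UseTPMPIN`, `UseTPMKey` and `UseTPMKeyPIN` under HKLM\Software\Policies\Microsoft\FVE with 0 = Do not allow, 1 = Require and 2 = Allow.

```powershell
# Added example (not the repository's code): flag a 'Require additional authentication at
# startup' configuration that does not match either consistent shape from the resolution above.
# Assumed registry layout from the BitLocker ADMX: 0 = Do not allow, 1 = Require, 2 = Allow.
function Test-BitLockerStartupOptions {
    param([string]$PolicyKey = 'HKLM:\Software\Policies\Microsoft\FVE')

    $names = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $props -or $props.UseAdvancedStartup -ne 1) {
        return [pscustomobject]@{ Configured = $false; Valid = $true; Detail = 'Policy not configured' }
    }

    $values = @{}
    foreach ($n in $names) { $values[$n] = [int]$props.$n }   # missing value reads as 0 (Do not allow)
    $require = @($names | Where-Object { $values[$_] -eq 1 })
    $allow   = @($names | Where-Object { $values[$_] -eq 2 })

    # Consistent shapes per the resolution: all four Allow, or one Require and the other three Do not allow.
    $valid = ($allow.Count -eq 4) -or ($require.Count -eq 1 -and $allow.Count -eq 0)

    [pscustomobject]@{
        Configured = $true
        Valid      = $valid
        Detail     = ($names | ForEach-Object { "$_=$($values[$_])" }) -join ', '
    }
}

$result = Test-BitLockerStartupOptions
$result | Format-List
if (-not $result.Valid) {
    Write-Warning 'Startup options conflict; expect error 0x8031005B until the policy is corrected.'
}
```

Run it after the GPO has been applied (or point `-PolicyKey` at a registry hive exported from a reference machine); a `Valid` of `False` with, for example, `UseTPM=1, UseTPMPIN=2, ...` in `Detail` shows the mixed Require/Allow combination that the policy description text invites.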

Support for pre-boot PIN entry on tablets

  • Issue: Error message: No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. Error code: 0x803100B5
  • Explanation: BitLocker checks if the system is a tablet. If it is a tablet, then BitLocker displays the above error message when trying to use a PIN protector. BitLocker doesn't check if the system supports a pre-boot keyboard. Some tablets may have a BIOS that supports a software keyboard. For example, the Dell Venue 11 Pro, Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with a BIOS software keyboard. Some tablets may have a detachable keyboard that works during pre-boot. For example, the Surface Pro 2 with the March 2014 firmware update, Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with their detachable keyboards. If the tablet does not support a BIOS software keyboard or a detachable keyboard that works during pre-boot, then configuring the below policy will require that a USB keyboard be plugged into the tablet to enter a BitLocker PIN at pre-boot. Contact the OEM to inquire about tablet support for this specific scenario.
  • Resolution:
    1. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
    2. Set the Enable use of BitLocker authentication requiring preboot keyboard input on slates policy to Enabled.
    3. Run gpupdate /force from the command line.

License

See LICENSE.

Contributing

See CONTRIBUTING.

Disclaimer

See DISCLAIMER.
