BitLocker Guidance

About Microsoft BitLocker

Microsoft BitLocker is a full volume encryption feature built into Windows. BitLocker is intended to protect data on devices that have been lost or stolen. BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and Windows 7, in the Professional and Enterprise editions of Windows 8/8.1, and in the Pro, Enterprise, and Education editions of Windows 10. BitLocker is also included in the Windows Server releases of Windows since Window Server 2008.

The Windows 10 BitLocker modules have been validated against NIST FIPS 140-2 program multiple times:

• June 2, 2016 certificate numbers 2601, 2602, and 2603.
• August 26, 2016 certificate numbers 2701, 2702, 2703.
• January 26, 2017 certificate numbers 2932, 2933, and 2934.

About this repository

This repository hosts Group Policy Objects, compliance checks, and configuration tools in support of implementing BitLocker.

A BitLocker PowerShell module has been provided to aid in provisioning BitLocker on standalone systems. Group Policy and Microsoft SCCM 1910 CB can be used for provisioning BitLocker on domain joined systems.

BitLocker settings

NSA Cybersecurity recommends using the newest BitLocker settings in the Microsoft Windows Security Baseline, available in the Security Compliance Toolkit, with the following modifications:

• The Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives policy under can be set to XTS-AES 256-bit or AES-CBC 256-bit instead of just AES-CBC 256-bit. AES-CBC 256-bit is allowed so operating system releases before Windows 10 1511 will be able read the encrypted media.
• The Deny write access to removable drives not protected by BitLocker policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives can be set to Not Configured instead of Enabled. BitLocker is not used for Data Loss Prevention in DoD.
• The Configure minimum PIN length for startup policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives can be set to 6 or higher instead of 7. A value of 6 aligns with the Mobile Device Fundamentals Protection Profile.
• The Disable new DMA devices when this computer is locked policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption can be set to Enabled or Not Configured. This policy has known issues that may lead to certain built-in devices (network, audio, etc) not working, or a slow system boot, in Windows 10 1709.
• Any settings that reinforce default behaviors are considered optional for configuration:
  • Allow Secure Boot for integrity validation policy under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives can be set to Enabled or Not Configured.
• PIN settings are only required when a startup PIN is desired.

General settings

View the policies as a CSV which is easier to read than the table below and is also searchable.

PIN related settings

Some environments may desire additional protection provided by a BitLocker startup PIN. The settings are considered optional. The following settings may be configured when this scenario is desired.

View the policies as a CSV which is easier to read than the table below and is also searchable.

Administrators may need to configure BitLocker Network Unlock to ensure systems apply updates without requiring a user be physically present to enter a PIN at system boot.

BitLocker Group Policy

The Microsoft Security Compliance Toolkit contains BitLocker Group Policy Objects (GPO) for each Windows 10 operating system release's Windows Security Baseline. The GPOs can be used to configure and manage domain joined as well as standalone systems.

If using MBAM to configure and manage BitLocker on domain joined systems, then download the Microsoft Desktop Optimization Pack (MDOP) Group Policy templates since they contain the MBAM Group Policy settings.

Importing the BitLocker domain Group Policy

Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker'

Importing the AppLocker local Group Policy

Use Microsoft's LGPO tool to apply the BitLocker Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' -ToolPath '.\LGPO\lgpo.exe'

Common issues

Conflicting BitLocker startup options

• Issue: Error message: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Error code: 0x8031005B
• Explanation: The 'Require additional authentication at startup' policy description text can be misleading on how to correctly configure it.
• Resolution:
  1. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
  2. Change the Require additional authentication at startup policy to configure all 4 dropdown menu options to Allow OR set 1 option to Require and the other 3 options to Do not allow.
  3. Run gpupdate /force from the command line.

Support for pre-boot PIN entry on tablets

• Issue: Error message: No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume. Error code: 0x803100B5
• Explanation: BitLocker checks if the system is a tablet. If it is a tablet, then BitLocker displays the above error message when trying to use a PIN protector. BitLocker doesn't check if the system supports a pre-boot keyboard. Some tablets may have a BIOS that supports a software keyboard. For example, the Dell Venue 11 Pro, Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with a BIOS software keyboard. Some tablets may have detachable keyboard that works during pre-boot. For example, the Surface Pro 2 with firmware update from March 2014, Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with their detachable keyboards. If the tablet does not support a BIOS software keyboard or a detachable keyboard that works during pre-boot, then configuring the below policy will require a USB keyboard be plugged into the tablet to enter a BitLocker PIN at pre-boot. Contact the OEM to inquire about tablet support for this specific scenario.
• Resolution:
  1. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
  2. Set the Enable use of BitLocker authentication requiring preboot keyboard input on slates policy to Enabled.
  3. Run gpupdate /force from the command line.

License

See LICENSE.

Contributing

See CONTRIBUTING.

Disclaimer

See DISCLAIMER.