BitLocker Guidance

About Microsoft BitLocker

Microsoft BitLocker is a full volume encryption feature built into Windows. BitLocker is intended to protect data on devices that have been lost or stolen. BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and Windows 7, in the Professional and Enterprise editions of Windows 8/8.1, and in the Pro, Enterprise, and Education editions of Windows 10. BitLocker is also included in every Windows Server release since Windows Server 2008.

The Windows 10 BitLocker modules have been validated under the NIST FIPS 140-2 program multiple times:

About this repository

This repository hosts Group Policy Objects, compliance checks, and configuration tools in support of implementing BitLocker.

A BitLocker PowerShell module has been provided to aid in provisioning BitLocker on standalone systems. Group Policy and Microsoft SCCM 1910 CB can be used for provisioning BitLocker on domain joined systems.

BitLocker settings

NSA Cybersecurity recommends using the newest BitLocker settings in the Microsoft Windows Security Baseline, available in the Security Compliance Toolkit, with the following modifications:

General settings

View the policies as a CSV, which is easier to read than the table below and is also searchable.

| Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS |
|---|---|---|---|---|---|---|---|---|---|
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | PCI\CC_0C0A | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDs | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDsRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | {d48179be-ec20-11d1-b6b8-00c04fa372a7} | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClasses | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClassesRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | DCSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | ACSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered | Enabled | | HKLM\Software\Policies\Microsoft\FVE | OSRecovery | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Save BitLocker recovery information to AD DS for operating system drives | | Save BitLocker recovery information to AD DS for operating system drives | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Configure storage of BitLocker recovery information to AD DS | | Store recovery passwords and key packages | HKLM\Software\Policies\Microsoft\FVE | OSActiveDirectoryInfoToStore | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Choose how BitLocker-protected operating system drives can be recovered > Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | | Do not enable BitLocker until recovery information is stored in AD DS for operating system drives | HKLM\Software\Policies\Microsoft\FVE | OSRequireActiveDirectoryBackup | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes (domain joined systems only) |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsOs | 7 | Windows 10 1511+ | Windows Server 2016+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsFdv | 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives | Enabled | XTS-AES 256-bit or AES-CBC 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsRdv | 4 or 7 | Windows 10 1511+ | Windows Server 2016+ | No |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodNoDiffuser | 4 | Windows 8 - Windows 10 1507 | Windows Server 2012 - Windows Server 2012 R2 | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethod | 2 | Windows Vista - Windows 7 | Windows Server 2008 - Windows Server 2008 R2 | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | | HKLM\Software\Policies\Microsoft\FVE | DisableExternalDMAUnderLock | 1 | Windows 10 1703+ | N/A | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow Secure Boot for integrity validation | Enabled or Not Configured | | HKLM\Software\Policies\Microsoft\FVE | OSAllowSecureBootForIntegrity or not exist | 1 or not exist | Windows 8+ | Windows Server 2012+ | No |

PIN related settings

Some environments may want the additional protection provided by a BitLocker startup PIN. These settings are optional and may be configured when that protection is desired.

View the policies as a CSV, which is easier to read than the table below and is also searchable.

| Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS |
|---|---|---|---|---|---|---|---|---|---|
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow enhanced PINs for startup | Enabled | | HKLM\Software\Policies\Microsoft\FVE | UseEnhancedPin | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes |
| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Configure minimum PIN length for startup | Enabled | 6 or larger value | HKLM\Software\Policies\Microsoft\FVE | MinimumPIN | 6 or larger | Windows 7+ | Windows Server 2008 R2+ | Yes |

Administrators may need to configure BitLocker Network Unlock so that systems can apply updates without requiring a user to be physically present to enter a PIN at system boot.
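As an added example (not code from this repository or its BitLocker PowerShell module), the following script reads the registry values listed in the General settings and PIN related settings tables above and reports which ones hold the recommended data values. It assumes an elevated PowerShell prompt on a Windows 10 1703 or later client, so every row applies, and it checks only the enabling flags of the Device Installation Restrictions policies, not the device ID and setup class lists stored beneath them.

```powershell
# Added example (not part of the Secure-Host-Baseline repository): read-only audit of the
# BitLocker policy registry values from the tables above. Assumes an elevated PowerShell
# prompt on Windows 10 1703 or later, so every row in the tables applies.
$fve = 'HKLM:\Software\Policies\Microsoft\FVE'
$dev = 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$pwr = 'HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
# Expected data values copied from the tables. Allowed lists every acceptable value and a
# $null entry means the value may be absent (Not Configured). The PIN rows are optional.
# The device ID and setup class lists live in subkeys and are not inspected here.
$checks = @(
    @{ Name = 'OSRecovery';                     Path = $fve; Allowed = @(1);        Required = $true  }
    @{ Name = 'OSActiveDirectoryBackup';        Path = $fve; Allowed = @(1);        Required = $true  }
    @{ Name = 'OSActiveDirectoryInfoToStore';   Path = $fve; Allowed = @(1);        Required = $true  }
    @{ Name = 'OSRequireActiveDirectoryBackup'; Path = $fve; Allowed = @(1);        Required = $true  }
    @{ Name = 'EncryptionMethodWithXtsOs';      Path = $fve; Allowed = @(7);        Required = $true  }
    @{ Name = 'EncryptionMethodWithXtsFdv';     Path = $fve; Allowed = @(7);        Required = $false }
    @{ Name = 'EncryptionMethodWithXtsRdv';     Path = $fve; Allowed = @(4, 7);     Required = $false }
    @{ Name = 'DisableExternalDMAUnderLock';    Path = $fve; Allowed = @(1);        Required = $true  }
    @{ Name = 'OSAllowSecureBootForIntegrity';  Path = $fve; Allowed = @(1, $null); Required = $false }
    @{ Name = 'UseEnhancedPin';                 Path = $fve; Allowed = @(1);        Required = $false }
    @{ Name = 'MinimumPIN';                     Path = $fve; Minimum = 6;           Required = $false }
    @{ Name = 'DenyDeviceIDs';                  Path = $dev; Allowed = @(1);        Required = $true  }
    @{ Name = 'DenyDeviceIDsRetroactive';       Path = $dev; Allowed = @(1);        Required = $true  }
    @{ Name = 'DenyDeviceClasses';              Path = $dev; Allowed = @(1);        Required = $true  }
    @{ Name = 'DenyDeviceClassesRetroactive';   Path = $dev; Allowed = @(1);        Required = $true  }
    @{ Name = 'DCSettingIndex';                 Path = $pwr; Allowed = @(0);        Required = $true  }
    @{ Name = 'ACSettingIndex';                 Path = $pwr; Allowed = @(0);        Required = $true  }
)
function Test-BitLockerPolicy {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # A missing value name yields $null here instead of throwing.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        if ($c.ContainsKey('Minimum')) {
            # MinimumPIN passes for any value at or above the recommended minimum.
            $pass = ($null -ne $actual) -and ([int]$actual -ge $c.Minimum)
        } else {
            $pass = $c.Allowed -contains $actual
        }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Required = $c.Required
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}
Test-BitLockerPolicy | Format-Table -AutoSize
```

A FAIL on a row marked Required means the system deviates from the recommended baseline; a FAIL on an optional row is only significant in environments that have chosen to deploy that setting.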

BitLocker Group Policy

The Microsoft Security Compliance Toolkit contains BitLocker Group Policy Objects (GPOs) for the Windows Security Baseline of each Windows 10 operating system release. The GPOs can be used to configure and manage domain joined as well as standalone systems.

If using MBAM (Microsoft BitLocker Administration and Monitoring) to configure and manage BitLocker on domain joined systems, download the Microsoft Desktop Optimization Pack (MDOP) Group Policy templates, since they contain the MBAM Group Policy settings.

Importing the BitLocker domain Group Policy

Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker'

Importing the BitLocker local Group Policy

Use Microsoft's LGPO tool to apply the BitLocker Group Policy to a standalone system. Run the following command from a PowerShell prompt running as a local administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' -ToolPath '.\LGPO\lgpo.exe'

Common issues

Conflicting BitLocker startup options

Support for pre-boot PIN entry on tablets

License

See LICENSE.

Contributing

See CONTRIBUTING.

Disclaimer

See DISCLAIMER.