2023-11-06 09:07:29 -05:00
# Bitlocker Drive Encryption
2023-11-07 02:21:23 -05:00
`Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption`
2023-11-06 09:07:29 -05:00
2023-12-30 18:58:55 -05:00
Choose drive encryption method and cipher strength-> Enable -> XTS-AES 256-bit for operating system, fixed data, and removable drives.
2023-11-06 09:07:29 -05:00
2023-12-30 18:58:55 -05:00
**The disable new DMA devices when computer is locked should only be enabled if the specific computer does not support kernel DMA protection.**
2023-11-14 16:18:42 -05:00
2023-11-06 09:07:29 -05:00
## Operating System Drives
2023-11-06 10:12:37 -05:00
- Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (**This is especially important as we do not want the TPM to automatically release the encryption key at boot.**)
2023-11-20 17:41:38 -05:00
- Allow enhanced PINs for startup -> Enabled.
2023-11-20 17:46:33 -05:00
- Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,3,4,5,6,7,11
