mirror of https://github.com/TommyTran732/Windows-Setup.git synced 2024-11-12 11:11:54 -05:00
Windows-Setup/Group Policies Objects/Bitlocker Drive Encryption.md
Tommy a2ada1ba15
Move Bitlocker to its own GPO
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-30 16:58:55 -07:00


Bitlocker Drive Encryption

Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption

Choose drive encryption method and cipher strength -> Enabled -> XTS-AES 256-bit for operating system, fixed data, and removable drives. (The policy only applies to volumes encrypted after it takes effect; a drive already encrypted with AES-CBC must be decrypted and re-encrypted to pick up XTS-AES. XTS-AES removable drives cannot be read by Windows versions older than Windows 10 1511.)

"Disable new DMA devices when this computer is locked" should only be enabled if the specific computer does not support Kernel DMA Protection (check the "Kernel DMA Protection" field in msinfo32). On machines that do support it, the IOMMU already blocks DMA from newly attached devices and the policy would only break Thunderbolt/USB4 docks plugged in while locked.

Operating System Drives

  • Require additional authentication at startup -> Enabled -> Do not allow TPM, Allow startup PIN with TPM, Do not allow startup key with TPM, Allow startup key and PIN with TPM. (This is especially important: with a TPM-only protector the TPM unseals the volume master key during boot with no user secret, so anyone holding the device boots straight to the logon screen with the key in memory. Requiring a PIN keeps the key sealed until the user is present.)
  • Allow enhanced PINs for startup -> Enabled. (Test this before rolling it out: not every UEFI firmware accepts the full keyboard at the pre-boot PIN prompt, and a PIN that cannot be typed there locks the user into recovery.)
  • Configure TPM platform validation profile for native UEFI firmware configurations -> Enabled -> PCR 0,1,2,3,4,5,6,7,11. (This is broader than the Microsoft default of 0,2,4,11 or 7,11; in particular PCR 1 covers firmware settings, so a BIOS setting change or firmware update will trigger recovery. Make sure recovery passwords are escrowed before applying it.)
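
The following verification script is an added example, not part of the Windows-Setup repository. It checks that the GPO above actually landed on a machine (the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those written by the BitLocker ADMX) and then compares the live state of the OS volume from Get-BitLockerVolume against what the policy intends. Run it from an elevated prompt after gpupdate /force.

```powershell
# Added verification script (not from the Windows-Setup repo): confirms the
# BitLocker GPO applied and the OS volume matches it. Run elevated after 'gpupdate /force'.
#Requires -RunAsAdministrator

$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction Stop   # fails loudly if no policy applied

# Value names from the BitLocker ADMX; 7 = XTS-AES 256-bit for EncryptionMethodWithXts*.
$expected = @{
    EncryptionMethodWithXtsOs  = 7   # operating system drives
    EncryptionMethodWithXtsFdv = 7   # fixed data drives
    EncryptionMethodWithXtsRdv = 7   # removable data drives
    UseAdvancedStartup         = 1   # "Require additional authentication at startup" = Enabled
    UseTPM                     = 0   # Do not allow TPM-only
    UseTPMPIN                  = 1   # Allow startup PIN with TPM
    UseTPMKey                  = 0   # Do not allow startup key with TPM
    UseTPMKeyPIN               = 1   # Allow startup key and PIN with TPM
    UseEnhancedPin             = 1   # "Allow enhanced PINs for startup" = Enabled
}

$failures = @()
foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    if ($actual -ne $expected[$name]) {
        $failures += "Policy ${name}: expected $($expected[$name]), got '$actual'"
    }
}

# PCR profile: the UEFI policy writes one DWORD per PCR index (1 = selected)
# under the OSPlatformValidation_UEFI subkey.
$pcrKey = Join-Path $fve 'OSPlatformValidation_UEFI'
$wanted = 0,1,2,3,4,5,6,7,11
if (Test-Path $pcrKey) {
    $pcr      = Get-ItemProperty -Path $pcrKey
    $selected = 0..23 | Where-Object { $pcr."$_" -eq 1 }   # already in ascending order
    if (($selected -join ',') -ne ($wanted -join ',')) {
        $failures += "PCR profile: expected $($wanted -join ','), got $($selected -join ',')"
    }
} else {
    $failures += 'PCR profile: OSPlatformValidation_UEFI not configured'
}

# Only meaningful on machines without Kernel DMA Protection (see msinfo32), so report, do not fail.
"DisableExternalDMAUnderLock = $($policy.DisableExternalDMAUnderLock)"

# Live state: what BitLocker actually did with the OS volume.
$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if ($os.EncryptionMethod -ne 'XtsAes256') {
    $failures += "OS volume cipher is $($os.EncryptionMethod), not XtsAes256 (policy only affects new encryption)"
}
$types = $os.KeyProtector.KeyProtectorType
if ($types -contains 'Tpm') {
    $failures += 'OS volume has a TPM-only protector; the TPM will unseal the key with no PIN'
}
if (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
    $failures += 'OS volume has no TPM+PIN protector'
}
if ($types -notcontains 'RecoveryPassword') {
    $failures += 'OS volume has no recovery password; a PCR change would lock the machine out'
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
'BitLocker configuration matches the GPO.'
```

The policy check and the volume check are deliberately separate: a correct registry state only proves the GPO arrived, while a volume encrypted before the policy was applied will still show its old cipher and protectors, which is the case the script is designed to catch.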