Details
18.9.11.2.13 Ensure ‘Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available’ is set to ‘Enabled: True’
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If hardware-based encryption is not available BitLocker software-based encryption will be used instead.
The recommended state for this setting is: Enabled: True (checked).
Rationale:
From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker’s software-based encryption depending on how the algorithms and key lengths compare.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: True (checked):
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System DrivesConfigure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available
Impact:
None – this is the default configuration.
Default Value:
If hardware-based encryption is not available on the operating system drive, BitLocker software-based encryption will be used instead.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.