This is an automated archive.

The original was posted on /r/privacy by /u/dbzsfreak on 2023-08-06 18:17:20+00:00.


Recently, I came across a post on how to improve the security of BitLocker with some policy settings. Unfortunately, the post has since been deleted. As many of you might rely on BitLocker protection for your everyday computers, I thought it would be helpful to share a summary of the post and its policy settings.

Open gpedit.msc

Here we go:

  1. Disable hardware-based encryption for better security:
     - Navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.”
     - Set “Configure use of hardware-based encryption for [drive type]” to Disabled for Fixed Data Drives, Operating System Drives, and Removable Data Drives.
  2. Change the default encryption algorithm:
     - Navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.”
     - Set “Choose drive encryption method and cipher strength” as follows:
       - Operating System Drives: XTS-AES 256-bit
       - Fixed Data Drives: XTS-AES 256-bit
       - Removable Data Drives: AES-CBC 256-bit
  3. Disable S1-S3 standby modes:
     - Under “Computer Configuration\Administrative Templates\System\Power Management,” disable “Allow standby states (S1-S3) when sleeping (plugged in)” and “Allow standby states (S1-S3) when sleeping (on battery).”
  4. Block direct memory access (DMA) for hot-pluggable PCI ports until user sign-in:
     - Set “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked” to Enabled.
  5. Enable TPM platform validation (if available):
     - Navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.”
     - Configure the TPM platform validation profile to Enabled with the recommended default configuration (PCRs 0, 2, 4, and 11).
  6. ACTIVATE BITLOCKER NOW AFTER STEP 5, THEN PROCEED
  7. Configure additional authentication at startup (TPM PIN and/or startup key):
     - Set “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup.”
     - Choose the desired options for TPM startup and PIN/authentication key configuration:
       - For “Configure TPM startup:”, choose “Allow TPM.”
       - For “Configure TPM startup PIN:”, choose “Require startup PIN with TPM.”
       - For “Configure TPM startup key:”, choose “Allow startup key with TPM.”
       - For “Configure TPM startup key and PIN:”, choose “Allow startup key and PIN with TPM.”
  8. Enable enhanced PINs (optional):
     - Navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup.”
     - Change the PIN length by running “manage-bde -protectors -add c: -TPMAndPIN” in an elevated command prompt or PowerShell window.
  9. Run “gpupdate /force” to apply the group policy changes.

If anyone has questions, please leave them in the comments or just look them up. Every setting mentioned here is explained online.
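Because group policy edits and the resulting BitLocker state are easy to get subtly wrong (a policy that was never applied, or an OS volume that was encrypted before the cipher policy changed and so still uses the old method), here is an added PowerShell audit script for the settings above. It is not part of the original post. It assumes the registry value names that the listed gpedit settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption, EncryptionMethodWithXtsOs/Fdv/Rdv, DisableExternalDMAUnderLock, UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, UseEnhancedPin) and the power-setting GUID abfc2519-3608-4c2a-94ea-171b0ed546ab for the S1-S3 standby policy; it relies on the built-in Get-BitLockerVolume cmdlet for the volume check. The platform validation profile (step 5) is not checked because its registry layout is more involved. Run it elevated after "gpupdate /force".

```powershell
# Added example (not from the original post): audit the BitLocker policy
# values described above and the resulting state of the OS volume.
# Assumption: the registry value names below are the ones the listed
# gpedit settings write. Run as Administrator after 'gpupdate /force'.

$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Assumed power-policy GUID for "Allow standby states (S1-S3) when sleeping"
$Standby = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

# Expected values per step. Cipher codes: 4 = AES-CBC 256, 7 = XTS-AES 256.
# UseTPM* codes: 0 = do not allow, 1 = require, 2 = allow.
$Expected = @(
    @{ Step = 1; Path = $Fve;     Name = 'OSHardwareEncryption';        Value = 0 }
    @{ Step = 1; Path = $Fve;     Name = 'FDVHardwareEncryption';       Value = 0 }
    @{ Step = 1; Path = $Fve;     Name = 'RDVHardwareEncryption';       Value = 0 }
    @{ Step = 2; Path = $Fve;     Name = 'EncryptionMethodWithXtsOs';   Value = 7 }
    @{ Step = 2; Path = $Fve;     Name = 'EncryptionMethodWithXtsFdv';  Value = 7 }
    @{ Step = 2; Path = $Fve;     Name = 'EncryptionMethodWithXtsRdv';  Value = 4 }
    @{ Step = 3; Path = $Standby; Name = 'ACSettingIndex';              Value = 0 }
    @{ Step = 3; Path = $Standby; Name = 'DCSettingIndex';              Value = 0 }
    @{ Step = 4; Path = $Fve;     Name = 'DisableExternalDMAUnderLock'; Value = 1 }
    @{ Step = 7; Path = $Fve;     Name = 'UseAdvancedStartup';          Value = 1 }
    @{ Step = 7; Path = $Fve;     Name = 'UseTPM';                      Value = 2 }
    @{ Step = 7; Path = $Fve;     Name = 'UseTPMPIN';                   Value = 1 }
    @{ Step = 7; Path = $Fve;     Name = 'UseTPMKey';                   Value = 2 }
    @{ Step = 7; Path = $Fve;     Name = 'UseTPMKeyPIN';                Value = 2 }
    @{ Step = 8; Path = $Fve;     Name = 'UseEnhancedPin';              Value = 1 }
)

# Compare one policy value with its expected setting.
function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'MISSING (policy not applied)' }
    if ([int]$item.$Name -eq $Value) { return 'OK' }
    return "MISMATCH (found $($item.$Name), expected $Value)"
}

# One row per expected policy value.
function Get-PolicyAudit {
    foreach ($e in $Expected) {
        [pscustomobject]@{
            Step   = $e.Step
            Name   = $e.Name
            Result = Test-PolicyValue -Path $e.Path -Name $e.Name -Value $e.Value
        }
    }
}

# Check what actually protects the OS volume. A policy only governs volumes
# encrypted after it is set, so an existing volume can still report an older
# cipher; the protector list shows whether a TPM+PIN protector exists and
# whether a recovery password is present to fall back on.
function Get-OsVolumeAudit {
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { return 'No BitLocker OS volume found' }
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        ProtectionStatus = $os.ProtectionStatus
        EncryptionMethod = $os.EncryptionMethod      # expect XtsAes256 per step 2
        HasTpmPin        = ($types -contains 'TpmPin')
        HasRecoveryPass  = ($types -contains 'RecoveryPassword')
    }
}

Get-PolicyAudit  | Format-Table -AutoSize
Get-OsVolumeAudit | Format-List
```

A MISSING result usually means the policy was not refreshed yet; a MISMATCH means someone changed the setting. If EncryptionMethod on the OS volume is not XtsAes256, the volume was encrypted before step 2 took effect and will need to be decrypted and re-encrypted to pick up the new cipher. HasRecoveryPass should be true before you add a TPM+PIN protector, so that a forgotten PIN or a firmware update that changes the measured PCRs does not lock you out of your own disk.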