18.10.9.2.10 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'

Information

This policy setting allows you to configure whether you can use BitLocker without a Trusted Platform Module (TPM), instead using a password or startup key on a USB flash drive. This policy setting is applied when you turn on BitLocker.

The recommended state for this setting is: Enabled: False (unchecked).

Rationale:

TPM without use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.

Impact:

A compatible TPM will be required in order to use BitLocker.

Solution

To establish the recommended configuration, set the following Device Configuration Policy so that Allow BitLocker without a compatible TPM (requires a password or a startup key on USB flash drive) is unchecked:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Administrative Templates)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Operating System Drives
Setting Name: Require additional authentication at startup
Configuration: Allow BitLocker without a compatible TPM (requires a password or a startup key on USB flash drive) - Unchecked

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings.
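A device-side audit for this recommendation, added here as an example and not part of the CIS benchmark or of Intune itself. It assumes the Administrative Templates setting lands in the FVE policy registry key (HKLM\SOFTWARE\Policies\Microsoft\FVE, values UseAdvancedStartup and EnableBDEWithNoTPM, as it does for Group Policy) and that the BitLocker PowerShell module is present:

```powershell
# Added audit example (not from the benchmark): report whether the policy has applied
# with "Allow BitLocker without a compatible TPM" unchecked, and whether the OS volume
# is in fact protected by a TPM-based key protector.
# Assumption: policy is stored under the FVE policy key, as for Group Policy.

$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerTpmRequirement {
    $result = [ordered]@{
        PolicyConfigured   = $false   # UseAdvancedStartup = 1 (setting is Enabled)
        AllowWithoutTpm    = $null    # EnableBDEWithNoTPM = 1 means the box is checked
        OsVolumeProtectors = @()
        OsVolumeUsesTpm    = $false
        Compliant          = $false
    }

    $policy = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue
    if ($policy -and $null -ne $policy.UseAdvancedStartup) {
        $result.PolicyConfigured = ($policy.UseAdvancedStartup -eq 1)
        # Recommended state is unchecked, i.e. EnableBDEWithNoTPM = 0.
        $result.AllowWithoutTpm = ($policy.EnableBDEWithNoTPM -eq 1)
    }

    # Check what the OS volume is actually protected with; a device that already
    # boots with a password-only protector will not be changed by the policy alone.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($osVolume) {
        $result.OsVolumeProtectors = @($osVolume.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() })
        $result.OsVolumeUsesTpm = @($result.OsVolumeProtectors |
            Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    }

    # Compliant with this item when the setting is Enabled and the box is unchecked.
    $result.Compliant = $result.PolicyConfigured -and ($result.AllowWithoutTpm -eq $false)
    [pscustomobject]$result
}

Test-BitLockerTpmRequirement | Format-List
```

Run from an elevated PowerShell session on the enrolled device; OsVolumeUsesTpm is informational and shows whether the existing protectors already match the intent of the policy.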

Default Value:

True (checked). Users can use BitLocker without a compatible TPM by using a password or startup key on a USB flash drive.

See Also

https://workbench.cisecurity.org/benchmarks/14664