18.9.11.2.12 Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True'

Information

This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If hardware-based encryption is not available BitLocker software-based encryption will be used instead.
The recommended state for this setting is: Enabled: True (checked).

Rationale:

From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker's software-based encryption depending on how the algorithms and key lengths compare.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: True (checked):
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/files/2458

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CCE|CCE-33167-8, CSCv6|13.2, CSCv7|13.6

Plugin: Windows

Control ID: 2b3304a3c0193149a939b1af4e4dfcd0187a40973f47c09c7fdb55a4307f9608