18.9.11.2.17 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'

Information

This policy setting allows you to configure whether you can use BitLocker without a Trusted Platform Module (TPM), instead using a password or startup key on a USB flash drive. This policy setting is applied when you turn on BitLocker.
The recommended state for this setting is: Enabled: False (unchecked).

Rationale:

TPM without use of a PIN will only validate early boot components and does not require a user to enter any additional authentication information. If a computer is lost or stolen in this configuration, BitLocker will not provide any additional measure of protection beyond what is provided by native Windows authentication unless the early boot components are tampered with or the encrypted drive is removed from the machine.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: False (unchecked):
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup: Allow BitLocker without a compatible TPM

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:

A compatible TPM will be required in order to use BitLocker.

See Also

https://workbench.cisecurity.org/files/2458

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5, 800-53|SC-28, CCE|CCE-33103-3, CSCv6|16.11

Plugin: Windows

Control ID: 9db5c9f2dcf145d9d85d25925253827e49bcfe0e065cac92e0fa6ecf2fd7c0d3