18.9.11.4 Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled: XTS-AES 256-bit' - EncryptionMethodWithXtsFdv

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows 10 Release 1511 and newer.

The recommended state for this setting is Enabled: XTS-AES 256-bit (for operating system drives), XTS-AES 256-bit (for fixed data drives), AES-CBC 256-bit (for removable data drives).

Rationale:

The use of the AES 128-bit encryption method is likely to be strong enough for the majority of applications, but those requiring the highest level of security may find this setting suboptimal.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: XTS-AES 256-bit (for operating system drives), XTS-AES 256-bit (for fixed data drives), AES-CBC 256-bit (for removable data drives):

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
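The following PowerShell check is an added example and is not part of the CIS benchmark or the Tenable audit. It assumes the registry values that the VolumeEncryption.admx template writes under HKLM:\SOFTWARE\Policies\Microsoft\FVE (EncryptionMethodWithXtsOs, EncryptionMethodWithXtsFdv, EncryptionMethodWithXtsRdv, with 3 = AES-CBC 128-bit, 4 = AES-CBC 256-bit, 6 = XTS-AES 128-bit, 7 = XTS-AES 256-bit); only EncryptionMethodWithXtsFdv is named on this page. Because the policy only takes effect when BitLocker is turned on, it also reports the method each volume is actually using.

```powershell
# Added example, not from the CIS benchmark or Tenable audit.
# Assumption: policy values from VolumeEncryption.admx under the FVE key below.
#   EncryptionMethodWithXtsOs  - operating system drives
#   EncryptionMethodWithXtsFdv - fixed data drives (the value this audit checks)
#   EncryptionMethodWithXtsRdv - removable data drives
# Assumed encoding: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
# Run in an elevated session; Get-BitLockerVolume requires the BitLocker module.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Expected = @{
    EncryptionMethodWithXtsOs  = 7   # XTS-AES 256-bit
    EncryptionMethodWithXtsFdv = 7   # XTS-AES 256-bit
    EncryptionMethodWithXtsRdv = 4   # AES-CBC 256-bit (interoperability with older OS versions)
}
$MethodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }

function Test-BitLockerMethodPolicy {
    # Compare each configured policy value against the recommended state.
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $actualText = if ($null -eq $actual) {
            'not configured (default: XTS-AES 128-bit)'
        } elseif ($MethodNames.ContainsKey([int]$actual)) {
            $MethodNames[[int]$actual]
        } else {
            "unrecognised value $actual"
        }
        [pscustomobject]@{
            Value    = $name
            Expected = $MethodNames[$Expected[$name]]
            Actual   = $actualText
            Pass     = ($null -ne $actual -and [int]$actual -eq $Expected[$name])
        }
    }
}

function Get-BitLockerMethodInUse {
    # Drives encrypted before the policy was applied keep their original method,
    # so the policy check alone does not prove what protects the data today.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod
}

Test-BitLockerMethodPolicy | Format-Table -AutoSize
Get-BitLockerMethodInUse   | Format-Table -AutoSize
```

A volume whose EncryptionMethod differs from the policy must be decrypted and re-encrypted for the new cipher to apply, since changing the setting does not re-encrypt existing drives.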

Impact:

Using XTS-AES 256-bit will not significantly impact initial encryption speed and overall computer performance in most cases. AES-CBC is preferred for removable data drives to allow interoperability with older OS versions.

Default Value:

Disabled. (BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script.)

See Also

https://workbench.cisecurity.org/files/2550