18.9.11.3.13 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'

Information

This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
Note: The 'Choose drive encryption method and cipher strength' policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID). For example:
- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
The recommended state for this setting is: Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42.

Rationale:
From a strict security perspective the hardware-based encryption may offer the same, greater, or less protection than what is provided by BitLocker's software-based encryption depending on how the algorithms and key lengths compare.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:
None - this value is ignored when the checkbox above it (Restrict encryption algorithms and cipher suites allowed for hardware-based encryption) is False (unchecked), as is required in Rule 18.9.11.3.12. If that checkbox is set to True (checked), then the encryption algorithms permitted on removable drives would be restricted to the specified object identifiers (OIDs).

Default Value:
Encryption algorithms and cipher suites are not restricted for hardware-based encryption on removable drives.

References:
1. CCE-35540-4

See Also

https://workbench.cisecurity.org/benchmarks/14249