Detections
Analytics
WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
Information
If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.Solution
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives 'Require additional authentication at startup' to 'Enabled' with 'Configure TPM Startup PIN:' set to 'Require startup PIN with TPM' or with 'Configure TPM startup key and PIN:' set to 'Require startup key and PIN with TPM'.See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_10_V3R6_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows 10 STIG v3r6
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-28, 800-53|SC-28(1), CAT|I, CCI|CCI-001199, CCI|CCI-002475, CCI|CCI-002476, Rule-ID|SV-220703r958552_rule, STIG-ID|WN10-00-000031, STIG-Legacy|SV-104689, STIG-Legacy|V-94859, Vuln-ID|V-220703
Plugin: Windows
Control ID: 6cef02f9903d91158b6dbdf29e065e23197d48ca2c0f6ab9b5097b60541eaf2d