
BitLocker | Harden System Security

Bitlocker Settings - Harden Windows Security


  • (Registry/cmdlet, Group Policy, CSP) The app sets up and configures Bitlocker according to the official documentation, using the most secure configuration and XTS-AES-256, a military-grade encryption algorithm, to protect the confidentiality and integrity of all information at rest.

    • It offers 2 security levels for OS drive encryption: Enhanced and Normal.

    • In the Normal security level, the OS drive is encrypted with TPM and Startup PIN. This provides very high security for your data, especially with a PIN that is long, complicated (uppercase and lowercase letters, symbols, numbers, spaces) and not the same as your Windows Hello PIN.

    • In the Enhanced security level, the OS drive is encrypted with TPM, Startup PIN and Startup key. This provides the highest level of protection by offering multifactor authentication: you will need to enter your PIN and also plug a flash drive containing a special BitLocker key into your device in order to unlock it. Continue reading more about it here.

    • Once the OS drive is encrypted, you will be prompted to confirm before each non-OS drive is encrypted. Those drives use the same algorithm as the OS drive and an Auto-unlock key protector. Removable flash drives are skipped.

    • The recovery information for all of the drives is saved in a single well-formatted text file in the root of the OS drive, C:\BitLocker-Recovery-Info-All-Drives.txt. It's very important to move it to a safe and reachable place as soon as possible, e.g. OneDrive's Personal Vault, which requires additional authentication to access. See here and here for more info. You can use it to unlock your drives if you ever forget your PIN, lose your Startup key (USB flash drive), or the TPM no longer has the correct authorization (e.g., after a firmware change).

    • The TPM has special anti-hammering logic which prevents a malicious user from guessing the authorization data indefinitely. Microsoft defines the maximum number of failed attempts in Windows as 32, and every single failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered-on (and successfully booted) operation without an event that increases the counter will cause the counter to decrease by 1. You can view all the details using this PowerShell command: Get-TPM.

    • Check out the Lock Screen category for more info about the recovery password and the 2nd anti-hammering mechanism.

    • BitLocker will give you real security against the theft of your device if you strictly abide by the following basic rules:

      • As soon as you have finished working, either hibernate or shut Windows down, and allow 2 minutes for every shadow of information to disappear from RAM. This practice is recommended in high-risk environments.

      • Do not mix 3rd-party encryption software and tools with Bitlocker. Bitlocker creates a secure, end-to-end encrypted ecosystem for your device and its peripherals. This secure ecosystem is backed by software, virtualization technology, TPM 2.0 and UEFI firmware, and Bitlocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with Bitlocker too.


Important

AMD Zen 2 and 3 CPUs have a vulnerability in them. If you use one of them, make sure your Bitlocker Startup PIN is at least 16 characters long (the maximum is 20).
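The following PowerShell script is an added example and is not code from the Harden Windows Security app. It walks through the Normal-level setup described above: it checks the TPM anti-hammering state with Get-Tpm, enforces the 16-20 character PIN rule from the note above, encrypts the OS drive with XTS-AES-256 and a TPM + Startup PIN protector, encrypts fixed data drives after confirmation with Auto-unlock, and writes all recovery passwords to the report file named in the text. It assumes the "Require additional authentication at startup" BitLocker policy already permits TPM + PIN, that the script runs elevated, and that the report path is writable.

```powershell
#Requires -RunAsAdministrator
# Added example, not the app's own code. Assumes the BitLocker startup policy
# already allows TPM + PIN and that the report path below is writable.
$ErrorActionPreference = 'Stop'

# 1. The TPM must be present, ready and not in anti-hammering lockout.
#    Get-Tpm exposes the lockout counters discussed above.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is absent or not ready.' }
if ($tpm.LockedOut) {
    throw "TPM is locked out ($($tpm.LockoutCount)/$($tpm.LockoutMax) failed attempts); wait for it to heal."
}

# 2. Read the startup PIN as a SecureString and enforce the 16-20 character rule
#    from the Important note (Zen 2/3 systems must not go below 16).
$pin = Read-Host -Prompt 'Startup PIN (16-20 characters)' -AsSecureString
if ($pin.Length -lt 16 -or $pin.Length -gt 20) {
    throw "PIN must be 16-20 characters long, got $($pin.Length)."
}

# 3. Encrypt the OS drive with XTS-AES-256 and a TPM + Startup PIN protector (Normal level).
#    For the Enhanced level, use -TpmAndPinAndStartupKeyProtector together with
#    -StartupKeyPath pointing at the USB flash drive instead.
$os = $env:SystemDrive
Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 4. Add a 48-digit recovery password as the fallback protector.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null

# 5. Fixed data drives: confirm, encrypt with the same algorithm, then enable auto-unlock.
#    Volumes without a drive letter and removable drives are skipped.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' }) {
    if ($vol.MountPoint -notmatch '^[A-Za-z]:$') { continue }
    $letter = $vol.MountPoint.TrimEnd(':')
    if ((Get-Volume -DriveLetter $letter).DriveType -ne 'Fixed') { continue }
    if ((Read-Host "Encrypt $($vol.MountPoint)? [y/N]") -ne 'y') { continue }
    Enable-BitLocker -MountPoint $vol.MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -SkipHardwareTest
    Enable-BitLockerAutoUnlock -MountPoint $vol.MountPoint
}

# 6. Write every recovery password to the single report file named in the text.
$report = "$os\BitLocker-Recovery-Info-All-Drives.txt"
$lines = foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        'Drive {0}  Protector {1}  Recovery password {2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
    }
}
Set-Content -Path $report -Value $lines
Write-Host "Recovery information written to $report. Move it to a safe location now."
```

The PIN length is read from the SecureString's Length property, so the PIN itself is never held in plain text. The recovery file contains everything needed to unlock the drives, which is why the text above insists on moving it off the machine (e.g. into OneDrive's Personal Vault) straight away.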



  • (Group Policy, CSP) Disallows standard (non-Administrator) users from changing the Bitlocker Startup PIN or password.



  • (Group Policy, CSP) (Only on physical machines) Enables Hibernate and adds Hibernate to the Start menu's power options.

    • Devices that support Modern Standby have the most security because the legacy sleep states (S1-S3) are not available. In Modern Standby, security components remain vigilant and the OS stays protected. Applying the Microsoft Security Baselines also automatically disables the legacy (S1-S3) sleep states.
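As an added example (not the app's own code), the following PowerShell script enables hibernation on a physical machine, makes Hibernate visible in the Start menu's power options, and reports which sleep states the firmware exposes, so you can tell whether the legacy S1-S3 states or Modern Standby (S0 Low Power Idle) are present. It assumes English-language powercfg output, an elevated session, and uses a manufacturer/model keyword match as a heuristic to skip virtual machines; the ShowHibernateOption registry value is the one written by the "Show hibernate in Power Options menu" Explorer policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not the app's own code. Assumes English powercfg output and an
# elevated session; the VM check below is a simple name heuristic.

# Hibernate is only configured on physical hardware, as the text says.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ("$($cs.Manufacturer) $($cs.Model)" -match 'Virtual|VMware|VirtualBox|QEMU|KVM|Xen') {
    Write-Host 'Virtual machine detected; skipping hibernation setup.'
    return
}

# Turn hibernation on (this creates hiberfil.sys on the OS drive) ...
powercfg.exe /hibernate on

# ... and surface Hibernate in the power menu via the Explorer policy value.
$explorerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name ShowHibernateOption -Value 1 -Type DWord

# Report sleep states. powercfg lists the available states first, then the
# unavailable ones, so keep only the text before the "not available" header.
$output    = (powercfg.exe /availablesleepstates) -join "`n"
$available = ($output -split 'are not available')[0]

$legacy = [regex]::Matches($available, 'Standby \(S[123]\)') |
          ForEach-Object { $_.Value } | Sort-Object -Unique
$modern = $available -match 'S0 Low Power Idle'

[pscustomobject]@{
    HibernateAvailable = [bool]($available -match '\bHibernate\b')
    ModernStandby      = $modern
    LegacySleepStates  = if ($legacy) { $legacy -join ', ' } else { 'none' }
}
```

On a Modern Standby device the output shows ModernStandby as True and no legacy states; on older hardware where S3 is still exposed, the LegacySleepStates field tells you that the firmware or baseline settings have not removed it, which is the gap the bullet above warns about.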



Refer to the official documentation on Bitlocker countermeasures.