Windows 10: rate my BitLocker config

Discussion in 'AntiVirus, Firewalls and System Security' started by up2trix, Jan 16, 2019.

  1. up2trix Win User

    rate my BitLocker config


    I have a new Dell Precision 7530 laptop that I am configuring. One of my first steps is setting up full drive encryption on it.

    I decided to go with BitLocker, as opposed to Veracrypt, because it should integrate better with the firmware. In particular, I have verified that my BIOS settings are configured to enable SecureBoot and to only boot using UEFI (no legacy). Veracrypt has until recently been problematic in this case.

    Since I am new to BitLocker, I had a lot of education to do.

    I found BitLocker to be complicated. I especially do not like that the out of the box wizard hides way too many choices that I think are critical, and some of the default choices are wrong.

    I found that I had to learn about Group Policies and really go thru all the BitLocker ones to come up with choices that meet my security needs.

    The first part of my post below, therefore, is all the Group Policy changes that I made before I did the BitLocker encryption. The actual encryption was then so straightforward that I have nothing to report. The last part of my post are the critical links that document some of my choices.

    I am posting this both as a service to others as well as to solicit critical feedback from anyone who is a BitLocker expert.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Group Policy settings. The 6 sections below each start with the parent Group Policy path, then indented are the final names followed by the setting I used and perhaps my comment.

    Code:
    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
        Choose drive encryption method and cipher strength (Windows 8...
            AES 256-bit; is best security choice
        Choose drive encryption method and cipher strength (Windows 10...
            XTS-AES 256-bit for all drive types; ditto
        Choose drive encryption method and cipher strength (Windows Vista...
            AES 256-bit; ditto
        Disable new DMA devices when this computer is locked
            Enabled; see DMA protection below
        Prevent memory overwrite on restart
            Disabled; you WANT memory overwrite on restart

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
        Configure use of hardware-based encryption for fixed data drives
            Disabled; see software encryption below
        Enforce drive encryption type on fixed data drives
            Enabled then select Full encryption; immediately achieves top security, "free" disk space could have remnants of deleted files

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
        Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
            Disabled; sounds insecure
        Allow enhanced PINs for startup
            Enabled; want to allow the user to enter a normal password (i.e. one with arbitrary characters) for the PIN
        Allow network unlock at startup
            Disabled; sounds insecure, and is a feature only needed by an enterprise
        Allow Secure Boot for integrity validation
            Enabled
        Configure use of hardware-based encryption for operating system drives
            Disabled; see software encryption below
        Enforce drive encryption type on operating system drives
            Enabled then select Full encryption; immediately achieves top security, "free" disk space could have remnants of deleted files
        Require additional authentication at startup
            Enabled, then Allow all except "Do Not Allow TPM"
        Require additional authentication at startup (Windows Server 2008...
            Enabled, then Allow all

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
        Configure use of hardware-based encryption for removable data drives
            Disabled; see software encryption below
        Enforce drive encryption type on removable data drives
            Enabled then select Full encryption; immediately achieves top security, "free" disk space could have remnants of deleted files

    Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings
        Allow standby states (S1-S3) when sleeping (plugged in)
            Disabled; see power settings for top security below
        Allow standby states (S1-S3) when sleeping (on battery)
            Disabled; ditto

    Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer
        Show hibernate in the power options menu
            Enabled; see power settings for top security below

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Links


    --DMA protection and power settings for top security:
    Additional DMA security may be added by deploying [Group] policy...Disable new DMA devices when this computer is locked (This setting is not configured by default.)
    https://docs.microsoft.com/en-us/win...ountermeasures


    --FORCE BitLocker to use software encryption:
    Flaws in self-encrypting SSDs let attackers bypass disk encryption
    https://www.zdnet.com/article/flaws-...sk-encryption/

    --use Secure Boot for integrity validation:
    https://docs.microsoft.com/en-us/win...-and-bitlocker

    --"TPM with PIN" achieves top security (at the inconvenience of having to enter another password at boot):
    https://docs.microsoft.com/en-us/win...ountermeasures

    --Windows 10 security settings:
    Hardening Microsoft Windows 10 version 1709 Workstations
    https://acsc.gov.au/publications/pro...ning-win10.htm
    Has a section on BitLocker configuration

    :)
     
    up2trix, Jan 16, 2019
    #1
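
One way to check that the Group Policy choices listed in post #1 actually landed on the machine is to compare the BitLocker policy registry key against them. This is an added example, not part of the original post; the registry value names and numeric codes do not appear on the page and are assumed from the BitLocker administrative template, so confirm them on your Windows build.

```powershell
# Added example. Value names are assumed from the BitLocker ADMX template;
# confirm them on your build before relying on the result.
$FveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Expected = [ordered]@{
    EncryptionMethodWithXtsOs     = 7  # XTS-AES 256-bit, OS drives
    EncryptionMethodWithXtsFdv    = 7  # XTS-AES 256-bit, fixed data drives
    EncryptionMethodWithXtsRdv    = 7  # XTS-AES 256-bit, removable drives
    DisableExternalDMAUnderLock   = 1  # no new DMA devices while locked
    MorBehavior                   = 0  # memory overwrite on restart stays on
    OSHardwareEncryption          = 0  # software encryption only
    FDVHardwareEncryption         = 0
    RDVHardwareEncryption         = 0
    OSEncryptionType              = 1  # 1 = full, 2 = used space only
    FDVEncryptionType             = 1
    RDVEncryptionType             = 1
    OSEnablePreBootPinExceptionOnDECapableDevice = 0  # no InstantGo/HSTI opt-out
    UseEnhancedPin                = 1
    OSManageNKP                   = 0  # network unlock off
    OSAllowSecureBootForIntegrity = 1
    UseAdvancedStartup            = 1  # additional authentication at startup
    UseTPMPIN                     = 2  # 2 = allow TPM + PIN
}

function Get-FvePolicy {
    # Read the live policy key into a hashtable (empty if no policy is set).
    $h = @{}
    $item = Get-ItemProperty -Path $FveKey -ErrorAction SilentlyContinue
    if ($item) { foreach ($p in $item.PSObject.Properties) { $h[$p.Name] = $p.Value } }
    return $h
}

function Compare-BitLockerPolicy {
    param([hashtable]$Actual = (Get-FvePolicy))
    foreach ($name in $Expected.Keys) {
        $have = $Actual[$name]   # $null when the value is absent
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $have) { '(not set)' } else { $have }
            Match    = ($have -eq $Expected[$name])
        }
    }
}

# Constructed sample of a drifted machine: XTS-AES 128 and hardware encryption on.
$sample = @{ EncryptionMethodWithXtsOs = 6; OSHardwareEncryption = 1; UseEnhancedPin = 1 }
Compare-BitLockerPolicy -Actual $sample | Where-Object { -not $_.Match } | Format-Table -AutoSize
# On the configured laptop, run: Compare-BitLockerPolicy | Format-Table -AutoSize
```

A value reported as "(not set)" means the policy was left at Not Configured, which is different from explicitly Disabled even where the default behaviour happens to match.
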
  2. Paola Gar Win User

    Need to turn off Bitlocker to install Windows 10

    Hi,

    We suggest doing the following steps again to resolve the issue. To complete the procedure, make sure that you have the following information:

    • You must be able to provide administrative credentials.
    • The drive must be BitLocker-protected.
    To suspend BitLocker Drive Encryption on an operating system drive, please follow the steps below:

    • Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
    • Click Suspend Protection for the operating system drive.
    • A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption.
    • Click Yes to continue and suspend BitLocker on the drive.

    Let us know how it goes.
     
    Paola Gar, Jan 16, 2019
    #2
  3. Ernie San Win User
    Bitlocker

    Hello Nandana,

    To enable BitLocker on your computer, follow the steps below:

    • Sign in to your Windows account with administrator access.
    • Press the Windows key.
    • Type and enter BitLocker.
    • Click Turn on BitLocker.
    • If the system asks you to sign in with administrator access, please do so.
    For additional information about BitLocker, we suggest that you check the frequently asked questions on this link. The link provided applies to Windows 8.1 and higher versions.

    If you have other concerns, don't hesitate to reach us.
     
    Ernie San, Jan 16, 2019
    #3
  4. rate my BitLocker config

    BitLocker Encrypted Hard Drive to MAC

    Hi,

    Thank you for posting your query in Microsoft Community. I regret the inconvenience caused to you. Let me help you.

    I suggest you perform the steps mentioned below to disable BitLocker.

    To disable BitLocker I would suggest you try the following steps and see if it helps.

    • Press Windows key + X and click on Control Panel.
    • Change View by from Category to Large Icons/Small Icons.
    • Click on BitLocker Drive Encryption and click on Turn BitLocker Off.
    • Follow the on-screen instructions. Click on Decrypt the Drive when the message appears.
    I would suggest you click on the link below and refer to the following article.

    Scenario 12: Turning Off BitLocker Drive Encryption (Windows 7)

    (You can refer to the steps in the above link as they are applicable for Windows 10 as well)

    Check if it helps.

    I hope the information helps. Please keep us posted on the issue. We will be happy to assist you accordingly.

    Thank you.
     
    Aswin_Anand, Jan 16, 2019
    #4