STIG V-253260 - BitLocker PIN - Windows 11

KD Sec-n-Tech Secure

Introduction:

Welcome to the latest edition of our newsletter, where we provide valuable insights and tips for securing your Windows systems. In this issue, we will focus on the importance of using BitLocker PIN for pre-boot authentication to enhance the security of your Windows 11 systems.

Summary:

BitLocker PIN is a crucial security measure that adds an additional layer of protection to your encrypted drives. It ensures that even if an adversary gains physical access to your system, they cannot bypass operating system controls and access your data. By requiring a PIN during the boot process, unauthorized users are prevented from accessing encrypted drives, safeguarding the confidentiality and integrity of your information.

Importance

Encrypting data at rest is essential for protecting it from unauthorized disclosure. Without encryption, an adversary can directly access non-volatile memory, circumventing operating system controls and compromising data confidentiality. BitLocker PIN serves as a pre-boot authentication mechanism that complements encryption, providing an extra level of security against unauthorized access to your Windows 11 systems.

Exploitation:

Without a BitLocker PIN, your encrypted drives are susceptible to unauthorized access. An attacker with physical access to your system could potentially compromise your sensitive data, even if operating system permissions are in place. By exploiting the absence of pre-boot authentication, they can bypass security measures and gain access to your encrypted drives.

Checking for Compliance:

To verify compliance, ensure that the following registry values are configured as specified:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\FVE\

Value Name: UseAdvancedStartup
Type: REG_DWORD
Value: 0x00000001 (1)

Value Name: UseTPMPIN
Type: REG_DWORD
Value: 0x00000001 (1)

Value Name: UseTPMKeyPIN
Type: REG_DWORD
Value: 0x00000001 (1)

PowerShell Compliance Check Script:

# Set the vulnerability number
$vulnNumber = "V-253260"

# Set the working directory (adjust to where status files are kept)
$WorkingDirectory = "C:\Add\The\Directory\Here"

# Set the file path
$filePath = "$($WorkingDirectory)\$vulnNumber.txt"

# Create or clear the status file (Out-Null suppresses New-Item's object output)
$existingStatusFile = Test-Path $filePath
if (-not $existingStatusFile) {
    New-Item -Path $filePath -ItemType File -Force -Confirm:$false | Out-Null
} else {
    Clear-Content -Path $filePath
}

# Define the vulnerability details (defaults to Open until the check passes)
$status = "Open"
$findingDetails = "The required registry values for BitLocker PIN are not configured as specified."
$comments = "Configure the policy value for enabling BitLocker PIN."

# Read the policy values; a missing key or value yields $null, which fails the comparison below
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$UseAdvancedStartup = Get-ItemPropertyValue -Path $registryPath -Name "UseAdvancedStartup" -ErrorAction SilentlyContinue
$UseTPMPIN = Get-ItemPropertyValue -Path $registryPath -Name "UseTPMPIN" -ErrorAction SilentlyContinue
$UseTPMKeyPIN = Get-ItemPropertyValue -Path $registryPath -Name "UseTPMKeyPIN" -ErrorAction SilentlyContinue

# Expected values (1 = Require)
$UseAdvancedStartupEV = 1
$UseTPMPINEV = 1
$UseTPMKeyPINEV = 1

# Passes when advanced startup is enabled and at least one of the TPM PIN options is set to 1
if ($UseAdvancedStartup -eq $UseAdvancedStartupEV -and ($UseTPMPIN -eq $UseTPMPINEV -or $UseTPMKeyPIN -eq $UseTPMKeyPINEV)) {
    $status = "NotAFinding"
    $findingDetails = "The required registry values for BitLocker PIN are configured as specified."
    $comments = "Not a finding."
}

# Write the variables to the status file (one line each: status, details, comments)
$status | Set-Content -Path $filePath
$findingDetails | Add-Content -Path $filePath
$comments | Add-Content -Path $filePath

PowerShell Compliance Check Script Explanation:

The provided PowerShell script is for conducting a compliance check and recording the status of the vulnerability assessment. It performs the following actions:

  1. Sets the vulnerability number and working directory:

    • $vulnNumber represents the vulnerability ID, which is set to "V-253260".

    • $WorkingDirectory specifies the directory path where the status file will be created.

  2. Sets the file path:

    • $filePath concatenates the working directory with the vulnerability number to create the complete file path for the status file.

  3. Creates or clears the status file:

    • The script checks if the status file already exists by using the Test-Path cmdlet.

    • If the file doesn't exist (-not $existingStatusFile), it creates a new file at the specified path using New-Item.

    • If the file exists, the script clears its content using Clear-Content to ensure a fresh assessment.

  4. Defines the vulnerability details:

    • The script initializes variables to store the status, finding details, and comments related to the vulnerability assessment.

    • $status is set to "Open" initially, indicating that the vulnerability is not yet resolved.

    • $findingDetails describes the current state of the vulnerability, stating that the required registry values for BitLocker PIN are not configured as specified.

    • $comments provides instructions on how to configure the policy value for enabling BitLocker PIN.

  5. Retrieves registry values:

    • The script uses Get-ItemPropertyValue to fetch the current values of the registry entries related to BitLocker PIN from the specified registry path.

    • The retrieved values are stored in variables: $UseAdvancedStartup, $UseTPMPIN, and $UseTPMKeyPIN.

  6. Compares registry values and updates vulnerability status:

    • The script compares the retrieved registry values with the expected values ($UseAdvancedStartupEV, $UseTPMPINEV, and $UseTPMKeyPINEV) that indicate the desired configuration.

    • If the values match, indicating that the required registry values are configured as specified, the vulnerability status is updated to "NotAFinding".

    • The finding details and comments are adjusted accordingly to reflect that the vulnerability is not present.

  7. Writes the variables to the status file:

    • The script uses Set-Content and Add-Content to write the vulnerability status, finding details, and comments to the status file at the specified path.

The script helps automate the compliance check process and records the assessment results in the status file for documentation purposes.
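The registry values above only show that the policy is configured; they do not prove that the operating system volume actually unlocks with a TPM+PIN protector. The following added check (not the newsletter's script) verifies both. It assumes Windows 11 with the BitLocker PowerShell module, run from an elevated session.

```powershell
# Added example (not the newsletter's script): checks the three policy values
# and also confirms the OS volume carries a TPM+PIN key protector, because the
# policy only governs future BitLocker setup, not an already-encrypted drive.
# Assumes Windows 11 with the BitLocker PowerShell module, run as administrator.
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$expected   = @{ UseAdvancedStartup = 1; UseTPMPIN = 1; UseTPMKeyPIN = 1 }
$findings   = [System.Collections.Generic.List[string]]::new()

# Read the whole policy key once; if the key is absent every value is $null.
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = if ($null -ne $policy) { $policy.$name } else { $null }
    if ($actual -ne $expected[$name]) {
        $findings.Add("Policy value $name is '$actual', expected $($expected[$name])")
    }
}

# Inspect the operating system volume's protectors and protection state.
$osDrive  = $env:SystemDrive
$osVolume = Get-BitLockerVolume -MountPoint $osDrive
$types    = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

if ($osVolume.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection on $osDrive is $($osVolume.ProtectionStatus)")
}
# TpmPin and TpmPinStartupKey both require a PIN before the OS loads.
if (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
    $findings.Add("No TPM+PIN protector on $osDrive (protectors: $($types -join ', '))")
}

if ($findings.Count -eq 0) {
    "V-253260: NotAFinding - policy values set and a TPM+PIN protector is present on $osDrive"
} else {
    "V-253260: Open"
    $findings | ForEach-Object { "  - $_" }
}
```

A machine can pass the registry check and still fail this one when BitLocker was enabled before the policy was applied, which is why both checks belong in the assessment.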

Remediation:

To enable BitLocker PIN and ensure compliance, follow these steps:

  1. Boot into the BIOS (Setup menu) and confirm that the system is in UEFI mode with TPM activated.

  2. Under Post Behavior, verify that Fastboot mode is set to Thorough.

  3. Boot into the operating system and set up BitLocker on the desired drive, initiating the encryption process.

  4. Open the Local Group Policy Editor by launching "gpedit.msc".

  5. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  6. Double-click on "Require additional authentication at startup" in the right pane to open the configuration window.

  7. Choose the "Enabled" option to activate all the available options.

  8. Uncheck the box for "Allow BitLocker without a compatible TPM".

  9. For "Configure TPM startup", select "Allow TPM".

  10. For "Configure TPM startup PIN:", choose "Require startup PIN with TPM".

  11. For "Configure TPM startup key:", select "Allow startup key with TPM".

  12. For "Configure TPM startup key and PIN:", choose "Allow startup key and PIN with TPM".

  13. Click "Apply" and then "OK" to save the changes in the Group Policy Editor.

  14. Stay under BitLocker Drive Encryption > Operating System Drives.

  15. Double-click on "Enable use of BitLocker Authentication requiring preboot keyboard input on slates" in the right pane.

  16. Choose the "Enabled" option to activate it.

  17. Click "Apply" and then "OK" to save the changes.

  18. Reboot the system to apply the configuration changes.

PowerShell Automation Script:

# Create the policy key if it does not exist yet (Set-ItemProperty fails on a missing key)
$policyPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}

# Set UseAdvancedStartup value (REG_DWORD 1)
Set-ItemProperty -Path $policyPath -Name "UseAdvancedStartup" -Value 1 -Type DWord

# Set UseTPMPIN value (REG_DWORD 1)
Set-ItemProperty -Path $policyPath -Name "UseTPMPIN" -Value 1 -Type DWord

# Set UseTPMKeyPIN value (REG_DWORD 1)
Set-ItemProperty -Path $policyPath -Name "UseTPMKeyPIN" -Value 1 -Type DWord

PowerShell Automation Script Explanation:

The provided PowerShell script modifies the necessary registry values to enable BitLocker PIN for pre-boot authentication. It sets the "UseAdvancedStartup," "UseTPMPIN," and "UseTPMKeyPIN" values to 1, ensuring the required configuration for enhanced security.
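Writing the policy values does not add a PIN to a drive that is already encrypted with a TPM-only protector; that step has to be done on the volume itself. The following added example (not the newsletter's script) applies the policy and then adds the TPM+PIN protector, refusing to proceed when no recovery password protector exists. It assumes Windows 11 with a TPM, the BitLocker PowerShell module, and an elevated session.

```powershell
# Added example (not the newsletter's script): writes the three policy values,
# then adds a TPM+PIN protector to an already-encrypted OS volume, since the
# policy by itself does not change protectors on an existing volume.
# Assumes Windows 11 with a TPM, the BitLocker module, and an elevated session.
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null   # key is absent until a policy is written
}
foreach ($name in 'UseAdvancedStartup', 'UseTPMPIN', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $policyPath -Name $name -Value 1 -Type DWord
}

$osDrive = $env:SystemDrive
$volume  = Get-BitLockerVolume -MountPoint $osDrive
$types   = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$osDrive is not encrypted; enable BitLocker on it first (Remediation step 3)."
} elseif ($types -contains 'TpmPin') {
    "$osDrive already has a TPM+PIN protector; nothing to do."
} elseif ($types -notcontains 'RecoveryPassword') {
    # Without a backed-up recovery password, a failed TPM measurement plus a forgotten PIN locks the data out.
    Write-Warning "$osDrive has no recovery password protector; add and back one up before requiring a PIN."
} else {
    # Take the PIN interactively; never embed it in a script or a log.
    $pin = Read-Host -Prompt "New BitLocker startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $osDrive -Pin $pin -TpmAndPinProtector | Out-Null
    # Any TPM-only protector left behind would still unlock the drive without a PIN; remove it.
    (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $_.KeyProtectorId | Out-Null }
    "TPM+PIN protector added to $osDrive; reboot to confirm the PIN prompt appears before Windows loads."
}
```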

Closing Note:

Enabling BitLocker for full disk encryption on Windows 11 systems is crucial to protect the confidentiality and integrity of data at rest. By following the provided remediation steps and utilizing the PowerShell script, organizations can enhance the security posture of their Windows 11 Pro and Windows 11 Home systems. Regularly validating compliance with BitLocker encryption requirements ensures a robust security foundation.

Sources:

  1. Microsoft Docs: BitLocker Drive Encryption Overview

  2. Microsoft Docs: BitLocker PIN Overview

  3. Windows Central: www.windowscentral.com/how-enable-bitlocker-encryption-windows-11

Links:

Kingdom Dominion Security & Technology: https://www.kdsecntech.com/

Thank you for reading our episode on enabling BitLocker for full disk encryption on Windows 11 and taking the next step to enhance the confidentiality and integrity of your information at rest. We hope this information has been helpful to you. If you have any further questions or suggestions, please feel free to reach out. Stay safe and secure!

Kingdom Dominion Security & Technology
