Microsoft Windows Common Criteria Evaluation Microsoft Windows 10
If volume encryption is enabled on the TOE, then the MDM solution can configure AES-256 as the default encryption algorithm to be used when BitLocker is enabled on a device. See the MDM solution documentation for detailed configuration actions.
Windows 10
The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:
Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx
By default, AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 10 (Anniversary Update); the AES256 algorithm must be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration, and the Enhanced PIN capabilities must be used in the evaluated configuration.
To enable the TPM and Enhanced PIN authorization factors execute the following command:
Manage-bde -on <drive letter>: -tpmandpin -encryptionMethod aes256
(replace <drive letter> with the letter of the volume to protect, for example the operating system volume)
A USB keyboard is necessary to enter the Enhanced PIN to unlock the drive at boot on some devices.
The following is a link to BitLocker Policy settings:
https://technet.microsoft.com/en-us/library/jj679890.aspx
Administrators must create an Enhanced PIN value of a minimum of four and a maximum of 20 characters. Unlike a standard numeric PIN, an Enhanced PIN can include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities, start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:
Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
Other BitLocker policies that must be enabled to use the TPM and Enhanced PIN authenticator are:
Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Enable use of BitLocker authentication requiring preboot keyboard input on slates
Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Require additional authentication at startup
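The following PowerShell script is an added example (not part of the Common Criteria guidance or a Microsoft tool) that checks whether a volume matches the evaluated configuration described above: AES-256 encryption, a TPM and PIN key protector, and the three BitLocker policies enabled. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed to correspond to the policies listed; the page itself only names the policy paths.

```powershell
# Added example: audit a BitLocker volume against the evaluated configuration.
# Run from an elevated PowerShell session on the Windows 10 device.
param([string]$MountPoint = $env:SystemDrive)

$findings = @()

# 1. Encryption algorithm: the guidance requires AES-256 (manage-bde defaults to AES-128).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.EncryptionMethod -ne 'Aes256') {
    $findings += "Encryption method is '$($vol.EncryptionMethod)', expected Aes256"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "Protection status is '$($vol.ProtectionStatus)', expected On"
}

# 2. Authentication factor: a TPM+PIN key protector must be present on the volume.
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'TpmPin') {
    $findings += "No TpmPin key protector found (present: $($types -join ', '))"
}

# 3. Policies named in the guidance. Value names are assumptions, not taken from the page.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$required = @{
    'UseEnhancedPin'                         = 1  # Allow enhanced PINs for startup
    'UseAdvancedStartup'                     = 1  # Require additional authentication at startup
    'OSEnablePrebootInputProtectorsOnSlates' = 1  # Preboot keyboard input on slates
}
foreach ($name in $required.Keys) {
    $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $required[$name]) {
        $findings += "Policy value $name is '$actual', expected $($required[$name])"
    }
}

if ($findings.Count -eq 0) {
    "$MountPoint matches the evaluated BitLocker configuration"
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

The same facts can be cross-checked by hand with `manage-bde -status`, which reports the encryption method and key protectors for each volume.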