[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-41901-0

Platform: win10Date: (C)2016-09-23   (M)2022-10-10



Disable: 'Require additional authentication at startup' for UseAdvancedStartup This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode a USB drive is required for start-up and the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. Counter Measure: The use of a PIN in addition to TPM enhances the security of the solution since it requires the user to enter the correct PIN in order for the boot process to continue and the computer to be unlocked. BitLocker achieves this by effectively blocking the boot process until the correct PIN is entered. Potential Impact: A PIN requires physical presence to restart the computer. This functionality is not compatible with Wake on LAN solutions.


Parameter:


Technical Mechanism:

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup,EnableBDEWithNoTPM,UseTPMKeyPIN,UseTPMKey,UseTPMPIN,UseTPM

CCSS Severity:CCSS Metrics:
CCSS Score : Attack Vector:
Exploit Score: Attack Complexity:
Impact Score: Privileges Required:
Severity: User Interaction:
Vector: Scope:
 Confidentiality:
 Integrity:
 Availability:
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:35037
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:35037
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:35037


OVAL    1
oval:org.secpod.oval:def:35037
XCCDF    2
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10

© SecPod Technologies