CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' (Scored)
18.9.11.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled' (Scored)
18.9.11.2.12 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' (Scored)
18.9.11.2.13 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' (Scored)
18.9.11.2.14 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' (Scored)
18.9.11.2.15 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' (Scored)
18.9.11.2.16 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' (Scored)
18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' (Scored)
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' (Scored)
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' (Scored)
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' (Scored)
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' (Scored)
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' (Scored)
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' (Scored)
