How to get the most out of BitLocker and harden Windows

BitLocker is the built-in Windows tool for protecting your data with AES encryption, but with the default settings you are not using it to its full potential. Here I show you step by step how to get the most out of it using Group Policy (gpedit.msc) and PowerShell. With these settings you raise BitLocker from standard protection to enterprise-level security: TPM combined with a PIN, XTS-AES-256, protection against DMA attacks and a few sensible system optimizations give you solid all-round protection.

Important: Never save the recovery key as a txt file on an unencrypted USB stick or other ordinary data carrier. Because the file is so small, there is a risk that the key remains in the file system even after you delete it.

We recommend creating a small encrypted container with VeraCrypt (https://www.veracrypt.fr/), for example, and saving the recovery key in that container.


1. Customize group policies (gpedit.msc)

1.1 Require additional authentication at startup

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Option: “Require additional authentication at startup”
  • Status: Enabled
  • Settings:
    • Allow BitLocker without a compatible TPM
    • Allow TPM
    • Allow startup PIN with TPM
    • Allow startup key with TPM
    • Allow startup key and PIN with TPM

Why?
This secures the boot process with an additional PIN or startup key. Even with physical access to the device, the system only boots with the correct PIN.


1.2 Allow enhanced PINs

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Option: “Allow enhanced PINs for startup”
  • Status: Enabled

Why?
Longer and more complex PINs increase security enormously. Use letters, numbers and special characters.


1.3 Enforce drive encryption type

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Option: “Enforce drive encryption type on operating system drives”
  • Status: Enabled
  • Encryption type: Full encryption (not used-space-only encryption)

Why?
Prevents the user from activating BitLocker only partially (used space only) and thus leaving gaps in protection.


1.4 Encryption method and strength

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

  • Option: “Choose drive encryption method and cipher strength”
  • Status: Enabled
  • Method for operating system drives and fixed data drives: XTS-AES 256-bit (strongest method currently available)
  • Method for removable data drives: AES-CBC 256-bit (strongest method currently available)

Why?
AES-256 is currently the best encryption method for maximum data security. By default, BitLocker uses only 128-bit keys, not the 256 bits that are available.


1.5 Activate protection against new DMA devices

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

  • Option: “Disable new DMA devices when this computer is locked”
  • Status: Enabled

Why?
Protects against attacks via external DMA devices (e.g. Thunderbolt) while the computer is locked.


1.6 Overwrite memory on restart

Path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

  • Option: “Prevent memory overwrite on restart”
  • Status: Disabled

Why?
With this policy disabled, Windows makes sure that BitLocker keys are removed from memory (RAM) when the computer restarts.


2. PowerShell commands for control and fine-tuning

Run PowerShell as administrator:

# Show TPM status (TpmPresent and TpmReady should both be True)
Get-Tpm

# BitLocker status for drive C: (ProtectionStatus, EncryptionMethod, EncryptionPercentage)
Get-BitLockerVolume -MountPoint "C:"

# Display key protectors (after the steps above you should see TpmPin and RecoveryPassword)
Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector

# Display Device Guard / virtualization-based security info
Get-ComputerInfo | Select-Object DeviceGuard* | Format-List

# Check whether SMB1 is installed and disable it if necessary (security risk)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
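The following script is an added example, not part of the original post: it uses the same cmdlets to audit drive C: against the settings from section 1 (TPM ready, XTS-AES-256, fully encrypted, TPM+PIN and recovery password protectors). Property and enum names are those of the BitLocker and TrustedPlatformModule modules; the wording of the findings and the $mount variable are my own.

```powershell
#Requires -RunAsAdministrator
# Added audit script (example code, not from the original post).
# Checks one BitLocker volume against the recommended configuration.

$mount = "C:"    # assumption: the operating system drive is C:
$findings = [System.Collections.Generic.List[string]]::new()

# 1. The TPM must be present and ready, otherwise TPM+PIN (section 1.1) is impossible
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings.Add("TPM is not present or not ready; a TPM+PIN protector cannot be used")
}

# 2. Protection state, cipher (section 1.4) and full encryption (section 1.3)
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is '$($vol.ProtectionStatus)' on $mount")
}
if ($vol.EncryptionMethod -ne 'XtsAes256') {
    $findings.Add("Encryption method is $($vol.EncryptionMethod), expected XtsAes256")
}
if ($vol.EncryptionPercentage -lt 100) {
    $findings.Add("Volume is only $($vol.EncryptionPercentage)% encrypted")
}

# 3. Key protectors: a TPM+PIN protector (section 1.1/1.2) and a recovery password
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ('TpmPin' -notin $types) {
    $findings.Add("No TPM+PIN protector; present: $($types -join ', ')")
}
if ('RecoveryPassword' -notin $types) {
    $findings.Add("No recovery password protector; a TPM or firmware change would lock you out")
}

# 4. Report
if ($findings.Count -eq 0) {
    Write-Host "OK: $mount matches the recommended BitLocker configuration"
} else {
    Write-Host "Findings for ${mount}:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

# To add the missing TPM+PIN protector once policy 1.1 is enabled:
# Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin (Read-Host "PIN" -AsSecureString)
```

The Add-BitLockerKeyProtector call in the last comment fails with an error unless the group policy from section 1.1 is already active, which is a quick way to verify that the policy has been applied.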

3. Important system optimizations

  • Enable core isolation:
    Windows Security > Device security > Core isolation details > Memory integrity
    Increases protection against attacks at kernel level.
  • Disable fast startup:
    Control Panel > Power Options > Choose what the power buttons do > uncheck “Turn on fast startup”
    Prevents potential security vulnerabilities during startup.
  • Enable hibernation:
    Power Options > Advanced settings
    Use hibernation instead of sleep (“Save energy”), so that BitLocker keys do not remain in RAM.

4. Customize account lockout policy for password security

Path:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

  • Recommendation:
    Set appropriate values for the lockout duration and the number of failed logon attempts to make brute-force attacks more difficult.
