18.10.9.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'

Information

This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.

Secure Boot requires a system that meets the UEFI 2.3.1 Specifications for Class 2 and Class 3 computers.

When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the 'Use enhanced Boot Configuration Data validation profile' group policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.

Note: If the group policy setting 'Configure TPM platform validation profile for native UEFI firmware configurations' is enabled and has PCR 7 omitted, BitLocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

The recommended state for this setting is: Enabled

Secure Boot ensures that only firmware digitally signed by authorized software publishers is loaded during computer startup, which reduces the risk of rootkits and other types of malware from gaining control of the system. It also helps provide protection against malicious users booting from an alternate operating system.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow Secure Boot for integrity validation

Note: This Group Policy path is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17603

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: 74b1186e2b7e18a5e2b3507796827c5cfed449285c50089a89a3defc875736ce