initial import of content from https://www.github.com/iadgov/Secure-H…

…ost-Baseline/BitLocker

CONTRIBUTING.md

@@ -0,0 +1,6 @@
+All contributions to this project will be released as follows:
+
+1. If you are a U.S. government employee, then your changes are exempt from copyright in the U.S. and will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) worldwide.
+1. If you are a not a U.S. government employee, then your changes will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) in the U.S. and worldwide.
+
+By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

DISCLAIMER.md

@@ -0,0 +1,9 @@
+## Disclaimer of Warranty
+This Work is provided "as is." Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Guidance, even if advised of the possibility of such damage.
+
+The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, and infringement or other violations of intellectual property or technical data rights.
+
+Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.
+
+## Disclaimer of Endorsement
+Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.

Group Policy Objects/Computer/policy.json

@@ -0,0 +1,17 @@
+{
+    "PolicyName":  "BitLocker",
+    "PolicyScopes":  [
+                         "Computer"
+                     ],
+    "PolicyTypes":  [
+                        "Domain",
+                        "Local"
+                    ],
+    "PolicyModes":  [
+                        "Audit",
+                        "Enforced"
+                    ],
+    "PolicyTemplatePath":  ".\\..\\..\\..\\Windows\\",
+    "PolicyTemplateType":  "OS",
+    "PolicyTemplateVersion":  "10.0.14393.0"
+}

Group Policy Objects/Computer/{9D614C55-E361-45A1-87CB-09A2B1EED0C4}/Backup.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2508026330-3077189028-2444564301-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[SHB]]></NetBIOSDomainName><DnsDomainName><![CDATA[SHB.GOV]]></DnsDomainName><UPN><![CDATA[Enterprise [email protected]]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2508026330-3077189028-2444564301-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[SHB]]></NetBIOSDomainName><DnsDomainName><![CDATA[SHB.GOV]]></DnsDomainName><UPN><![CDATA[Domain [email protected]]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{87876B88-0C9A-47F2-B61D-627990E9F413}]]></ID><Domain><![CDATA[SHB.GOV]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 da 71 7d 95 a4 2d 6a b7 4d 17 b5 91 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 da 71 7d 95 a4 2d 6a b7 4d 17 b5 91 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 da 71 7d 95 a4 2d 6a b7 4d 17 b5 91 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[BitLocker]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[1114129]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\SRV.SHB.GOV\sysvol\SHB.GOV\Policies\{87876B88-0C9A-47F2-B61D-627990E9F413}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\SRV.SHB.GOV\sysvol\SHB.GOV\Policies\{87876B88-0C9A-47F2-B61D-627990E9F413}\Adm\*.*"/>
+        </GroupPolicyExtension>
+
+
+
+
+
+
+
+
+
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\SRV.SHB.GOV\sysvol\SHB.GOV\Policies\{87876B88-0C9A-47F2-B61D-627990E9F413}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>

Group Policy Objects/Computer/{9D614C55-E361-45A1-87CB-09A2B1EED0C4}/DomainSysvol/GPO/Machine/comment.cmtx

@@ -0,0 +1,24 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.DeviceInstallation"></using>
+    <using prefix="ns1" namespace="Microsoft.Policies.PowerManagement"></using>
+    <using prefix="ns2" namespace="Microsoft.Policies.VolumeEncryption"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate>
+      <comment policyRef="ns0:DeviceInstall_Classes_Deny" commentText="$(resource.ns0_DeviceInstall_Classes_Deny)"></comment>
+      <comment policyRef="ns0:DeviceInstall_IDs_Deny" commentText="$(resource.ns0_DeviceInstall_IDs_Deny)"></comment>
+      <comment policyRef="ns1:AllowStandbyStatesAC_2" commentText="$(resource.ns1_AllowStandbyStatesAC_2)"></comment>
+      <comment policyRef="ns1:AllowStandbyStatesDC_2" commentText="$(resource.ns1_AllowStandbyStatesDC_2)"></comment>
+    </admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable>
+      <string id="ns0_DeviceInstall_Classes_Deny">This GUID is to block the SPB-2 device class (aka Firewire) to prevent DMA attacks on BitLocker</string>
+      <string id="ns0_DeviceInstall_IDs_Deny">This is the device ID for the Thunderbolt controller, blocked to prevent DMA attacks against BitLocker</string>
+      <string id="ns1_AllowStandbyStatesAC_2">Sleep disabled to prevent BitLocker keys from being exposed in memory</string>
+      <string id="ns1_AllowStandbyStatesDC_2">Sleep disabled to prevent BitLocker keys from being exposed in memory</string>
+    </stringTable>
+  </resources>
+</policyComments>

Group Policy Objects/Computer/{9D614C55-E361-45A1-87CB-09A2B1EED0C4}/bkupInfo.xml

@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{87876B88-0C9A-47F2-B61D-627990E9F413}]]></GPOGuid><GPODomain><![CDATA[SHB.GOV]]></GPODomain><GPODomainGuid><![CDATA[{8d113a86-7f83-4ded-9ad7-75122a34cf7e}]]></GPODomainGuid><GPODomainController><![CDATA[SRV.SHB.GOV]]></GPODomainController><BackupTime><![CDATA[2016-03-14T19:35:13]]></BackupTime><ID><![CDATA[{9D614C55-E361-45A1-87CB-09A2B1EED0C4}]]></ID><Comment><![CDATA[BtiLocker]]></Comment><GPODisplayName><![CDATA[BitLocker]]></GPODisplayName></BackupInst>

LICENSE.md

@@ -0,0 +1,3 @@
+This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.
+
+Copyright and Related Rights in the Work worldwide are waived through the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode).

LICENSE.spdx

@@ -0,0 +1,16 @@
+SPDXVersion: SPDX-2.1
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-LICENSE
+DocumentName: LICENSE
+DocumentNamespace: https://github.com/iadgov/BitLocker-Guidance
+Creator: iadgovuser1
+Created: 2018-02-12T11:00:00Z
+PackageName: BitLocker-Guidance
+PackageSupplier: National Security Agency
+PackageDownloadLocation: https://github.com/iadgov/BitLocker-Guidance/archive/master.zip
+PackageLicenseConcluded: CC0-1.0
+PackageHomePage: https://github.com/iadgov/BitLocker-Guidance/
+PackageLicenseDeclared: CC0-1.0
+PackageLicenseComments: This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976. Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.
+PackageCopyrightText: This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976. Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.
+PackageSummary: Configuration guidance for implementing BitLocker.

README.md

@@ -1,2 +1,51 @@
-# BitLocker-Guidance
-Configuration guidance for implementing BitLocker. iadgov
+# Microsoft BitLocker
+
+[Microsoft BitLocker](https://technet.microsoft.com/en-us/library/cc731549.aspx) is a full volume encryption feature built into Windows. BitLocker is intended to protect data on devices that have been lost or stolen. BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and Windows 7 and in the Professional and Enterprise editions of Windows 8 and later. A [Group Policy Object](./Group Policy Objects/Computer/) for BitLocker is included in the SHB. The Group Policy Object contains recommended security settings for BitLocker on Windows 10 Version 1511 and later.
+
+[NIST](http://www.nist.gov/) [FIPS 140-2](http://csrc.nist.gov/groups/STM/cmvp/index.html) validation of Windows 10 BitLocker modules was completed on June 2, 2016 as evidenced in certificate numbers [2601](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2601), [2602](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2602), and [2603](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2603).
+
+A [BitLocker PowerShell module](./Scripts) has been provided to aid in provisioning BitLocker. [Microsoft BitLocker Administration and Monitoring](https://technet.microsoft.com/en-us/windows/hh826072.aspx) is another option for provisioning BitLocker.
+
+## Importing the BitLocker Group Policy
+
+### Importing the BitLocker domain Group Policy
+Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator. 
+
+```
+Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker'
+```
+
+### Importing the AppLocker local Group Policy
+Use Microsoft's LGPO tool to apply the BitLocker Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.
+
+```
+Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' -ToolPath '.\LGPO\lgpo.exe'
+```
+
+## Common issues
+
+### Conflicting BitLocker startup options
+* **Issue**: Error message: *The Group Policy settings for BitLocker startup options are in conflict and cannot be applied*. Error code: 0x8031005B
+* **Explanation**: The 'Require additional authentication at startup' policy description text can be misleading on how to correctly configure it.
+* **Resolution**: 
+    1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**
+    1. Change the **Require additional authentication at startup** policy to configure all 4 dropdown menu options to **Allow** *OR* set 1 option to **Require** and the other 3 options to **Do not allow**.
+    1. Run **gpupdate /force** from the command line.
+
+### Support for pre-boot PIN entry on tablets
+
+* **Issue**: Error message: *No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume*. Error code: 0x803100B5
+* **Explanation**: BitLocker checks if the system is a tablet. If it is a tablet, then BitLocker displays the above error message when trying to use a PIN protector. BitLocker doesn't check if the system supports a pre-boot keyboard. Some tablets may have a BIOS that supports a software keyboard. For example, the [Dell Venue 11 Pro](http://www.dell.com/support/Article/us/en/19/SLN293013/EN), [Surface Pro 3, and Surface Pro 4](https://blogs.technet.microsoft.com/askpfeplat/2014/07/13/bitlocker-pin-on-surface-pro-3-and-other-tablets/) support entering a BitLocker PIN at pre-boot with a BIOS software keyboard. Some tablets may have detachable keyboard that works during pre-boot. For example, the Surface Pro 2 with [firmware update from March 2014](https://www.microsoft.com/surface/en-us/support/install-update-activate/pro-2-history), Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with their detachable keyboards. If the tablet does not support a BIOS software keyboard or a detachable keyboard that works during pre-boot, then configuring the below policy will require a USB keyboard be plugged into the tablet to enter a BitLocker PIN at pre-boot. Contact the OEM to inquire about tablet support for this specific scenario.
+* **Resolution**: 
+    1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**
+    1. Set the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** policy to **Enabled**.
+    1. Run **gpupdate /force** from the command line.
+
+## License
+See [LICENSE](./LICENSE.md).
+
+## Contributing
+See [CONTRIBUTING](./CONTRIBUTING.md).
+
+## Disclaimer
+See [DISCLAIMER](./DISCLAIMER.md).