🎯 Purpose
✅ Enforce operating system disk encryption using BitLocker on all Windows devices, meeting Essential Eight – Maturity Level 1 requirements.
➡️ This ensures all devices protect data at rest using strong, enterprise‑grade encryption.
👥 Who is affected
✅ Devices: All Windows 10/11 devices
🚫 Exclusions: None
➡️ Every enrolled Windows device must encrypt the operating system drive.
💽 What is protected
✅ Disk: Operating system (OS) drive
✅ Encryption strength: XTS‑AES 256‑bit
✅ Hardware protection: TPM‑based startup authentication
➡️ If a device is lost or stolen, data on the OS drive remains unreadable.
🔐 How BitLocker is enforced
✅ BitLocker is required on the OS drive
✅ TPM is mandatory for startup authentication
✅ Other startup methods are blocked (TPM‑only startup is the single permitted protector):
   No startup keys
   No TPM + PIN
   No TPM + startup key
✅ Recovery information is:
   Stored securely in Azure AD
   Available to administrators
   Automatically escrowed before encryption completes
➡️ Encryption is enforced consistently and safely across all devices.
ℹ️ Note: A restart is required to enable TPM and begin encryption when the policy is applied.
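A local verification script, added here as an example and not part of the policy document or of any Intune export: it reads the device's actual BitLocker state with the built‑in BitLocker and TrustedPlatformModule PowerShell modules and reports every deviation from the settings listed above (OS drive encrypted, XTS‑AES 256, TPM present and ready, a TPM protector plus a recovery password, no PIN/startup‑key protectors). The expected values, the blocked‑protector list and the function name are assumptions chosen to mirror this page; run it in an elevated session on an enrolled device.

```powershell
# Added example (not part of the policy): check a device's BitLocker OS-drive
# state against the policy described above. Assumes the built-in BitLocker and
# TrustedPlatformModule modules; requires an elevated PowerShell session.

# Expected values are assumptions taken from the policy text, not read from Intune.
$ExpectedMethod    = 'XtsAes256'
# Protector types the policy blocks (startup key, TPM+PIN, TPM+key variants).
$BlockedProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey')

function Test-OsDriveBitLockerCompliance {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM must be present and ready before TPM-based startup authentication can work.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('TPM not present')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready (initialisation or restart required)')
    }

    # Only the operating system volume is in scope for this policy.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) {
        $findings.Add('BitLocker reports no operating system volume')
        return [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Compliant = $false; Findings = $findings }
    }

    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("Protection status is $($os.ProtectionStatus); expected On")
    }
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($os.VolumeStatus); expected FullyEncrypted")
    }
    if ($os.EncryptionMethod -ne $ExpectedMethod) {
        $findings.Add("Encryption method is $($os.EncryptionMethod); expected $ExpectedMethod")
    }

    # Key protectors: TPM for startup, RecoveryPassword for escrow, nothing from the blocked list.
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ('Tpm' -notin $types) {
        $findings.Add('No TPM key protector on the OS drive')
    }
    if ('RecoveryPassword' -notin $types) {
        $findings.Add('No recovery password protector (nothing available to escrow)')
    }
    foreach ($t in $types) {
        if ($t -in $BlockedProtectors) { $findings.Add("Disallowed startup protector present: $t") }
    }

    # Escrow itself happens cloud-side; locally the best evidence is the BitLocker
    # management event written when recovery information is backed up to Azure AD.
    $escrowEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $escrowEvent) {
        $findings.Add('No Azure AD recovery key backup event (ID 845) found in the BitLocker Management log')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $os.MountPoint
        EncryptionMethod = $os.EncryptionMethod
        Protectors       = ($types -join ', ')
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-OsDriveBitLockerCompliance | Format-List
```

A device that has just received the policy will typically fail on the TPM‑ready or volume‑status checks until the restart noted above has happened and encryption has finished; re-running the script after that restart, and confirming the recovery password also appears on the device object in Azure AD, closes the loop between what Intune reports and what the disk actually does.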
⚙️ What this policy does NOT enforce
🚫 Fixed drive encryption enforcement
🚫 Removable drive encryption enforcement
🚫 Attack Surface Reduction (ASR) rules
🚫 Defender antivirus hardening
🚫 Firewall or network security controls
🚫 Credential Guard or VBS
➡️ This separation is intentional for Maturity Level 1, keeping the policy focused purely on disk encryption.
🟢 Policy status
✅ Enabled
✅ Actively enforcing OS disk encryption
📘 Essential Eight Alignment
✅ Meets Essential Eight – Data at Rest Protection (Maturity Level 1)
✅ All operating system drives are encrypted
ℹ️ Encryption of additional drives and advanced startup protections are addressed in Maturity Levels 2 and 3
📘 Practical Interpretation (Executive‑Friendly)
This configuration policy ensures that:
✅ Every Windows device
✅ Encrypts its operating system drive
✅ Using strong, TPM‑protected BitLocker encryption
This establishes the minimum encryption baseline required by Essential Eight Maturity Level 1, protecting organisational data if devices are lost, stolen, or decommissioned, while providing a clean foundation for stronger protections in higher maturity levels.