PeteH-6686 asked

Microsoft Windows 10 Bitlocker and FIPS 140-2 compliance

Hello,

We have been unable to obtain a clear answer from Microsoft on this question. Was hoping someone in this community has some insight.

Is Microsoft Bitlocker on a Windows 10 computer FIPS 140-2 compliant out of the box (without any additional system changes)?

Additional color to the question: In the Local Security Policy of Windows 10 (secpol) there is a setting:

Security Settings --> Local Policies --> Security Options --> System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing.

Does this policy need to be enabled for Bitlocker to be FIPS 140-2 compliant, or is Bitlocker on its own FIPS 140-2 compliant without the need to enable this policy?

If you know the answer, can you point me to a document that clearly states this for Windows 10 Enterprise? We have found some documentation, but it's old (2014) and seems to apply to older versions of Windows, not Windows 10.

Thanks,
Pete


1 Answer

AliceYang-MSFT answered

Hi,

BitLocker is FIPS 140-2 validated. Please check the link for more information about FIPS 140-2 Validation.

FIPS 140 compliant is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.

The policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" can enable FIPS mode. After this policy is enabled, BitLocker will use only FIPS compliant algorithms. BitLocker is FIPS compliant with this policy enabled.

We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.

Please also check this link: "You shouldn't enable this setting unless you work in government or need to test how software will behave on government PCs."

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
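To see where a given machine stands on the two points raised in this thread (the FIPS policy and what BitLocker is actually using), here is an added PowerShell check; it is not from Microsoft or from the answer above. It reads the registry value the "System cryptography: Use FIPS compliant algorithms" policy sets (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, value Enabled) and assumes the BitLocker module's Get-BitLockerVolume cmdlet is available and the shell is elevated.

```powershell
# Added example, not the thread's or Microsoft's code.
# Reports the FIPS policy state and, per volume, BitLocker's encryption
# method and key protectors (e.g. Tpm, RecoveryPassword) so an admin can
# compare the current configuration against the FIPS 140-2 requirements.

function Get-FipsPolicyState {
    # This registry value is what the Local Security Policy setting writes.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }   # value absent: policy not enabled
    return ([int]$item.Enabled -eq 1)
}

function Get-BitLockerFipsReport {
    $fipsEnabled = Get-FipsPolicyState
    foreach ($vol in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, etc.
            ProtectionStatus  = $vol.ProtectionStatus    # On / Off
            EncryptionMethod  = $vol.EncryptionMethod    # e.g. XtsAes128
            KeyProtectors     = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            FipsPolicyEnabled = $fipsEnabled
        }
    }
}

Get-BitLockerFipsReport | Format-Table -AutoSize
```

The report shows the current state only: enabling the policy does not change the method a volume was already encrypted with, so check the EncryptionMethod column rather than assuming it follows the policy.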

BitLocker on a Windows 10 computer is FIPS 140-2 validated out of the box (without any additional system changes).

The policy needs to be enabled for BitLocker to be FIPS 140-2 compliant.


Seems that to be compliant does not mean Bitlocker can only use the default XTS-AES 128 approved algorithm, but rather a multitude of things including but not limited to key storage (TPM) and backup key retrieval methods. It also does not look like there has been a 'Validated' Windows Edition since the Windows 10 Fall 2018 Update. So to me it seems like anyone running a Windows 10 version newer than that, which is highly likely since 1809 is currently EOL, would not be in compliance with FIPS 140-2 even if someone took the additional step to enable FIPS mode. Is that correct @AliceYang-MSFT?
