BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected standby. Previously this form of encryption was only available on Windows RT devices.
Device encryption helps protect data on your Windows PC. It helps block malicious users from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would. Device encryption protects the operating system drive and any fixed data drives on the system using AES 128-bit encryption. Device encryption can be used with either a Microsoft account or a domain account. To support device encryption, the system must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and Secure Boot on connected standby systems. The prerequisites are listed in the following sections:
- System.Fundamentals.Security.DeviceEncryption - General device encryption requirements.
- System.Fundamentals - Connected standby systems requirements.
- System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby - Requirements for TPM 2.0 and Secure Boot for connected standby systems.
When a clean install of Windows 8.1 is completed, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of the standard BitLocker suspended state).
- If the device is not domain-joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft account credentials.
- If the user signs in using a domain account, the clear key is not removed until the user joins the device to a domain (on x86/x64 platforms) and the recovery key is successfully backed up to Active Directory Domain Services. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. With this configuration the recovery password will be automatically created when the computer joins the domain, then the recovery key will be backed up to AD DS, the TPM protector is created, and the clear key is removed.
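As an added example (not part of the TechNet article), the following PowerShell audits the prerequisites and the protector state that the clean-install flow above leaves behind. It assumes Windows 8.1 with the built-in TrustedPlatformModule, SecureBoot and BitLocker modules, an elevated session, and reads a fully encrypted volume whose protection is off as the clear-key (suspended) state.

```powershell
# Added example (not from the TechNet article): audit the prerequisites and
# the protector state left by the clean-install flow described above.
# Assumes Windows 8.1 with the TrustedPlatformModule, SecureBoot and BitLocker
# modules, run from an elevated PowerShell session.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'TPM is missing or not ready; device encryption will not initialize.'
}
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled.' }
} catch {
    Write-Warning 'Secure Boot state could not be read (legacy BIOS or not elevated).'
}

$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)

    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        # Encrypted but unprotected: the volume is still sealed with the clear
        # key (BitLocker "suspended"), so sign-in or domain join has not yet
        # replaced it with a TPM protector.
        Write-Warning "$($vol.MountPoint) is protected by a clear key only."
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $types) {
        Write-Warning "$($vol.MountPoint) has no TPM protector."
    }

    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector."
    } elseif ($domainJoined) {
        # Domain-joined: escrow each recovery password to AD DS, the step the
        # article requires before the clear key is removed.
        foreach ($rp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    '{0}: {1}, protection {2}, method {3}, protectors [{4}]' -f $vol.MountPoint,
        $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod, ($types -join ', ')
}
```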
If you have performed a clean install of Windows 8.1, device encryption is turned on by default. If you have upgraded a previous Windows installation to Windows 8.1, you can turn device encryption on by using PC info.
To open PC info, swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings.)
- Tap or click PC & devices, and then tap or click PC info. The Device Encryption section appears at the bottom of the PC info page.
- In the Device Encryption section, select Turn On.
Device encryption cannot be turned off on devices running Windows RT. For other devices, in the Device Encryption settings portion of PC info, you can select Turn Off if you want to stop using device encryption for any reason.
If you do not want the devices you are deploying to be automatically protected with device encryption, you can configure the unattend file to enforce the following registry setting:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
- Value: PreventDeviceEncryption equal to True (1)
- Type: REG_DWORD
Device encryption is subject to BitLocker Group Policy settings; however, its default configuration will conflict with some Group Policy settings. The following list describes the policy settings that should be set to either "not configured" or, if configured, reviewed to ensure that they support device encryption.
- Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup settings:
  - Any option that requires a startup authentication method other than the TPM. Device encryption defaults only allow for the TPM key protector to be configured when the device is encrypted. On Windows x64 and x86 computers an additional protector can be added after the device is encrypted from the BitLocker Control Panel by using the Change how drive is unlocked at startup item.
- Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered and Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed data drives can be recovered settings:
  - Device encryption uses recovery passwords only. If you have configured this Group Policy setting with the option Do not allow 48-digit recovery password, device encryption will be prevented because its only recovery method is the recovery password.
  - Device encryption requires that passwords be backed up to an online storage location. If you have configured this Group Policy setting with the option Save BitLocker recovery information to Active Directory Domain Services unchecked, device encryption will be prevented because device encryption requires that the recovery password be backed up to AD DS if the device is domain-joined.
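An added example, not from the article, that checks a device for the conflicting policy settings described above and for the PreventDeviceEncryption opt-out from the unattend section. It reads the BitLocker policy registry key; the FVE value names and their 0/1/2 meanings are my reading of VolumeEncryption.admx (an assumption to verify against the ADMX in your environment), not something the article states.

```powershell
# Added example (not from the TechNet article): flag the Group Policy settings
# described above that conflict with device encryption, plus the opt-out key.
# Assumption: FVE value names/meanings follow VolumeEncryption.admx; verify locally.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$bde = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

function Get-PolicyValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()
if ((Get-PolicyValue $bde 'PreventDeviceEncryption') -eq 1) {
    $findings += 'PreventDeviceEncryption=1: automatic device encryption is disabled.'
}

# "Require additional authentication at startup" (0 = do not allow, 1 = require,
# 2 = allow): requiring a PIN/startup key or forbidding the bare TPM conflicts.
if ((Get-PolicyValue $fve 'UseAdvancedStartup') -eq 1) {
    foreach ($name in 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        if ((Get-PolicyValue $fve $name) -eq 1) {
            $findings += "$name=1 requires a startup method other than the TPM."
        }
    }
    if ((Get-PolicyValue $fve 'UseTPM') -eq 0) {
        $findings += 'UseTPM=0 does not allow the TPM-only protector.'
    }
}

# "Choose how ... drives can be recovered" for OS (OS*) and fixed data (FDV*)
# drives: the 48-digit password must be allowed and, when domain-joined,
# AD DS backup must be checked.
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
foreach ($prefix in 'OS', 'FDV') {
    if ((Get-PolicyValue $fve "${prefix}Recovery") -ne 1) { continue }
    if ((Get-PolicyValue $fve "${prefix}RecoveryPassword") -eq 0) {
        $findings += "${prefix}RecoveryPassword=0 blocks the recovery password protector."
    }
    if ($domainJoined -and (Get-PolicyValue $fve "${prefix}ActiveDirectoryBackup") -ne 1) {
        $findings += "${prefix}ActiveDirectoryBackup unchecked: no AD DS escrow of the password."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No BitLocker policy settings conflict with device encryption.' }
```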
Source: www.technet.microsoft.com
Published by S.G.Godwin Dinesh.MCA, Sr. System Administrator