
What's New in BitLocker in Windows and Windows Server

BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected standby. Previously, this form of encryption was only available on Windows RT devices.
Device encryption helps protect data on your Windows PC. It helps block malicious users from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would. Device encryption protects the operating system drive and any fixed data drives on the system using AES 128-bit encryption. Device encryption can be used with either a Microsoft Account or a domain account. To support device encryption, the system must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems. The prerequisites are listed in the following sections:
  • System.Fundamentals.Security.DeviceEncryption – General device encryption requirements.
  • System.Fundamentals – Connected standby systems requirements.
  • System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby – Requirements for TPM 2.0 and Secure Boot for connected standby systems.
Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines the way this is accomplished:
  • When a clean install of Windows 8.1 is completed, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of the standard BitLocker suspended state).
  • If the device is not domain-joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator signs in with that Microsoft account, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft account credentials.
  • If the user signs in using a domain account, the clear key is not removed until the user joins the device to a domain (on x86/x64 platforms) and the recovery key is successfully backed up to Active Directory Domain Services. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. With this configuration the recovery password is created automatically when the computer joins the domain; the recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed.
For more information about the recovery key and how to access it, see Recovery keys: Frequently asked questions.

  1. If you have performed a clean install of Windows 8.1, device encryption is turned on by default. If you have upgraded a previous Windows installation to Windows 8.1, you can turn device encryption on by using PC info.
  2. To open PC info, swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings.)
  3. Tap or click PC & devices, and then tap or click PC info. The Device Encryption section appears at the bottom of the PC info page.
  4. In the Device Encryption section, select Turn On.
  5. Device encryption cannot be turned off on devices running Windows RT. For other devices, in the Device Encryption settings portion of PC info, you can select Turn Off if you want to stop using device encryption for any reason.

If you do not want the devices you are deploying to be automatically protected with device encryption, you can configure the unattend file to enforce the following registry setting:
  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Value: PreventDeviceEncryption equal to True (1)
  • Type: REG_DWORD

Device encryption is subject to BitLocker Group Policy settings; however, its default configuration will conflict with some Group Policy settings. The following list describes the policy settings that should be set to either “not configured” or, if configured, reviewed to ensure that they support device encryption.
  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup settings:

    • Any option that requires a startup authentication method other than the TPM.

      Device encryption defaults only allow the TPM key protector to be configured when the device is encrypted. On x86 and x64-based computers an additional protector can be added after the device is encrypted, from the BitLocker Control Panel, by using the Change how drive is unlocked at startup item.
  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered and Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed data drives can be recovered settings:

    • Device encryption uses recovery passwords only. If you have configured this Group Policy setting with the option Do not allow 48-digit recovery password, device encryption will be prevented because its only recovery method is the recovery password.
    • Device encryption requires that passwords be backed up to an online storage location. If you have configured this Group Policy setting with the option Save BitLocker recovery information to Active Directory Domain Services unchecked, device encryption will be prevented because device encryption requires that the recovery password be backed up to AD DS if the device is domain-joined.
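The following PowerShell script is an added example, not part of the original article: it audits a single Windows 8.1 device for the three conditions described above, the PreventDeviceEncryption registry opt-out, the Group Policy settings that conflict with device encryption, and the clear-key (suspended) state in which a volume is encrypted but not yet protected. The policy value names and numeric meanings under HKLM\SOFTWARE\Policies\Microsoft\FVE are my assumptions based on the BitLocker ADMX, not something the article states; Get-BitLockerVolume comes from the built-in BitLocker module.

```powershell
# Added example (not from the original article): audit device-encryption state and policy conflicts.
# Run in an elevated PowerShell session on the device being checked.
# Assumed (not on the page): policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE with the
# names below, where 0 = "do not allow", 1 = "require", 2 = "allow" for startup and recovery options.
Import-Module BitLocker

$findings = @()

# 1. Deployment opt-out: the registry setting the article says to enforce from the unattend file.
$bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' -ErrorAction SilentlyContinue
if ($bl.PreventDeviceEncryption -eq 1) {
    $findings += 'PreventDeviceEncryption=1: automatic device encryption is disabled by deployment setting.'
}

# 2. Group Policy conflicts listed in the article.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve) {
    # "Require additional authentication at startup": anything that mandates a protector other than the TPM.
    if ($fve.UseAdvancedStartup -eq 1 -and
        ($fve.UseTPM -eq 0 -or $fve.UseTPMPIN -eq 1 -or $fve.UseTPMKey -eq 1 -or $fve.UseTPMKeyPIN -eq 1)) {
        $findings += 'Startup policy requires a non-TPM protector; device encryption only configures the TPM protector.'
    }
    # "Choose how BitLocker-protected operating system drives can be recovered": the 48-digit password must stay allowed.
    if ($fve.OSRecovery -eq 1 -and $fve.OSRecoveryPassword -eq 0) {
        $findings += 'OS-drive recovery policy disallows the 48-digit recovery password; device encryption has no other recovery method.'
    }
    # Domain-joined devices must be allowed to back the recovery password up to AD DS.
    $domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    if ($fve.OSRecovery -eq 1 -and $fve.OSActiveDirectoryBackup -ne 1 -and $domainJoined) {
        $findings += 'Domain-joined, but recovery information is not saved to AD DS; device encryption will not complete.'
    }
}

# 3. Volume state: FullyEncrypted with ProtectionStatus Off means the clear key is still in use,
#    i.e. the suspended state before the recovery key is backed up and the TPM protector is created.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        $findings += "$($vol.MountPoint): encrypted with a clear key only; protection has not been activated yet."
    } elseif ($vol.ProtectionStatus -eq 'On' -and
              ($types -notcontains 'Tpm' -or $types -notcontains 'RecoveryPassword')) {
        $findings += "$($vol.MountPoint): protection is on but TPM and RecoveryPassword protectors are not both present ($($types -join ','))."
    }
}

if ($findings.Count -eq 0) { 'No device-encryption conflicts found.' } else { $findings }
```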

    Source: www.technet.microsoft.com

    Published by S.G. Godwin Dinesh, MCA
    Sr. System Administrator
