This commit is contained in:
Paolo Matarazzo 2023-10-09 09:28:22 -04:00
parent f2b92ec332
commit 2add9c4494
8 changed files with 30 additions and 32 deletions

View File

@ -4,7 +4,7 @@ description: Learn about passkeys and how to use them on Windows devices.
ms.collection:
- highpri
- tier1
ms.topic: article
ms.topic: overview
ms.date: 09/27/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

View File

@ -1,7 +1,7 @@
---
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: conceptual
ms.topic: concept-article
ms.date: 10/05/2023
---

View File

@ -1,7 +1,7 @@
---
title: Device Encryption
description: Learn how Device Encryption works for devices that support it.
ms.topic: conceptual
ms.topic: overview
ms.date: 10/06/2023
---
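Review bot: The original value `conceptual` is mapped to `overview` here but to `concept-article` for bitlocker-countermeasures.md and the planning guide elsewhere in this commit; if the rule is that product-level pages become `overview` and explanatory pages become `concept-article`, stating that in the PR description would let reviewers check the remaining `conceptual` pages against it.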

View File

@ -57,7 +57,7 @@ BitLocker has the following requirements:
*Device Encryption* is a security feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device Encryption requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access.
To learn more about Device Encryption, see the [BitLocker Planning Guide](device-encryption.md).
To learn more about Device Encryption, see the [Device Encryption](device-encryption.md).
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
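Review bot: The replacement sentence `To learn more about Device Encryption, see the [Device Encryption](device-encryption.md).` keeps the article "the" from the old link text, so it now reads "see the Device Encryption."; either drop "the" or change the link text to "the Device Encryption article". The link target fix itself is correct, since the previous text pointed at a planning-guide label while linking to device-encryption.md.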

View File

@ -1,7 +1,7 @@
---
title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.topic: conceptual
ms.topic: how-to
ms.date: 11/08/2022
---
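Review bot: The description states that this article both explains how Network Unlock works and how to configure it, so `how-to` covers only the configuration half; that is acceptable if the conceptual part is short, otherwise `concept-article`, as used for the countermeasures page in this commit, may be the better fit.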

View File

@ -1,21 +1,21 @@
---
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: conceptual
ms.topic: concept-article
ms.date: 10/06/2023
---
# BitLocker planning guide
A BitLocker deployment strategy inculudes definining the appropriate policies and configuration requirements based on your organization's security requirements. This article helps collecting the information to assist with a BitLocker deployment.
A BitLocker deployment strategy includes definining the appropriate policies and configuration requirements based on your organization's security requirements. This article helps collecting the information to assist with a BitLocker deployment.
## Audit the environment
To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then these policies may not exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features.
To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software and the organization's security policies. If the organization isn't using disk encryption software, then these policies may not exist. If disk encryption software is in use, then the policies may need to change to use certain BitLocker features.
To help document the organization's current disk encryption security policies, answer the following questions:
- Are there policies to determine which devices will use BitLocker and which computers won't?
- Are there policies to determine which devices must use BitLocker and which computers don't?
- What policies exist to control recovery password and recovery key storage?
- What are the policies for validating the identity of users who need to perform BitLocker recovery?
- What policies exist to control who in the organization has access to recovery data?
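Review bot: The rewritten first paragraph fixes `inculudes` but leaves `definining` (should be `defining`) and `helps collecting` (should be `helps collect`) in the new line, so it needs a second pass. In the rewritten question `Are there policies to determine which devices must use BitLocker and which computers don't?`, `devices` and `computers` are used for the same thing in one sentence; pick one term.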
@ -29,30 +29,36 @@ BitLocker can lock the normal startup process until the user supplies a personal
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It's crucial that organizations protect information on their devices regardless of the state of the device or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
### BitLocker key protectors
| Key protector | Description |
| - | - |
| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.|
| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
### BitLocker authentication methods
| Authentication method | Requires user interaction | Description |
| - | - | - |
| *TPM only*| No| TPM validates early boot components.|
| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device.|
| TPM only| No| TPM validates early boot components.|
| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
| TPM + startup key | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device.|
#### Support for devices without TPM
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support devices with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support devices without TPM, a user must use a USB startup key to boot the system. The startup key requires extra support processes similar to multifactor authentication.
#### What areas of the organization need a baseline level of data protection?
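Review bot: The new `Support for devices without TPM` paragraph correctly fixes the inverted condition (`with TPM 1.2 or higher versions` became `without TPM`), but its first sentence still reads `don't have a TPM 1.2 or higher versions`, which should be `don't have TPM 1.2 or a later version`. The three paragraphs inserted before `### BitLocker key protectors` are the ones removed from the `Preboot information protection` section in the next hunk, but the sentence explaining that Windows can provide single sign-on from the preboot environment was not carried over, so the paragraph now lacks the point it was leading up to. While the `Startup key only` row is being edited to drop the italics, `and then reboot the device` should become `and then reboots the device` to agree with `The user is prompted`, and `depending on the devices' configuration` in the moved paragraph should be `device's`.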
@ -71,14 +77,6 @@ If there are devices with highly sensitive data, then deploy BitLocker with mult
The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes.
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It's crucial that organizations protect information on their devices regardless of the state of the device or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
Windows can enable a signle sign-on (SSO) experience from the preboot environment when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
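Review bot: Removing the `## Preboot information protection` heading drops the `#preboot-information-protection` anchor; search the repo for links to that anchor before merging. The removed block also contained `Windows can enable a signle sign-on (SSO) experience from the preboot environment when robust information protection configurations are in place.`, which does not appear in the paragraphs moved up earlier in this file; if the SSO point is still wanted, re-add it at the new location with `single` spelled correctly.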

View File

@ -106,7 +106,7 @@ If software maintenance requires the computer to be restarted and two-factor aut
Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
## Testing recovery
## Test the recovery process
Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
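Review bot: Renaming `## Testing recovery` to `## Test the recovery process` changes the generated anchor from `#testing-recovery` to `#test-the-recovery-process`; any cross-reference to the old anchor, in this file or elsewhere in the repo, needs updating. The imperative form is otherwise consistent with the other headings in the file.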
@ -137,7 +137,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
> [!NOTE]
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
## Planning the recovery process
## Plan the recovery process
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
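Review bot: Renaming `## Planning the recovery process` to `## Plan the recovery process` changes the anchor from `#planning-the-recovery-process` to `#plan-the-recovery-process`; links to the old anchor need to be found and updated in the same change.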

View File

@ -2,7 +2,7 @@
title: Windows operating system security
description: Securing the operating system includes system security, encryption, network security, and threat protection.
ms.date: 08/02/2023
ms.topic: article
ms.topic: overview
---
# Windows operating system security