deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into v-smandalika-blnw-unlck-4318240

Browse Source
This commit is contained in:
Daniel Simpson
2022-06-10 13:27:14 -07:00
committed by GitHub
parent b1cb36bb60 c1b1a9fc9c
commit 2c123098d1
960 changed files with 14883 additions and 10296 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -49,6 +49,7 @@ BitLocker encryption can be done using the following methods:
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
@ -69,8 +70,6 @@ Once a strong password has been created for the volume, a recovery key will be g
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
@ -81,7 +80,8 @@ It's recommended that drives with little to no data use the **used disk space on
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
@ -93,7 +93,7 @@ Unlike for operating system volumes, data volumes aren't required to pass any co
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption.
With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
@ -101,8 +101,7 @@ Encryption status displays in the notification area or within the BitLocker cont
There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
@ -110,7 +109,7 @@ Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows.
The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
@ -131,7 +130,7 @@ Command-line users need to determine the appropriate syntax for a given situatio
### Operating system volume
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
**Determining volume status**
@ -156,17 +155,17 @@ It's possible to encrypt the operating system volume without any defined protect
`manage-bde -on C:`
This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:
`manage-bde -protectors -get <volume>`
**Provisioning BitLocker with two protectors**
Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command:
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
`manage-bde -protectors -add C: -pw -sid <user or group>`
This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
### Data volume
@ -212,9 +211,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
```powershell
Get-BitLockerVolume C: | fl
```
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
```powershell
$vol = Get-BitLockerVolume
@ -227,9 +225,8 @@ Using this information, we can then remove the key protector for a specific volu
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
### Operating system volume
@ -249,7 +246,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTes
### Data volume
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
```powershell
$pw = Read-Host -AsSecureString
@ -275,7 +273,6 @@ For users who wish to use the SID for the account or group, the first step is to
```powershell
Get-ADUser -filter {samaccountname -eq "administrator"}
```
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
@ -287,9 +284,8 @@ In the example below, the user wishes to add a domain SID-based protector to the
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
> [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
@ -297,7 +293,7 @@ To check the BitLocker status of a particular volume, administrators can look at
### Checking BitLocker status with the control panel
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include:
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include:
| Status | Description |
| - | - |
@ -307,6 +303,7 @@ Checking BitLocker status with the control panel is the most common method used
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
@ -329,17 +326,16 @@ manage-bde -status <volume>
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
```powershell
Get-BitLockerVolume <volume> -Verbose | fl
```
This command will display information about the encryption method, volume type, key protectors, etc.
This command displays information about the encryption method, volume type, key protectors, etc.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
@ -347,12 +343,12 @@ Decrypting volumes removes BitLocker and any associated protectors from the volu
### Decrypting volumes using the BitLocker control panel applet
BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process.
Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel.
BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process.
After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
### Decrypting volumes using the manage-bde command-line interface
@ -361,8 +357,7 @@ Decrypting volumes using manage-bde is straightforward. Decryption with manage-b
```powershell
manage-bde -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
```powershell
manage-bde -status C:

21
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -28,12 +28,12 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks.
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks.
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
Data on a lost or stolen computer is vulnerable.
For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computers hard disk to a different computer.
For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computers hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by:
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computers BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
@ -44,7 +44,7 @@ For more information about how to enable the best overall security configuration
## Protection before startup
Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot.
Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
### Trusted Platform Module
@ -53,7 +53,7 @@ On some platforms, TPM can alternatively be implemented as a part of secure firm
BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline.
For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
### UEFI and Secure Boot
### UEFI and secure boot
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating systems bootloader.
@ -92,14 +92,14 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
On the other hand, Pre-boot authentication prompts can be inconvenient to users.
On the other hand, Pre-boot authentication-prompts can be inconvenient to users.
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organizations support team to obtain a recovery key.
Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
@ -117,7 +117,7 @@ You can use the System Information desktop app (MSINFO32) to check if a device h
![Kernel DMA protection.](images/kernel-dma-protection.png)
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports:
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
@ -137,6 +137,7 @@ This section covers countermeasures for specific types of attacks.
A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
This is the default configuration.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
@ -156,7 +157,7 @@ It also blocks automatic or manual attempts to move the paging file.
### Memory remanence
Enable Secure Boot and require a password to change BIOS settings.
Enable secure boot and mandatorily prompt a password to change BIOS settings.
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
## Attacker countermeasures
@ -195,7 +196,7 @@ Computer Configuration|Administrative Templates|Windows Components|BitLocker Dri
This setting is **Not configured** by default.
For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device.
For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
## See also

44
windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
View File

@ -1,6 +1,6 @@
---
title: BitLocker How to deploy on Windows Server 2012 and later
description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
ms.reviewer:
ms.prod: m365-security
@ -22,28 +22,30 @@ ms.custom: bitlocker
> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install.
This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using Server Manager
### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using server manager
1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.
1. Open server manager by selecting the server manager icon or running servermanager.exe.
2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown).
4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features Wizard** pane and select **Next** to continue.
5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install.
6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
**Note**: Server roles and features are installed by using the same wizard in Server Manager.
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools
** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
> **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.
> **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
 
8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete.
9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
9. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation.
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation.
>**Note:**  You must restart the server to complete the installation of BitLocker.
 
@ -51,20 +53,20 @@ Windows PowerShell offers administrators another option for BitLocker feature in
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.
By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. This can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
```
The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command:
To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
```
The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
- BitLocker Drive Encryption
- BitLocker Drive Encryption Tools
@ -74,7 +76,7 @@ The result of this command displays the following list of all the administration
- AD DS Tools
- AD DS and AD LDS Tools
The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is:
The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
@ -84,13 +86,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
 
### Using the dism module to install BitLocker
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
To install BitLocker using the `dism` module, use the following command:
@ -98,7 +100,7 @@ To install BitLocker using the `dism` module, use the following command:
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
```
This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All

212
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -20,7 +20,7 @@ ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker: How to enable Network Unlock
# BitLocker: How to enable network unlock
**Applies to**
@ -28,49 +28,48 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This article for IT professionals describes how BitLocker Network Unlock works and how to configure it.
This topic describes how BitLocker network unlock works and how to configure it.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers.
Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session.
## <a href="" id="bkmk-nunlockcorereqs"></a>Network unlock core requirements
## <a href="" id="bkmk-nunlockcorereqs"></a>Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems:
- Windows 8 or Windows Server 2012 as the current operating system.
- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients.
- Network Unlock clients with a TPM chip and at least one TPM protector.
- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
- BitLocker Network Unlock optional feature installed on any supported server operating system.
- A DHCP server, separate from the WDS server.
- Properly configured public/private key pairing.
- Network Unlock group policy settings configured.
- You must be running at least Windows 8 or Windows Server 2012.
- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client.
- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector.
- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system.
- The BitLocker Network Unlock optional feature can be installed on any supported server operating system.
- You must have a DHCP server, separate from the WDS server.
- You must have a properly configured public/private key pairing.
- Network Unlock Group Policy settings must be configured.
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer.
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
> [!NOTE]
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock.
Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement.
The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server.
Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server.
The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key.
The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive.
The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients.
The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
@ -81,8 +80,8 @@ The Network Unlock process follows these phases:
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
- A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server.
- An AES-256 session key for the reply.
1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
@ -90,13 +89,13 @@ The Network Unlock process follows these phases:
8. This combined key is used to create an AES-256 key that unlocks the volume.
9. Windows continues the boot sequence.
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure network unlock
The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012.
The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
### <a href="" id="bkmk-installwdsrole"></a>Install the WDS server role
The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role.
The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
To install the role by using Windows PowerShell, use the following command:
@ -104,51 +103,51 @@ To install the role by using Windows PowerShell, use the following command:
Install-WindowsFeature WDS-Deployment
```
Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard.
You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard.
### <a href="" id="bkmk-confirmwdsrunning"></a>Confirm the WDS service is running
To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service.
To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
To confirm the service is running by using Windows PowerShell, use the following command:
To confirm that the service is running using Windows PowerShell, use the following command:
```powershell
Get-Service WDSServer
```
### <a href="" id="bkmk-installnufeature"></a>Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**.
To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
To install the feature by using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature BitLocker-NetworkUnlock
```
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template:
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
1. Open the certificate template snap-in (`certtmpl.msc`).
2. Locate the user template. Right-click the template name, and then select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**.
5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**.
9. Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**.
10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**.
11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**.
12. In the **Edit Application Policies Extension** dialog box, select **Add**.
13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template, right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name**: **BitLocker Network Unlock**
- **Object Identifier**: **1.3.6.1.4.1.311.67.1.1**
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**.
15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**.
14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
17. Click **OK** to complete configuration of the template.
To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@ -159,7 +158,6 @@ After you add the Network Unlock template to the certificate authority, you can
Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
To enroll a certificate from an existing certificate authority:
1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
2. Under **Certificates - Current User**, right-click **Personal**.
3. Select **All Tasks** > **Request New Certificate**.
@ -170,12 +168,14 @@ To enroll a certificate from an existing certificate authority:
7. Create the certificate. Ensure the certificate appears in the **Personal** folder.
8. Export the public key certificate for Network Unlock:
1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**.
1. Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
2. Select **No, do not export the private key**.
3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file.
4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*.
9. Export the public key with a private key for Network Unlock:
1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**.
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
4. Give the file a name such as BitLocker-NetworkUnlock.cer.
9. Export the public key with a private key for Network Unlock.
1. Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
2. Select **Yes, export the private key**.
3. Complete the steps to create the *.pfx* file.
@ -189,7 +189,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=
Here's a `certreq` example:
1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*.
1. Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf.
2. Add the following contents to the previously created file:
```ini
@ -216,60 +216,56 @@ Here's a `certreq` example:
```cmd
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
4. Verify the previous command properly created the certificate by confirming the *.cer* file exists.
5. Launch **Certificates - Local Machine** by running `certlm.msc`.
6. Create a *.pfx* file by opening the *Certificates Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file.
4. Verify that certificate was properly created by the previous command by confirming that the .cer file exists.
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server
Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer.
2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**.
3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously.
4. Enter the password that you used to create the *.pfx* file, and finish the steps.
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**.
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
### Configure Group Policy settings for Network Unlock
### Configure group policy settings for network unlock
You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC.
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
To enable the Group Policy setting that's required to configure Network Unlock:
The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock.
1. Open Group Policy Management Console (`gpmc.msc`).
2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
To deploy the required Group Policy setting:
The following steps describe how to deploy the required group policy setting:
> [!NOTE]
> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
1. Copy the *.cer* file that you created for Network Unlock to the domain controller.
2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients:
1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*.
2. Right-click the folder, and then choose **Add Network Unlock Certificate**.
3. Follow the steps and import the *.cer* file that you copied earlier.
1. Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
2. Right-click the folder and select **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
> [!NOTE]
> Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer.
5. Reboot the clients after you deploy the Group Policy.
> [!NOTE]
> The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store.
> The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
### Subnet policy configuration files on the WDS server (optional)
By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking.
By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock.
The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests.
The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections.
Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names.
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple namevalue pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
```ini
[SUBNETS]
@ -278,19 +274,13 @@ SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate.
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
> [!NOTE]
> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail.
> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate.
So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section.
Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that the list specifies.
To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon.
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
```ini
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
@ -305,29 +295,30 @@ To disallow the use of a certificate altogether, add a `DISABLED` line to its su
## <a href="" id="bkmk-turnoffnetworkunlock"></a>Turn off Network Unlock
To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain.
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
> [!NOTE]
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server.
> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server.
## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller.
To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller.
> [!NOTE]
> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items:
Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode.
- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode.
- All required roles and services are installed and started.
- Public and private certificates have been published and are in the proper certificate containers. Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer.
- Group Policy for Network Unlock is enabled and linked to the appropriate domains.
- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility.
- The clients were rebooted after the policy was applied.
- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer.
- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer.
- Group policy for network unlock is enabled and linked to the appropriate domains.
- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
- Verify whether the clients were rebooted after applying the policy.
- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
```powershell
manage-bde -protectors -get C:
@ -350,7 +341,6 @@ Gather the following files to troubleshoot BitLocker Network Unlock.
1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
1. In the right pane, select **Enable Log**.
- The DHCP subnet configuration file (if one exists).
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
@ -366,12 +356,12 @@ Your system must meet these requirements:
Follow these steps to configure Network Unlock on these older systems.
1. [Install the WDS server role.](#bkmk-installwdsrole)
2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning)
3. [Install the Network Unlock feature.](#bkmk-installnufeature)
4. [Create the Network Unlock certificate.](#bkmk-createcert)
5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert)
6. Configure registry settings for Network Unlock:
1. [Install the WDS Server role](#bkmk-installwdsrole)
2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning)
3. [Install the Network Unlock feature](#bkmk-installnufeature)
4. [Create the Network Unlock certificate](#bkmk-createcert)
5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert)
6. Configure registry settings for network unlock:
Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article.
@ -387,7 +377,7 @@ Follow these steps to configure Network Unlock on these older systems.
```
7. Set up a TPM protector on the clients.
8. Reboot the clients to add the **Network (Certificate Based)** protector.
8. Reboot the clients to add the Network (certificate based) protector.
## See also

1
windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
View File

@ -23,6 +23,7 @@ title: BitLocker Overview and Requirements FAQ
summary: |
**Applies to**
- Windows 10
- Windows 11
sections:

4
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -1,5 +1,5 @@
---
title: BitLocker (Windows 10)
title: BitLocker
description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
ms.author: dansimp
@ -102,4 +102,4 @@ When installing the BitLocker optional component on a server you will also need
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 11, Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows IoT Core |
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows IoT Core |

35
windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
View File

@ -1,16 +1,11 @@
---
title: Breaking out of a Bitlocker recovery loop
description: This topic for IT professionals describes how to break out of a Bitlocker recovery loop.
ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee
title: Breaking out of a BitLocker recovery loop
description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.author: v-maave
author: dansimp
author: aczechowski
ms.author: aaroncz
manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
@ -19,25 +14,21 @@ ms.date: 10/28/2019
ms.custom: bitlocker
---
# Breaking out of a Bitlocker recovery loop
# Breaking out of a BitLocker recovery loop
Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating.
Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating.
If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
> [!NOTE]
> Only try these steps after you have restarted your device at least once.
> Try these steps only after you have restarted your device at least once.
1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**.
1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**.
1. On the next screen, select **Troubleshoot**.
2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
1. On the Troubleshoot screen, select **Advanced options**.
3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
1. On the Advanced options screen, select **Command prompt**.
4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system
5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system.

4
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
View File

@ -28,7 +28,7 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
This topic describes how to use the BitLocker Recovery Password Viewer.
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).
@ -38,7 +38,7 @@ To complete the procedures in this scenario:
- You must have domain administrator credentials.
- Your test computers must be joined to the domain.
- On the test computers, BitLocker must have been turned on after joining the domain.
- On the domain-joined test computers, BitLocker must have been turned on.
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.

31
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -18,14 +18,14 @@ ms.custom: bitlocker
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
@ -42,13 +42,12 @@ To resolve this issue, follow these steps:
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
1. Try again to start BitLocker Drive Encryption.
2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8
3. Retry starting BitLocker drive encryption.
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
@ -59,11 +58,11 @@ The TPM is locked out.
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
2. Restart the device again, and return to the TPM management console. Following message is displayed:
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
1. Restart the device, and change the BIOS configuration to enable the TPM.
1. Restart the device, and return to the TPM management console.
3. Restart the device, and change the BIOS configuration to enable the TPM.
4. Restart the device, and return to the TPM management console.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
@ -72,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
### Cause
The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
@ -84,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that
To verify that you have correctly identified this issue, use one of the following methods:
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
@ -95,13 +94,13 @@ To verify that you have correctly identified this issue, use one of the followin
In this command, *ComputerName* is the name of the affected computer.
1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
@ -109,7 +108,7 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati
### Cause
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
### Resolution

10
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -18,13 +18,13 @@ ms.custom: bitlocker
# BitLocker configuration: known issues
This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10 and Windows 11
In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
@ -41,7 +41,7 @@ After Windows 7 was released, several other areas of BitLocker were improved:
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
- BitLocker Wizard
@ -90,12 +90,12 @@ This issue occurs regardless of any of the following variations in the environme
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the domain controller Application log, the VSS event source records event ID 8229:
In the domain controller application log, the VSS event source records event ID 8229:
> ID: 8229
> Level: Warning
> Source: VSS
> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
>

55
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -39,7 +39,7 @@ If you do not have a clear trail of events or error messages to follow, other ar
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review your BitLocker policy configuration](#policy)
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
@ -49,7 +49,7 @@ Event ID 853 can carry different error messages, depending on the context. In th
### Cause
The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
### Resolution
@ -70,9 +70,9 @@ In this case, you see event ID 853, and the error message in the event indicates
### Cause
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects removable bootable media.
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
### Resolution
@ -90,7 +90,7 @@ The event information resembles the following:
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE is not available on the device, provisioning stops.
@ -104,7 +104,7 @@ The procedures described in this section depend on the default disk partitions t
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
```console
diskpart
@ -113,7 +113,7 @@ list volume
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager):
![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
@ -124,7 +124,6 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win
```console
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png)
@ -137,13 +136,13 @@ reagentc /enable
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```console
bcdedit /enum all
```
The output of this command resembles the following.
The output of this command resembles the following:
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
@ -159,11 +158,11 @@ The event information resembles the following:
### Cause
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS.
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS.
### Resolution
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
To verify the BIOS mode, use the System Information application. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
@ -174,7 +173,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device.
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
@ -184,11 +183,11 @@ You receive an error message that resembles the following:
### Cause
A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
### Resolution
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps:
#### Step 1: Verify the PCR validation profile of the TPM
@ -198,17 +197,17 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t
Manage-bde -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
![Output of the manage-bde command.](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on.
![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
#### 2. Verify the Secure Boot state
#### 2. Verify the secure boot state
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
To verify the secure boot state, use the System Information application. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
@ -229,7 +228,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
@ -237,7 +236,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
> Event ID:846
>
@ -270,7 +269,7 @@ The issue affects Windows 11 and Windows 10 version 1809.
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## <a id="issue-5"></a>Error message: There are conflicting Group Policy settings for recovery options on operating system drives
## <a id="issue-5"></a>Error message: There are conflicting group policy settings for recovery options on operating system drives
You receive a message that resembles the following:
@ -278,13 +277,13 @@ You receive a message that resembles the following:
### Resolution
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
## <a id="policy"></a>Review your BitLocker policy configuration
For information about how to use policy together with BitLocker and Intune, see the following resources:
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
@ -302,7 +301,7 @@ Intune offers the following enforcement types for BitLocker:
If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following:
![Intune policy settings.](./images/4509186-en-1.png)
@ -320,7 +319,7 @@ The OMA-URI references for these settings are as follows:
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
@ -339,11 +338,11 @@ The OMA-URI references for these settings are as follows:
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)

83
windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
View File

@ -1,89 +1,90 @@
---
title: BitLocker Network Unlock known issues
description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
ms.reviewer: kaushika
title: BitLocker network unlock known issues
description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues.
ms.technology: windows-sec
ms.prod: m365-security
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tappelgate
manager: kaushika
audience: ITPro
ms.reviewer: kaushika
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/7/2019
ms.custom: bitlocker
---
# BitLocker Network Unlock: known issues
# BitLocker network unlock: known issues
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements:
- Each computer belongs to a domain
- Each computer has a wired connection to the corporate network
- The corporate network uses DHCP to manage IP addresses
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
- Each computer belongs to a domain.
- Each computer has a wired connection to the internal network.
- The internal network uses DHCP to manage IP addresses.
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues.
## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
## Tip: Detect whether BitLocker network unlock is enabled on a specific computer
You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands.
You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands.
1. Open an elevated Command Prompt window and run the following command:
1. Open an elevated command prompt window and run the following command:
```cmd
manage-bde protectors get <Drive>
manage-bde -protectors -get <Drive>
```
```cmd
manage-bde -protectors -get C:
```
where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
Where `<Drive>` is the drive letter, followed by a colon (`:`), of the bootable drive.
If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock.
1. Start Registry Editor, and verify the following settings:
- Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
- Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1.
- Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`.
- Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1.
## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured
## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.
You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.
You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
### Cause
### Cause of issue 1
The UEFI network stack on the device was incorrectly configured.
The UEFI network stack on the device was incorrectly configured.
### Resolution
### Resolution for issue 1
To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
> [!NOTE]
> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option.
> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option.
## Unable to use BitLocker Network Unlock feature on a Windows client computer
## 2. Unable to use BitLocker network unlock feature on a Windows client computer
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
### Cause
### Cause of issue 2
A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request.
- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence)
For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
### Resolution
### Resolution for issue 2
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.

28
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
@ -31,7 +31,7 @@ Windows prompts you for a BitLocker recovery password. However, you did not conf
### Resolution
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
You have a tablet or slate device, and you try to test BitLocker recovery by running the following command:
```console
Manage-bde -forcerecovery
@ -73,7 +73,7 @@ However, after you enter the recovery password, the device cannot start.
> [!IMPORTANT]
> Tablet devices do not support the **manage-bde -forcerecovery** command.
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
@ -103,7 +103,7 @@ To resolve the restart loop, follow these steps:
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You experience one or more of the following symptoms on the Surface device:
@ -115,14 +115,14 @@ You experience one or more of the following symptoms on the Surface device:
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure Boot is turned off.
- PCR values have been explicitly defined, such as by Group Policy.
- Secure boot is turned off.
- PCR values have been explicitly defined, such as by group policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
### Resolution
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
```console
manage-bde.exe -protectors -get <OSDriveLetter>:
@ -170,7 +170,7 @@ To do this, follow these steps:
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
@ -193,9 +193,9 @@ To recover data from your Surface device if you cannot start Windows, follow ste
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
To enable secure boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
@ -212,6 +212,7 @@ To enable Secure Boot on a Surface device, follow these steps:
1. Open an elevated PowerShell window, and run the following cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
@ -252,7 +253,6 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
@ -263,7 +263,7 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
@ -341,5 +341,5 @@ For more information about this technology, see [Windows Defender System Guard:
To resolve this issue, do one of the following:
- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.

4
windows/security/information-protection/index.md
View File

@ -2,13 +2,9 @@
title: Information protection (Windows 10)
description: Learn more about how to protect sensitive data across your organization.
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/10/2018

4
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -2,13 +2,9 @@
title: Kernel DMA Protection (Windows)
description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
- highpri

116
windows/security/information-protection/secure-the-windows-10-boot-process.md
View File

@ -1,137 +1,131 @@
---
title: Secure the Windows boot process
description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications
keywords: trusted boot, windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
ms.prod: m365-security
ms.mktglfcycl: Explore
ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
ms.topic: conceptual
ms.date: 11/24/2021
ms.date: 05/12/2022
ms.author: dansimp
---
# Secure the Windows boot process
**Applies to:**
- Windows 11
- Windows 10
- Windows 8.1
*Applies to:*
- Windows 11
- Windows 10
- Windows 8.1
The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if its recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malwareand bootkits specificallyare capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
Those components are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting before Windows, completely bypassing OS security, and remaining hidden.
When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it cant remain hidden; Trusted Boot can prove the systems integrity to your infrastructure in a way that malware cant disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
First, lets examine what rootkits are and how they work. Then, well show you how Windows can protect you.
When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can't remain hidden; Trusted Boot can prove the system's integrity to your infrastructure in a way that malware can't disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
First, let's examine what rootkits are and how they work. Then, we'll show you how Windows can protect you.
## The threat: rootkits
*Rootkits* are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
*Rootkits* are a sophisticated and dangerous type of malware. They run in kernel mode, using the same privileges as the OS. Because rootkits have the same rights as the OS and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
Different types of rootkits load during different phases of the startup process:
- **Firmware rootkits.** These kits overwrite the firmware of the PCs basic input/output system or other hardware so the rootkit can start before Windows.
- **Bootkits.** These kits replace the operating systems bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
- **Kernel rootkits.** These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
- **Firmware rootkits.** These kits overwrite the firmware of the PC's basic input/output system or other hardware so the rootkit can start before Windows.
- **Bootkits.** These kits replace the OS's bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
- **Kernel rootkits.** These kits replace a portion of the OS kernel so the rootkit can start automatically when the OS loads.
- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
## The countermeasures
Windows supports four features to help prevent rootkits and bootkits from loading during the startup process:
- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders.
- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
- **Measured Boot.** The PCs firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PCs health.
Figure 1 shows the Windows startup process.
- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders.
- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
- **Measured Boot.** The PC's firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC's health.
Figure 1 shows the Windows startup process.
![Windows startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
![Windows startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
## Secure Boot
When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PCs hard drive. Theres no way for the PC to tell whether its a trusted operating system or a rootkit.
When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloaders digital signature to verify that it hasnt been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
When a PC starts, it first finds the OS bootloader. PCs without Secure Boot run whatever bootloader is on the PC's hard drive. There's no way for the PC to tell whether it's a trusted OS or a rootkit.
- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows, the Microsoft® certificate is trusted.
- **The user has manually approved the bootloaders digital signature.** This allows the user to load non-Microsoft operating systems.
When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
- **The bootloader was signed using a trusted certificate.** For PCs certified for Windows, the Microsoft certificate is trusted.
- **The user has manually approved the bootloader's digital signature.** This action allows the user to load non-Microsoft operating systems.
All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:
- They must have Secure Boot enabled by default.
- They must trust Microsofts certificate (and thus any bootloader Microsoft has signed).
- They must allow the user to configure Secure Boot to trust other bootloaders.
- They must allow the user to completely disable Secure Boot.
- They must have Secure Boot enabled by default.
- They must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).
- They must allow the user to configure Secure Boot to trust other bootloaders.
- They must allow the user to completely disable Secure Boot.
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
These requirements help protect you from rootkits while allowing you to run any OS you want. You have three options for running non-Microsoft operating systems:
- **Use an operating system with a certified bootloader.** Because all Certified For Windows PCs must trust Microsofts certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <https://partner.microsoft.com/dashboard>.
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
- **Turn off Secure Boot.** All Certified For Windows PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
- **Use an OS with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft's certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <https://partner.microsoft.com/dashboard>.
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any OS, including homemade operating systems.
- **Turn off Secure Boot.** All *Certified For Windows* PCs allow you to turn off Secure Boot so that you can run any software. This action doesn't help protect you from bootkits, however.
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.
Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
## Early Launch Anti-Malware
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps dont start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasnt started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If its not trusted, Windows wont load it.
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
An ELAM driver isnt a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps.
Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.
An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps.
## Measured Boot
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesnt work with rootkits that hide their presence. In other words, you cant trust the client to tell you whether its healthy.
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn't work with rootkits that hide their presence. In other words, you can't trust the client to tell you whether it's healthy.
As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network.
Working with the TPM and non-Microsoft software, Measured Boot in Windows allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
Measured Boot works with the TPM and non-Microsoft software in Windows. It allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
1. The PCs UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
4. The client sends the log to the server, possibly with other security information.
Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.
Figure 2 illustrates the Measured Boot and remote attestation process.
Depending on the implementation and configuration, the server can now determine whether the client is healthy. It can grant the client access to either a limited quarantine network or to the full network.
Figure 2 illustrates the Measured Boot and remote attestation process.
![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
*Figure 2. Measured Boot proves the PC's health to a remote server*
**Figure 2. Measured Boot proves the PCs health to a remote server**
Windows includes the application programming interfaces to support Measured Boot, but youll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the trustworthiness of a client PC across the network.
## Summary
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; its leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system.
## Additional resources
- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise)
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. With Windows, you can trust the integrity of your OS.

4
windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
View File

@ -50,7 +50,7 @@ This table includes all available attributes/elements for the **Log** element. T
|Attribute/Element |Value type |Description |
|----------|-----------|------------|
|ProviderType |String |This is always **EDPAudit**. |
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** WIP protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:<ul><li>**CopyPaste.** Work data was pasted into a personal location or app.</li><li>**ProtectionRemoved.** Work data was changed to be unprotected.</li><li>**DragDrop.** Work data was dropped into a personal location or app.</li><li>**Share.** Work data was shared with a personal location or app.</li><li>**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).</li></ul> |
|Justification |String |Not implemented. This will always be either blank or NULL.<br><br>**Note**<br>Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
@ -160,7 +160,7 @@ Here are a few examples of responses from the Reporting CSP.
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.
**To view the WIP events in the Event Viewer**

6
windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
View File

@ -65,12 +65,12 @@ The **Configure Windows Information Protection settings** page appears, where yo
## Add app rules to your policy
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
@ -278,7 +278,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The file is imported and the apps are added to your **App Rules** list.
### Exempt apps from WIP restrictions
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**

8
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -37,7 +37,7 @@ Apps can be enlightened or unenlightened:
- Windows **Save As** experiences only allow you to save your files as enterprise.
- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@ -75,10 +75,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft To Do
> [!NOTE]
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
- Skype for Business
@ -102,7 +102,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |

34
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -22,7 +22,7 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
This following list provides info about the most common problems you might encounter while running WIP in your organization.
This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- **How it appears**:
@ -33,12 +33,12 @@ This following list provides info about the most common problems you might encou
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
- **Limitation**: Direct Access is incompatible with WIP.
- **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.
- **Limitation**: Direct Access is incompatible with Windows Information Protection.
- **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
> [!NOTE]
> VPN is optional and isnt required by WIP.
> VPN is optional and isnt required by Windows Information Protection.
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
@ -48,7 +48,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- **Workaround**: We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
- **Limitation**: WIP is designed for use by a single user per device.
- **Limitation**: Windows Information Protection is designed for use by a single user per device.
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.
- **Workaround**: We recommend only having one user per managed device.
@ -67,14 +67,14 @@ This following list provides info about the most common problems you might encou
- **Limitation**: Changing your primary Corporate Identity isnt supported.
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
- **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
> [!NOTE]
> For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
> For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- **How it appears**:
@ -83,23 +83,23 @@ This following list provides info about the most common problems you might encou
- Local **Work** data copied to the WIP-managed device remains **Work** data.
- **Work** data that is copied between two apps in the same session remains ** data.
- **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
- **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
- **Limitation**: ActiveX controls should be used with caution.
- **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.
- **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using Windows Information Protection.
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
- **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
- **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
- **Workaround**: Format drive for NTFS, or use a different drive.
- **Limitation**: WIP isnt turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- **Limitation**: Windows Information Protection isnt turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- AppDataRoaming
- Desktop
- StartMenu
@ -116,10 +116,10 @@ This following list provides info about the most common problems you might encou
<br/>
- **How it appears**: WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
- **How it appears**: Windows Information Protection isnt turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager.
- **Workaround**: Dont set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
@ -134,7 +134,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
@ -150,6 +150,6 @@ This following list provides info about the most common problems you might encou
> [!NOTE]
>
> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
>
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

6
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
ms.date: 05/25/2022
ms.reviewer:
---
@ -26,8 +26,8 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|

40
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -31,14 +31,14 @@ With the increase of employee-owned devices in the enterprise, theres also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
>[!IMPORTANT]
>While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
## Video: Protect enterprise data from being accidentally copied to the wrong place
> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
## Prerequisites
Youll need this software to run WIP in your enterprise:
Youll need this software to run Windows Information Protection in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
@ -70,7 +70,7 @@ After the type of protection is set, the creating app encrypts the document so t
Finally, theres the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
## Benefits of WIP
WIP provides:
Windows Information Protection provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
@ -79,12 +79,12 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
## Why use WIP?
WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
@ -99,21 +99,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
- **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
- **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your protected apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your protected apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
Windows Information Protection helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
@ -124,7 +124,7 @@ WIP helps address your everyday challenges in the enterprise. Including:
- Helping control the network and data access and data sharing for apps that arent enterprise aware
### Enterprise scenarios
WIP currently addresses these enterprise scenarios:
Windows Information Protection currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
@ -134,21 +134,21 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
### <a href="" id="bkmk-modes"></a>WIP-protection modes
Enterprise data is automatically encrypted after its loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Enterprise data is automatically encrypted after its loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.
Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
You can set your WIP policy to use 1 of 4 protection and management modes:
You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on. |
|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn Windows Information Protection back on. |
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isnt recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info wont be automatically reapplied.

2
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -25,7 +25,7 @@ ms.reviewer:
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources

4
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -29,7 +29,7 @@ Use Task Manager to check the context of your apps while running in Windows Info
## Viewing the Enterprise Context column in Task Manager
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
1. Make sure that you have an active WIP policy deployed and turned on in your organization.
1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
@ -50,7 +50,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components).
> [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.

6
windows/security/information-protection/windows-information-protection/wip-learning.md
View File

@ -1,18 +1,12 @@
---
title: Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
ms.prod: m365-security
ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
manager: dougeby
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019