From 340f0fbd35d121f9e92f0a9b34c8b388c3746d1f Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 16 Nov 2022 23:45:59 -0500 Subject: [PATCH] Metadata/style update BitLocker 18 --- .../bitlocker/bcd-settings-and-bitlocker.md | 2 +- .../bitlocker/bitlocker-and-adds-faq.yml | 2 +- .../bitlocker/bitlocker-basic-deployment.md | 42 +++++++++---------- .../bitlocker/bitlocker-countermeasures.md | 6 +-- .../bitlocker-deployment-comparison.md | 2 +- .../bitlocker-group-policy-settings.md | 42 +++++++++---------- ...tlocker-how-to-deploy-on-windows-server.md | 12 +++--- .../bitlocker-how-to-enable-network-unlock.md | 27 ++++++------ .../bitlocker-key-management-faq.yml | 4 +- .../bitlocker-management-for-enterprises.md | 10 ++--- .../bitlocker/bitlocker-overview.md | 2 +- .../bitlocker-recovery-guide-plan.md | 30 ++++++------- .../bitlocker-recovery-loop-break.md | 4 +- ...ve-encryption-tools-to-manage-bitlocker.md | 28 ++++++------- ...itlocker-using-with-other-programs-faq.yml | 2 +- ...nd-storage-area-networks-with-bitlocker.md | 18 ++++---- .../bitlocker/troubleshoot-bitlocker.md | 16 +++---- .../ts-bitlocker-cannot-encrypt-issues.md | 6 +-- .../ts-bitlocker-cannot-encrypt-tpm-issues.md | 10 ++--- .../bitlocker/ts-bitlocker-config-issues.md | 4 +- .../ts-bitlocker-decode-measured-boot-logs.md | 8 ++-- .../bitlocker/ts-bitlocker-intune-issues.md | 14 +++---- .../ts-bitlocker-network-unlock-issues.md | 4 +- .../bitlocker/ts-bitlocker-tpm-issues.md | 4 +- 24 files changed, 151 insertions(+), 148 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 38ebaa51c4..aaee4befef 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md 
@@ -60,7 +60,7 @@ When specifying BCD values in the **Use enhanced Boot Configuration Data validat For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value. -A setting that applies to all boot applications may be applied only to an individual application; however, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields. > [!NOTE] > Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index 7f6ba12c95..715efe3b61 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml 
@@ -49,7 +49,7 @@ sections: The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt: - ``` powershell + ```powershell $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 06fc8d4e25..5b78af4a41 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -210,7 +210,7 @@ This command returns the volumes on the target, current encryption status, and v Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption: -``` powershell +```powershell manage-bde.exe -protectors -add C: -startupkey E: manage-bde.exe -on C: ``` 
@@ -221,13 +221,13 @@ If prompted, reboot the computer to complete the encryption process. It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command: -``` syntax +```cmd manage-bde.exe -on C: ``` This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command: -``` syntax +```cmd manage-bde.exe -protectors -get ``` @@ -235,7 +235,7 @@ manage-bde.exe -protectors -get Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command: -``` syntax +```cmd manage-bde.exe -protectors -add C: -pw -sid ``` @@ -245,7 +245,7 @@ This command requires the user to enter and then confirm the password protectors Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: -``` syntax +```cmd manage-bde.exe -on ``` @@ -255,7 +255,7 @@ or users can choose to add protectors to the volume. It is recommended to add at A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker. -``` powershell +```powershell manage-bde.exe -protectors -add -pw C: manage-bde.exe -on C: ``` 
@@ -288,21 +288,21 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** > [!NOTE] > In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. -``` powershell +```powershell Get-BitLockerVolume C: | fl ``` If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed. A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below: -``` powershell +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command: -``` powershell +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` @@ -315,13 +315,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the `m To enable BitLocker with just the TPM protector, use this command: -``` powershell +```powershell Enable-BitLocker C: ``` The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` powershell +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` 
@@ -329,7 +329,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. -``` powershell +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -344,13 +344,13 @@ The **ADAccountOrGroup** protector is an Active Directory SID-based protector. T To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G. -``` powershell +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -``` powershell +```powershell Get-ADUser -filter {samaccountname -eq "administrator"} ``` @@ -362,7 +362,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"} In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: -``` powershell +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` 
@@ -397,7 +397,7 @@ Administrators who prefer a command-line interface can utilize `manage-bde.exe` To check the status of a volume using `manage-bde.exe`, use the following command: -``` powershell +```powershell manage-bde.exe -status ``` @@ -410,7 +410,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: -``` powershell +```powershell Get-BitLockerVolume -Verbose | fl ``` @@ -437,13 +437,13 @@ Once decryption is complete, the drive updates its status in the control panel a Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: -``` powershell +```powershell manage-bde.exe -off C: ``` This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: -``` powershell +```powershell manage-bde.exe -status C: ``` @@ -453,13 +453,13 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to `manag Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: -``` powershell +```powershell Disable-BitLocker ``` If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: -``` powershell +```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 33349719c3..cde4db1b1b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -33,7 +33,7 @@ BitLocker helps mitigate unauthorized data access on lost or stolen computers be The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8. -For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). +For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure). ## Protection before startup 
@@ -92,13 +92,13 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne ### Protecting Thunderbolt and other DMA ports -There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS. +There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled: ![Kernel DMA protection.](images/kernel-dma-protection.png) -If kernel DMA protection isn't* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: +If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: 1. Require a password for BIOS changes diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index b2ab76413a..9e7aba3ca0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -53,7 +53,7 @@ This article depicts the BitLocker deployment comparison chart. |*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | -|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | +|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | | |*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" 
alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index f31f5430d7..227070fc2c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -106,7 +106,7 @@ The following policies are used to support customized deployment scenarios in yo | |   | |:---|:---| |**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| |**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*| |**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.| @@ -147,7 +147,7 @@ For more information about Network Unlock feature, see [BitLocker: How to enable This policy setting is used to control which unlock options are available for operating system drives. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| 
@@ -173,28 +173,28 @@ There are four options for TPM-enabled computers or devices: - Configure TPM startup - Allow TPM - Require TPM - - Don't allow TPM + - Don not allow TPM - Configure TPM startup PIN - Allow startup PIN with TPM - Require startup PIN with TPM - - Don't allow startup PIN with TPM + - Don not allow startup PIN with TPM - Configure TPM startup key - Allow startup key with TPM - Require startup key with TPM - - Don't allow startup key with TPM + - Don not allow startup key with TPM - Configure TPM startup key and PIN - Allow TPM startup key with PIN - Require startup key and PIN with TPM - - Don't allow TPM startup key with PIN + - Don not allow TPM startup key with PIN ### Allow enhanced PINs for startup This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.| |**Introduced**|Windows Server 2008 R2 and Windows 7| 
@@ -237,7 +237,7 @@ The Dictionary Attack Prevention Parameters provide a way to balance security ne Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. -Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### Disable new DMA devices when this computer is locked 
@@ -246,7 +246,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p | |   | |:---|:---| |**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.| -|**Introduced**|Windows 10, version 1703, or Windows 11| +|**Introduced**|Windows 10, version 1703| |**Drive type**|Operating system drives| |**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| @@ -331,12 +331,12 @@ There are two options for TPM-enabled computers or devices: - Configure TPM startup PIN - Allow startup PIN with TPM - Require startup PIN with TPM - - Don't allow startup PIN with TPM + - Do not allow startup PIN with TPM - Configure TPM startup key - Allow startup key with TPM - Require startup key with TPM - - Don't allow startup key with TPM + - Do not allow startup key with TPM These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. @@ -495,7 +495,7 @@ The Windows touch keyboard (such as used by tablets) isn't available in the preb It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. -When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. +When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: 
@@ -554,7 +554,7 @@ This policy setting is used to require that removable drives are encrypted prior If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. > [!NOTE] -> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. +> You can override this policy setting with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. Conflict considerations include: @@ -603,7 +603,7 @@ This policy setting is used to control the encryption method and cipher strength |**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*| |**Conflicts**|None| |**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.| -|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. +|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. #### Reference: Choose drive encryption method and cipher strength 
@@ -626,7 +626,7 @@ When this policy setting is disabled or not configured, BitLocker will use the d This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| @@ -651,7 +651,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| @@ -678,7 +678,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.| |**Introduced**|Windows Server 2012 and Windows 8| 
@@ -840,7 +840,7 @@ For example, not allowing the 48-digit recovery password prevents users from pri This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.| |**Introduced**|Windows Server 2008 and Windows Vista| @@ -1040,7 +1040,7 @@ Multiple values separated by commas can be entered in the identification and all This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. -| |   | +| | | |:---|:---| |**Policy description**|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.| |**Introduced**|Windows Vista| @@ -1287,7 +1287,7 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. -| |   | +| | | |:---|:---| |**Policy description**|Notes| |**Introduced**|Windows Server 2003 with SP1| 
@@ -1313,7 +1313,7 @@ PCs default power settings for a computer will cause the computer to enter Sleep However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. -You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: +You can disable the following Group Policy settings, which are located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** to disable all available sleep states: - Allow Standby States (S1-S3) When Sleeping (Plugged In) - Allow Standby States (S1-S3) When Sleeping (Battery) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index c81d7ac7b4..6e918604ba 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md 
@@ -67,7 +67,7 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell. -``` powershell +```powershell Install-WindowsFeature BitLocker -WhatIf ``` @@ -75,7 +75,7 @@ The results of this command show that only the BitLocker Drive Encryption featur To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command: -``` powershell +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` @@ -91,7 +91,7 @@ The result of this command displays the following list of all the administration The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is: -``` powershell +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` @@ -102,7 +102,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. -``` powershell +```powershell Get-WindowsOptionalFeature -Online | ft ``` 
@@ -110,13 +110,13 @@ From this output, it can be seen that there are three BitLocker-related optional To install BitLocker using the `dism.exe` module, use the following command: -``` powershell +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: -``` powershell +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index c2a6a79c56..cf2d6e9b33 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md 
@@ -50,7 +50,7 @@ For Network Unlock to work reliably on computers, the first network adapter on t The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. -Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required; however, the WDS service must be running on the server. +Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server. The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. @@ -100,7 +100,7 @@ The BitLocker Network Unlock feature installs the WDS role if it isn't already i To install the role by using Windows PowerShell, use the following command: -``` powershell +```powershell Install-WindowsFeature WDS-Deployment ``` @@ -112,7 +112,7 @@ To confirm that the WDS service is running, use the Services Management Console To confirm that the service is running using Windows PowerShell, use the following command: -``` powershell +```powershell Get-Service WDSServer ``` @@ -122,7 +122,7 @@ To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature by using Windows PowerShell, use the following command: -``` powershell +```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` 
@@ -217,7 +217,7 @@ To create a self-signed certificate, either use the `New-SelfSignedCertificate` **Windows PowerShell:** -``` powershell +```powershell New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") ``` @@ -225,13 +225,13 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN= 1. Create a text file with an `.inf` extension, for example: - ``` syntax + ```cmd notepad.exe BitLocker-NetworkUnlock.inf ``` 2. Add the following contents to the previously created file: - ``` ini + ```ini [NewRequest] Subject="CN=BitLocker Network Unlock certificate" ProviderType=0 @@ -252,7 +252,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN= 3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name: - ``` syntax + ```cmd certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` 
@@ -327,7 +327,7 @@ The configuration file, called bde-network-unlock.ini, must be located in the sa The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names. -``` ini +```ini [SUBNETS] SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon SUBNET2=10.185.252.200/28 @@ -344,7 +344,7 @@ Subnet restrictions are defined within each certificate section by denoting the Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon. -``` ini +```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. ;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. 
@@ -387,7 +387,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer: - ``` powershell + ```powershell manage-bde.exe -protectors -get C: ``` @@ -418,6 +418,9 @@ Gather the following files to troubleshoot BitLocker Network Unlock. - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
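Review bot: In the rewritten line of the bitlocker-group-policy-settings.md hunk (@@ -1313), the sentence still reads "You can disable the following Group Policy settings ... to disable all available sleep states", using "disable" for two different things (setting the policies to Disabled, and turning off the sleep states). Since the line is already being touched for the path-separator change, suggest something like: `Disable the following Group Policy settings, located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management**, to turn off all available sleep states:`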
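Review bot: The context line of the @@ -102 hunk in bitlocker-how-to-deploy-on-windows-server.md names the cmdlet `Get-WindowsOptionalFeatures`, but the code block immediately below (and the real cmdlet) is `Get-WindowsOptionalFeature`, singular; as the fence on that block is being fixed anyway, the prose typo belongs in the same change. The same paragraph calls it "the `dism.exe` Windows PowerShell module"; the PowerShell module is named `Dism` (`dism.exe` is the separate command-line tool), so "the DISM PowerShell module" would be the accurate wording.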
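Review bot: In the @@ -110 hunk of bitlocker-how-to-deploy-on-windows-server.md, the context line writes Enable-WindowsOptionalFeature without backticks while the same file backticks `Enable-WindowsOptionalFeature` and `Install-WindowsFeature` elsewhere; worth normalizing in a style pass. The statement that the cmdlet "doesn't offer support for forcing a reboot" is correct, but readers scripting an unattended install would benefit from one sentence noting that `-NoRestart` suppresses the reboot prompt so the restart can be scheduled separately.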
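Review bot: The `New-SelfSignedCertificate` command in the @@ -217 hunk of bitlocker-how-to-enable-network-unlock.md is a single very long line; since this PR is normalizing that block to ```powershell, consider splitting it with backtick line continuation, one parameter per line, so the key usage (`KeyEncipherment`, `Decrypt,Sign`), the 2048-bit key length and the two OID extensions in `-TextExtension` are readable without horizontal scrolling.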
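Review bot: The @@ -344 hunk of bitlocker-how-to-enable-network-unlock.md has the context line "commenting it out with a prepended semi-colon", while the sample in the @@ -327 hunk of the same file says "after the semicolon"; pick one spelling (semicolon) for both in this style update.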
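Review bot: The @@ -387 hunk in bitlocker-how-to-enable-network-unlock.md says verification "can be done using either manage-bde or Windows PowerShell cmdlets", but the block now tagged ```powershell only shows `manage-bde.exe -protectors -get C:`; suggest adding the cmdlet form alongside it, for example `(Get-BitLockerVolume -MountPoint "C:").KeyProtector`, together with a sentence telling the reader which protector type in that output corresponds to the **Network (Certificate Based)** protector, so the fence tag matches the content and both advertised tools are actually shown.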
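Review bot: The final hunk (@@ -418,6 +418,9 @@) declares three added lines, but only its leading context line ("- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.") is present here, so that addition cannot be reviewed from this rendering; please confirm the three new lines are in the commit and what they add to the file list.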