mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
Metadata/style update BitLocker 3
This commit is contained in:
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: BitLocker Countermeasures (Windows 10)
|
||||
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
|
||||
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
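Review bot: the description change from "Early Launch Antimalware (ELAM)" to "Early Launch Anti-malware (ELAM)" moves away from the feature's own name, which Microsoft spells without a hyphen, and the acronym on the same line expands to the unhyphenated form; revert to `description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.` The unchanged `title: BitLocker Countermeasures (Windows 10)` also still scopes the article to Windows 10, while the applies-to line added in the next hunk lists Windows 11 and Windows Server 2016 and above; either drop the parenthetical or match it to the new scope.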
@ -16,22 +16,16 @@ ms.custom: bitlocker
|
||||
|
||||
# BitLocker Countermeasures
|
||||
|
||||
**Applies to**
|
||||
(*Applies to: Windows 10, Windows 11, Windows Server 2016 and above*)
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks.
|
||||
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
|
||||
Data on a lost or stolen computer is vulnerable.
|
||||
For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
|
||||
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
|
||||
|
||||
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
|
||||
|
||||
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
|
||||
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
|
||||
|
||||
|
||||
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
|
||||
|
||||
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
|
||||
|
||||
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
|
||||
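Review bot: the new scope line `(*Applies to: Windows 10, Windows 11, Windows Server 2016 and above*)` disagrees with the unchanged sentence further down, "The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8." Either Windows 8.1 and Windows 8 are in scope and belong in the applies-to line, or that sentence should be trimmed, otherwise readers can't tell whether the PCR[7] binding and Kernel DMA Protection described later are being claimed for Windows 8. Separately, joining the intro paragraph onto one line is fine for rendering, but the frontmatter description still lists "Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM)" while this intro names "trusted platform module (TPM), secure boot, and measured boot"; aligning the two lists would keep the search snippet consistent with the body.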
@ -42,24 +36,19 @@ Before Windows starts, you must rely on security features implemented as part of
|
||||
|
||||
### Trusted Platform Module
|
||||
|
||||
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
|
||||
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
|
||||
BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline.
|
||||
For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
|
||||
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
|
||||
|
||||
### UEFI and secure boot
|
||||
|
||||
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
|
||||
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
|
||||
|
||||
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md).
|
||||
Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
||||
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
|
||||
|
||||
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.
|
||||
An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
|
||||
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
|
||||
|
||||
### BitLocker and reset attacks
|
||||
|
||||
To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
|
||||
To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
|
||||
|
||||
>[!NOTE]
|
||||
>This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
|
||||
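Review bot: the rewritten sentence "To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory." keeps the acronym before its expansion, whereas the rest of this hunk uses "name (ACRONYM)" order, for example "trusted platform module (TPM)"; reword to "also known as the Memory Overwrite Request (MOR) bit". The contraction pass applied elsewhere in this commit also skipped the note right after it: `>This does not protect against physical attacks where an attacker opens the case and attacks the hardware.` should read "doesn't", and a space after `>` would match the `> [!NOTE]` blocks used later in the same article.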
@ -70,89 +59,82 @@ The next sections cover pre-boot authentication and DMA policies that can provid
|
||||
|
||||
### Pre-boot authentication
|
||||
|
||||
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible.
|
||||
The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
|
||||
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
|
||||
|
||||
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed.
|
||||
If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
|
||||
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
|
||||
|
||||
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key.
|
||||
This helps mitigate DMA and memory remanence attacks.
|
||||
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks.
|
||||
|
||||
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
|
||||
|
||||
- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
|
||||
|
||||
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
|
||||
|
||||
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
|
||||
|
||||
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
|
||||
|
||||
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
|
||||
|
||||

|
||||
|
||||
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
|
||||
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
|
||||
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
|
||||
|
||||
On the other hand, Pre-boot authentication-prompts can be inconvenient to users.
|
||||
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key.
|
||||
Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
||||
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
|
||||
|
||||
To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md).
|
||||
Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention.
|
||||
It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
|
||||
To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md). Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
|
||||
|
||||
### Protecting Thunderbolt and other DMA ports
|
||||
|
||||
There are a few different options to protect DMA ports, such as Thunderbolt™3.
|
||||
Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
|
||||
This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS.
|
||||
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS.
|
||||
|
||||
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
|
||||
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
|
||||
|
||||

|
||||
|
||||
If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports:
|
||||
If kernel DMA protection isn't* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
|
||||
|
||||
1. Require a password for BIOS changes
|
||||
|
||||
1. Require a password for BIOS changes
|
||||
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
|
||||
|
||||
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
|
||||
|
||||
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
|
||||
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
|
||||
|
||||
- Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
|
||||
|
||||
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the "Thunderbolt Mitigation" section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||
For SBP-2 and 1394 (a.k.a. Firewire), refer to the "SBP-2 Mitigation" section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||
|
||||
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||
|
||||
## Attack countermeasures
|
||||
|
||||
This section covers countermeasures for specific types of attacks.
|
||||
|
||||
### Bootkits and rootkits
|
||||
|
||||
A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
|
||||
The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
|
||||
A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
|
||||
|
||||
This is the default configuration.
|
||||
> [!NOTE]
|
||||
> BitLocker protects against this attack by default.
|
||||
|
||||
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
|
||||
Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks.
|
||||
Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
|
||||
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
|
||||
|
||||
### Brute force attacks against a PIN
|
||||
Require TPM + PIN for anti-hammering protection.
|
||||
|
||||
Require TPM + PIN for anti-hammering protection.
|
||||
|
||||
### DMA attacks
|
||||
|
||||
See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article.
|
||||
|
||||
### Paging file, crash dump, and Hyberfil.sys attacks
|
||||
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives.
|
||||
It also blocks automatic or manual attempts to move the paging file.
|
||||
|
||||
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
|
||||
|
||||
### Memory remanence
|
||||
|
||||
Enable secure boot and mandatorily prompt a password to change BIOS settings.
|
||||
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
|
||||
Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
|
||||
|
||||
## Attacker countermeasures
|
||||
|
||||
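Review bot: the rewritten line `If kernel DMA protection isn't* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:` leaves a stray asterisk after "isn't": the original had `*not*` for emphasis and only the opening marker was removed, so the rendered page shows a literal `*` or opens an unbalanced italic run. Use either "isn't enabled" or keep "is *not* enabled". Two smaller points in the same hunk: "It also blocks automatic or manual attempts to move the paging file." has no clear antecedent for "It" once the paragraph is a single line (BitLocker does the blocking, not the files, so "BitLocker also blocks..." is clearer), and "Thunderbolt™3" in the first DMA sentence should get the same space as "Thunderbolt™ 3" on the lines that follow it.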
@ -160,12 +142,12 @@ The following sections cover mitigations for different types of attackers.
|
||||
|
||||
### Attacker without much skill or with limited physical access
|
||||
|
||||
Physical access may be limited by a form factor that doesn't expose buses and memory.
|
||||
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
|
||||
Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
|
||||
|
||||
This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
|
||||
This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
|
||||
|
||||
Mitigation:
|
||||
|
||||
Mitigation:
|
||||
- Pre-boot authentication set to TPM only (the default)
|
||||
|
||||
### Attacker with skill and lengthy physical access
|
||||
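Review bot: moving `Mitigation:` down so the list starts on the very next line (`Mitigation:` followed directly by `- Pre-boot authentication set to TPM only (the default)`) drops the blank line before the list, while the next section keeps "Mitigation:" separated from its list by a blank line; some Markdown renderers attach an unseparated list to the preceding paragraph, so restore the blank line for consistent rendering across the two attacker sections. Also, "This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software." appears twice with identical text, which suggests a whitespace-only change; if so, that part of the hunk can be dropped to keep the diff focused.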
@ -173,27 +155,32 @@ Mitigation:
|
||||
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
|
||||
|
||||
Mitigation:
|
||||
|
||||
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
|
||||
|
||||
-And-
|
||||
|
||||
- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy:
|
||||
- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy:
|
||||
|
||||
- Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu
|
||||
- Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)
|
||||
- Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery)
|
||||
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu**
|
||||
|
||||
These settings are **Not configured** by default.
|
||||
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)**
|
||||
|
||||
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)**
|
||||
|
||||
> [!IMPORTANT]
|
||||
> These settings are **not configured** by default.
|
||||
|
||||
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is:
|
||||
|
||||
Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup
|
||||
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
|
||||
|
||||
This setting is **Not configured** by default.
|
||||
> [!IMPORTANT]
|
||||
> This setting is **not configured** by default.
|
||||
|
||||
For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
|
||||
|
||||
## See also
|
||||
## Related articles
|
||||
|
||||
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
|
||||
- [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md)
|
||||
|
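Review bot: the two rewritten sleep-settings paths drop the `System` node that the original lines had: `- *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)**` replaces `Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)`. Power Management sits under System in the Group Policy editor, so an admin following the new path will not find the setting; reinsert `*System*` in both the plugged-in and on-battery lines. The enhanced-PIN path gains a `*Policies*` segment the original lacked; that node exists in GPMC but not in the local editor, so present it the same way as the other paths in the article. The unchanged `-And-` line between the two mitigations reads oddly as a list separator and could be folded into the end of the preceding bullet.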
@ -19,8 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker frequently asked questions (FAQ)
|
||||
summary: |
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
(*Applies to: Windows 10, Windows 11*)
|
||||
|
||||
|
||||
sections:
|
||||
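Review bot: the summary changes from a Windows 10-only "Applies to" list to `(*Applies to: Windows 10, Windows 11*)`, which widens the FAQ's stated scope rather than only restyling it; since the commit message calls this a metadata/style update, confirm the answers below (for example the hard-disk swap and disk configuration answers) have been checked against Windows 11 before the scope line claims it, or keep the scope unchanged and raise the Windows 11 addition separately. The hunk also removes one more line than it adds (`-19,8 +19,7`), so verify that the blank line ending the `summary: |` block scalar still separates it from `sections:`.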
@ -38,20 +37,20 @@ sections:
|
||||
|
||||
- question: How long will initial encryption take when BitLocker is turned on?
|
||||
answer: |
|
||||
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
|
||||
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you're encrypting large drives, you may want to set encryption to occur during times when you won't be using the drive.
|
||||
|
||||
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
|
||||
|
||||
- question: What happens if the computer is turned off during encryption or decryption?
|
||||
answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
|
||||
answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
|
||||
|
||||
- question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
|
||||
answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
|
||||
answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
|
||||
|
||||
- question: How can I prevent users on a network from storing data on an unencrypted drive?
|
||||
answer: |
|
||||
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
|
||||
|
||||
- question: What is Used Disk Space Only encryption?
|
||||
answer: |
|
||||
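Review bot: the rewrite of the power-loss answer, "BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.", replaces "This is true" with a noun phrase that doesn't parse naturally; prefer "The process resumes even if power is lost suddenly." While in this answer block, the unchanged line above it still says "encrypting just the used spaced can be considerably faster" ("used space"), which is worth fixing in the same pass. The contraction edits themselves (isn't, they're, aren't, won't) are consistent with the rest of the commit.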
@ -77,19 +76,19 @@ sections:
|
||||
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
|
||||
|
||||
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
|
||||
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
|
||||
The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
|
||||
|
||||
- question: What can prevent BitLocker from binding to PCR 7?
|
||||
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
|
||||
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
|
||||
|
||||
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
|
||||
answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
|
||||
|
||||
- question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
|
||||
answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
|
||||
answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you'll have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
|
||||
|
||||
- question: Why is "Turn BitLocker on" not available when I right-click a drive?
|
||||
answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
|
||||
- question: Why is **Turn BitLocker on** not available when I right-click a drive?
|
||||
answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
|
||||
|
||||
- question: What type of disk configurations are supported by BitLocker?
|
||||
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
|
||||
|
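Review bot: the answer to "Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?" is both incomplete and repetitive. The question asks about any BitLocker-protected drive but the answer covers data drives only, and since the preceding answer states that "The BitLocker keys are unique to the TPM and operating system drive", it should add that an operating system drive moved to another computer can't be unlocked by its TPM protector and will prompt for its recovery key. The last two sentences also say the same thing twice ("you'll have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key."); collapse them to "If the data drive was configured for automatic unlock only, unlock it with the recovery key or, if one was configured, with a data recovery agent." Minor, on the unchanged last answer: "On some versions ATA and SATA-based, direct-attached storage devices are also supported" needs a comma after "versions" and should name which versions, since "some versions" is not actionable.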
@ -14,11 +14,7 @@ ms.custom: bitlocker
|
||||
|
||||
# BitLocker deployment comparison
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
(*Applies to: Windows 10, Windows 11, Windows Server 2016 and above*)
|
||||
|
||||
This article depicts the BitLocker deployment comparison chart.
|
||||
|
||||
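Review bot: the lead-in sentence left unchanged under the new Applies-to line, "This article depicts the BitLocker deployment comparison chart", reads oddly ("depicts" a "chart" for a table) and does not say what is being compared. Since the table below compares Microsoft Intune, Microsoft Configuration Manager, and MBAM, "This article compares the BitLocker management capabilities of Microsoft Intune, Microsoft Configuration Manager, and Microsoft BitLocker Administration and Monitoring (MBAM)." tells the reader what to expect. The collapsed "(*Applies to: ...*)" line matches the same change made to the other articles in this commit, so no issue there.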
@ -26,37 +22,37 @@ This article depicts the BitLocker deployment comparison chart.
|
||||
|
||||
| Requirements |Microsoft Intune |Microsoft Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|
||||
|---------|---------|---------|---------|
|
||||
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|
||||
|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|
||||
|Minimum Windows version |1909 | None | None |
|
||||
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
|
||||
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|
||||
|Cloud or on premises | Cloud | On premises | On premises |
|
||||
|*Minimum client operating system version* |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|
||||
|*Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|
||||
|*Minimum Windows version* |1909 | None | None |
|
||||
|*Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
|
||||
|*Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|
||||
|*Cloud or on premises* | Cloud | On premises | On premises |
|
||||
|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client |
|
||||
|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|
||||
|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|
||||
|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|
||||
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|
||||
|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|
||||
|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
|
||||
|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
|
||||
|*Administrative plane* | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|
||||
|*Administrative portal installation required* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Compliance reporting capabilities* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Force encryption* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Encryption for storage cards (mobile)* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|
||||
|*Allow recovery password* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Manage startup authentication* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Select cipher strength and algorithms for fixed drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Select cipher strength and algorithms for removable drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Select cipher strength and algorithms for operating environment drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|
||||
|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|
||||
|*Customize preboot message and recovery link* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Allow/deny key file creation* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Deny Write permission to unprotected drives* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|
||||
|*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
|
||||
|*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Unlock a volume using certificate with custom object identifier* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Prevent memory overwrite on restart* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|*Manage auto-unlock functionality* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|
||||
|
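Review bot: the italicizing of the first-column labels misses one row: "Server components required?" stays plain while every other label in the table becomes *...*, so the rendered table will have a single unitalicized label in the middle. Either italicize that row as well or, simpler, drop the italics from all the labels; the first column already reads as a row header and the italics add nothing. While every row is being touched, the table also has three ways of saying "supported": the yes icon, literal "Yes (...)" text, and an empty cell for "not supported" (for example the Intune column of "Administrative portal installation required" and "Support for organization unique IDs", and the MBAM column of "Can be administered outside company network"). An empty cell is ambiguous between "no" and "not assessed"; put an explicit "No" or a no icon in those cells so a reader comparing products can tell the difference.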
@ -16,18 +16,17 @@ ms.custom: bitlocker
|
||||
|
||||
# Overview of BitLocker Device Encryption in Windows
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and later
|
||||
(*Applies to: Windows 10, Windows 11, Windows Server 2016 and above*)
|
||||
|
||||
This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
|
||||
This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
|
||||
|
||||
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
|
||||
|
||||
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
|
||||
## Data Protection in Windows 11, Windows 10, and Windows 7
|
||||
|
||||
**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
|
||||
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
|
||||
|
||||
- **Table 2**
|
||||
|
||||
| Windows 7 | Windows 11 and Windows 10 |
|
||||
|---|---|
|
||||
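Review bot: the replacement caption "- **Table 2**" on its own line turns the caption into a one-item bullet list sitting directly above the table, which renders as a stray list item, and it loses the descriptive title the old line carried ("**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**"). Either keep that bold caption line, or drop the number entirely and let the new "## Data Protection in Windows 11, Windows 10, and Windows 7" heading and the lead-in sentence introduce the table. Minor: "The below table lists ..." should be "The following table lists ...", and the new heading uses title case while the other headings in this change ("## Prepare for drive and file encryption", "## Used Disk Space Only encryption") use sentence case.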
@ -37,7 +36,7 @@ Table 2 lists specific data-protection concerns and how they're addressed in Win
|
||||
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
|
||||
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
|
||||
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
|
||||
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
|
||||
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
|
||||
|
||||
## Prepare for drive and file encryption
|
||||
|
||||
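Review bot: the context row "BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password" overstates the case and contradicts the FAQ hunk earlier in this change, which says recovery is the path when "the TPM fails boot component validation, malfunctions, or is removed" and when BitLocker can't bind to PCR 7 (for example because Secure Boot was disabled). Drop the "only" or list the boot-validation case as well, e.g. "BitLocker requires the user to enter a recovery key when disk corruption occurs, when the PIN or password is lost, or when the TPM can't validate the boot configuration." The row this hunk actually changes ("Users need to enter a PIN to start the PC...") differs only in whitespace, so nothing else to fix here.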
@ -46,12 +45,12 @@ Whether you're planning to encrypt entire volumes, removable devices, or individ
|
||||
|
||||
### TPM pre-provisioning
|
||||
|
||||
In Windows 7, preparing the TPM for use offered a couple of challenges:
|
||||
In Windows 7, preparing the TPM offered a few challenges:
|
||||
|
||||
* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows.
|
||||
* When you enable the TPM, it may require one or more restarts.
|
||||
- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows.
|
||||
- When you enable the TPM, it may require one or more restarts.
|
||||
|
||||
Basically, it was a hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users' hands, those users would have struggled with the technical challenges and would either call IT for support or leave BitLocker disabled.
|
||||
This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled.
|
||||
|
||||
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
|
||||
|
||||
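Review bot: the rewritten first bullet says the same thing twice, with a tense change between the two sentences ("Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device..."). Collapse it to one past-tense sentence, matching the second bullet and the lead-in "In Windows 7, preparing the TPM offered a few challenges": "Turning on the TPM required someone to either go into the BIOS or UEFI firmware settings of the device, or to install a driver to turn it on from within Windows." In the following rewritten paragraph, "If IT staff are provisioning new PCs, they can handle the required steps" should stay in the past tense like the sentences around it ("were provisioning", "could handle"), and "call to IT for support" should be "call IT for support".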
@ -61,65 +60,83 @@ BitLocker is capable of encrypting entire hard drives, including both system and
|
||||
|
||||
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
|
||||
|
||||
## BitLocker device encryption
|
||||
## BitLocker Device Encryption
|
||||
|
||||
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
|
||||
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
|
||||
|
||||
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption.
|
||||
Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
|
||||
|
||||
Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
|
||||
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
|
||||
|
||||
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
|
||||
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
|
||||
* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
|
||||
* Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
|
||||
- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
|
||||
|
||||
- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
|
||||
|
||||
- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the following Group Policy settings:
|
||||
|
||||
*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
|
||||
|
||||
With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
|
||||
|
||||
- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
|
||||
|
||||
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
|
||||
- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker
|
||||
- **Value**: PreventDeviceEncryption equal to True (1)
|
||||
- **Type**: REG\_DWORD
|
||||
|
||||
Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
|
||||
- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
|
||||
- **Type**: `REG_DWORD`
|
||||
- **Value**: `PreventDeviceEncryption` equal to `1` (True)
|
||||
|
||||
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
|
||||
|
||||
> [!NOTE]
|
||||
> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
|
||||
|
||||
## Used Disk Space Only encryption
|
||||
|
||||
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
|
||||
BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including parts that didn't have data. Encrypting every byte on the volume including parts that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
## Encrypted hard drive support
SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files.
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second "something you know"). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
* A server running at least Windows Server 2012 with the Windows deployment services role
* A server with the DHCP server role installed
- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
- A server with the DHCP server role installed
For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
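Review bot: the rewritten Network Unlock paragraph drops the hyphen in "location-specific" (twice, as "location specific data security requirements"); the removed line had it right, and as a compound modifier in front of a noun it should stay hyphenated. Two smaller points in the same hunk: the rewritten Used Disk Space Only paragraph repeats its own phrases ("including parts that didn't have data" and "moved or deleted" each appear twice in consecutive sentences), so the split into short sentences reads as padding rather than clarification; consider "Encrypting every byte on the volume, including unused space, is known as full disk encryption. It's still the most secure way to encrypt a drive, especially if the drive previously held confidential data that has since been moved or deleted, because traces of that data can remain in sectors marked as unused." And the unchanged closing line "how to configure Network unlock feature" should read "how to configure the Network Unlock feature" to match the capitalization of the heading and of "Network Unlock" in the body. The comma fix in "If you plan to use whole-drive encryption" and the "(WDS)" expansion in the requirements list are both good.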
@ -127,21 +144,31 @@ For more information about how to configure Network unlock feature, see [BitLock
Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
* Provides centralized reporting and hardware management with Microsoft Configuration Manager.
* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
* Enables security officers to easily audit access to recovery key information.
* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Configuration Manager.
* Offers an IT-customizable recovery user experience.
* Supports Windows 11 and Windows 10.
- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
- Provides centralized reporting and hardware management with Microsoft Configuration Manager.
- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
- Enables security officers to easily audit access to recovery key information.
- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
- Enforces the BitLocker encryption policy options that you set for your enterprise.
- Integrates with existing management tools, such as Microsoft Configuration Manager.
- Offers an IT-customizable recovery user experience.
- Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
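Review bot: the unchanged IMPORTANT note mixes tenses in a way that leaves the reader unsure whether MBAM is still supported ("could use MBAM ... until mainstream support ended in July 2019, or they could receive extended support until April 2026"); since this hunk is already retargeting the follow-up link, reword it to state the dates plainly, e.g. "Mainstream support for MBAM ended in July 2019; extended support continues until April 2026." Swapping the technical-preview-1909 link for the "Plan for BitLocker management" page is the right call, since preview release notes go stale. One minor point: the feature list still carries two near-duplicate items about Configuration Manager ("Provides centralized reporting and hardware management with Microsoft Configuration Manager" and "Integrates with existing management tools, such as Microsoft Configuration Manager"); if the list is being reformatted anyway, merging them would tighten it.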
@ -24,7 +24,7 @@ summary: |
**Applies to**
- Windows 10
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
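Review bot: the "Applies to" block in this hunk still lists only "Windows 10", while the text rewritten elsewhere in the same change consistently says "Windows 11 and Windows 10"; confirm whether Windows 11 belongs in this list before the page ships, since an FAQ whose applicability line disagrees with the articles it links to will confuse readers. The "topic" to "article" rename and the contractions ("they're", "it's") are consistent with the rest of the change.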
@ -170,7 +170,7 @@ To verify the BIOS mode, use the System Information application. To do this, fol
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device.
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
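Review bot: the capitalization fix to "BitLocker Device Encryption" matches the product name used elsewhere in this change, but the same line keeps "you cannot use Intune" while the rest of the change converts to contractions ("they're", "it's"); for consistency make it "you can't use Intune to manage BitLocker Device Encryption on the device". Nothing else in this hunk changes, so the surrounding step text ("The steps for doing this are specific to the device") can stay as is.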