diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index bb4fc5e7f4..6e304d3de1 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -7416,12 +7416,12 @@
 "redirect_document_id": false
 },
 {
- "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
- "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption",
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/policy-settings",
 "redirect_document_id": false
 },
 {
- "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md",
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/policy-settings",
 "redirect_document_id": false
 },
@@ -7435,6 +7435,11 @@
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/network-unlock",
@@ -7445,6 +7450,11 @@
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/plan",
@@ -7460,24 +7470,14 @@
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/csv-san",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md",
- "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/policy-settings",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/enable-server",
 "redirect_document_id": false
 },
 {
- "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md",
- "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
- "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md",
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
 "redirect_document_id": false
 }
 ]
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
index c263c846b7..cf84c40e8a 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
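Review bot: The new entry for bitlocker-device-encryption-overview-windows-10.md in this hunk now points straight at `/windows/security/operating-system-security/data-protection/bitlocker#device-encryption`, but the page it used to redirect to, bitlocker-device-encryption.md, gets no entry of its own in any of the redirection hunks here, even though configure.md and faq.yml in this same commit stop linking to it. If that file is removed (its deletion may sit outside this chunk), bookmarks and external links to it will break unless a redirect for `windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption.md` to the same `#device-encryption` target is added next to this one. It is also worth confirming that the redirection tooling preserves the `#device-encryption` fragment, since every other redirect_url in these hunks targets a page rather than an anchor; if it does not, the old overview URL will land at the top of the index page rather than on the Device Encryption section.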
@@ -44,8 +44,7 @@ To configure BitLocker, you can use: ## BitLocker management - -The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. This article links to relevant documentation, products, and services to help answer frequently asked questions, and also provides BitLocker recommendations for different types of computers. 
@@ -57,11 +56,11 @@ Companies that image their own computers using Configuration Manager can use an ## Manage Microsoft Entra joined devices -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption.md) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Intune can enable BitLocker for standard users. [Device Encryption](index.md#device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. 
The enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption.md) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. +For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [Device Encryption](index.md#device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. ## Manage Microsoft Entra registered devices 
@@ -69,7 +68,7 @@ For Windows devices that are enrolled using **Connect to work or school account* ## Manage servers -Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](operations-guide.md), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](operations-guide.md), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md index 114384f149..8b10a6d887 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md @@ -124,8 +124,8 @@ Mitigation: - **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Show hibernate in the power options menu** - **Computer Configuration** > **Policies** > **Administrative Templates** > **Power Management** > **Sleep Settings** > - - **Allow standby states (S1-S3) when sleeping (plugged in)** - - **Allow standby states (S1-S3) when sleeping (on battery)** + - **Allow standby states (S1-S3) when sleeping (plugged in)** + - **Allow standby states (S1-S3) when sleeping (on battery)** > [!IMPORTANT] > These settings are **not configured** by default. @@ -136,4 +136,10 @@ For secure administrative workstations, it's recommended to: - use a TPM with PIN protector - disable standby power management -- shut down or hibernate the device before it leaves the control of an authorized user \ No newline at end of file +- shut down or hibernate the device before it leaves the control of an authorized user + +## Next steps + +> [!div class="nextstepaction"] +> Learn how to plan for a BitLocker deployment in your organization: +> [Plan for a BitLocker deployment >](plan.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/de.md b/windows/security/operating-system-security/data-protection/bitlocker/de.md deleted file mode 100644 index fb5e373d8a..0000000000 --- a/windows/security/operating-system-security/data-protection/bitlocker/de.md +++ /dev/null 
@@ -1,27 +0,0 @@ -## BitLocker Device Encryption - -Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. - -Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically: - -- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. - -- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials. - -- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). 
The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS: - - *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** - - With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. - -- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. - -Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: - -- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker` -- **Type**: `REG_DWORD` -- **Value**: `PreventDeviceEncryption` equal to `1` (True) - -> [!NOTE] -> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied. - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml index 65d30718ad..6590f2c779 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml @@ -118,7 +118,7 @@ sections: - question: What is *Used Disk Space Only* encryption? answer: | - BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption.md#used-disk-space-only-encryption). + BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](plan.md#used-disk-space-only-encryption). - question: What system changes would cause the integrity check on the OS drive to fail? answer: | diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index 3643d58c5a..03e0838920 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md @@ -46,7 +46,6 @@ BitLocker has the following requirements: - must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware - it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space - > [!IMPORTANT] > When installed on a new device, Windows automatically creates the partitions that are required for BitLocker. 
> @@ -55,6 +54,10 @@ BitLocker has the following requirements: > [!NOTE] > When installing the BitLocker optional component on a server, the *Enhanced Storage* feature must be installed. The feature is used to support hardware encrypted drives. +## Device Encryption + +*Device Encryption* is a security feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device Encryption requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access. + [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] > [!NOTE] @@ -64,4 +67,4 @@ BitLocker has the following requirements: > [!div class="nextstepaction"] > Learn about technologies and features to protect against attacks on the BitLocker encryption key: -> [BitLocker countermeasures >](countermeasures.md) \ No newline at end of file +> [BitLocker countermeasures >](countermeasures.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/management-tools.md b/windows/security/operating-system-security/data-protection/bitlocker/management-tools.md new file mode 100644 index 0000000000..7890113b2b --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/management-tools.md 
@@ -0,0 +1,550 @@ +--- +title: BitLocker management tools +description: Learn how to use different tools to operate BitLocker. +ms.collection: + - tier1 +ms.topic: how-to +ms.date: 07/25/2023 +--- + +# BitLocker management tools + +There are differnt tools and options to manage and operate BitLocker: + +- the BitLocker PowerShell module +- the BitLocker drive encryption tools +- Control Panel + +The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker control panel. They are appropriate to use for automated deployments and other scripting scenarios.\ +The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks. + +This article describes the BitLocker management tools and how to use them, providing practical examples. + +## BitLocker PowerShell module + +The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, che the [BitLocker PowerShell reference article](/powershell/module/bitlocker). + +## BitLocker drive encryption tools + +The BitLocker drive encryption tools include the two command-line tools: + +- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. 
For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference +- *Repair Tool* (`repair-bde.exe`) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console + +### Repair tool + +The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier + +> [!TIP] +> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume: +> +> `manage-bde.exe -KeyPackage` + +The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions: + +- The drive is encrypted using BitLocker Drive Encryption +- Windows doesn't start, or the BitLocker recovery console can't start +- There isn't a backup copy of the data that is contained on the encrypted drive + +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. 
+ +The following limitations exist for Repair-bde: + +- it can't repair a drive that failed during the encryption or decryption process +- it assumes that if the drive has any encryption, then the drive is fully encrypted + +For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). + +## Using BitLocker to encrypt volumes + +BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. + +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. + +> [!NOTE] +> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. + +`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). + +`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command. 
+ +Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. + +## Example: check the BitLocker status + +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. + +Follow the instructions below verify the status of BitLocker, selecting the tool of your choice. + +#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) + +To determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example: + +```powershell +PS C:\> Get-BitLockerVolume C: | fl + +ComputerName : DESKTOP +MountPoint : C: +EncryptionMethod : XtsAes128 +AutoUnlockEnabled : +AutoUnlockKeyStored : False +MetadataVersion : 2 +VolumeStatus : FullyEncrypted +ProtectionStatus : On +LockStatus : Unlocked +EncryptionPercentage : 100 +WipePercentage : 0 +VolumeType : OperatingSystem +CapacityGB : 1000 +KeyProtector : {Tpm, RecoveryPassword} +``` + +#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +With `manage-bde.exe` you can determine the volume status on the target system, for example: + +`manage-bde.exe -status` + +This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume. 
+ +```cmd +C:\>manage-bde -status + +Volume C: [Local Disk] +[OS Volume] + + Size: 1000 GB + BitLocker Version: 2.0 + Conversion Status: Used Space Only Encrypted + Percentage Encrypted: 100.0% + Encryption Method: XTS-AES 128 + Protection Status: Protection On + Lock Status: Unlocked + Identification Field: Unknown + Key Protectors: + TPM + Numerical Password +``` + +#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) + +Checking BitLocker status with the control panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include: + +| Status | Description | +| - | - | +| **On**|BitLocker is enabled for the volume | +| **Off**| BitLocker isn't enabled for the volume | +| **Suspended** | BitLocker is suspended and not actively protecting the volume | +| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| + +If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status. 
+ +--- + +## Example: enable BitLocker + +#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) + +The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: + +```powershell +Enable-BitLocker C: +``` + +In the next example, we add one more protector, the *StartupKey* protector, and choose to skip the BitLocker hardware test. Encryption starts immediately without the need for a reboot: + +```powershell +Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest +``` + +#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +Using only the `manage-bde.exe -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, you may require more secure protectors such as passwords or PIN, and expect to be able to recover information with a recovery key. + +### Enable BitLocker with a TPM only + +It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command: + +```cmd +manage-bde.exe -on C: +``` + +This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command: + +```cmd +manage-bde.exe -protectors -get +``` + +### Provisioning BitLocker with two protectors + +Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command: + +```cmd +manage-bde.exe -protectors -add C: -pw -sid +``` + +This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. 
+ +A common protector for a data volume is the password protector. In the next example, a password protector is added to the volume and turn on BitLocker. + +```powershell +manage-bde.exe -protectors -add -pw C: +manage-bde.exe -on C: +``` +### Enabling BitLocker without a TPM + +Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption: + +```powershell +manage-bde.exe -protectors -add C: -startupkey E: +manage-bde.exe -on C: +``` + +If prompted, reboot the computer to complete the encryption process. + +### Data volume commands + +Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: + +```cmd +manage-bde.exe -on +``` + +Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume. + +#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) + +Encrypting volumes with the BitLocker control panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. 
Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. + +To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume). + +### Operating system volume + +For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions: + +1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: + + If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. + +2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped. + +3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. 
The recovery key can be used to gain access to the computer if:
+
+ - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
+ - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
+
+ A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
+
+ The recovery key can be stored using the following methods:
+
+ - **Save to your Azure AD account** (if applicable)
+ - **Save to a USB flash drive**
+ - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
+ - **Print the recovery key**
+
+ The recovery key can't be stored at the following locations:
+
+ - The drive being encrypted
+ - The root directory of a non-removable/fixed drive
+ - An encrypted volume
+
+ > [!TIP]
+ > Ideally, a computer's recovery key should be stored separate from the computer itself.
+
+ > [!NOTE]
+ > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
+
+4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
+
+ - **Encrypt used disk space only** - Encrypts only disk space that contains data.
+ - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
+
+ Each of the methods is recommended in the following scenarios:
+
+ - **Encrypt used disk space only**:
+
+ - The drive has never had data
+ - Formatted or erased drives that in the past have never had confidential data that was never encrypted
+
+ - **Encrypt entire drive** (full disk encryption):
+
+ - Drives that currently have data
+ - Drives that currently have an operating system
+ - Formatted or erased drives that in the past had confidential data that was never encrypted
+
+ > [!IMPORTANT]
+ > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
+
+5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
+
+ - **New encryption mode**
+ - **Compatible mode**
+
+ Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
+
+6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+
+After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
+
+Users can check encryption status by checking the system notification area or the BitLocker control panel.
+
+Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
+
+### Data volume
+
+Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
+
+1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
+
+2. A choice of authentication methods to unlock the drive appears. The available options are:
+
+ - **Use a password to unlock the drive**
+ - **Use my smart card to unlock the drive**
+ - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
+
+3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
+
+ - **Save to your Azure AD account** (if applicable)
+ - **Save to a USB flash drive**
+ - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
+ - **Print the recovery key**
+
+4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
+
+ - **Encrypt used disk space only** - Encrypts only disk space that contains data.
+ - **Encrypt entire drive** - Encrypts the entire volume including free space.
Also known as full disk encryption.
+
+5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
+
+ - **New encryption mode**
+ - **Compatible mode**
+
+ Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
+
+6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
+
+Encryption status displays in the notification area or within the BitLocker control panel.
+
+### OneDrive option
+
+There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
+
+Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
+
+### Using BitLocker within Windows Explorer
+
+Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available.
After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+
+---
+
+## Manage BitLocker protectors
+
+Follow the instructions below manage BitLocker protectors, selecting the option that best suits your needs.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
+
+The following commands return the list of key protectors and GUIDS:
+
+```PowerShell
+$vol = Get-BitLockerVolume C:
+$keyprotectors = $vol.KeyProtector
+$keyprotectors
+```
+
+By using this information, the key protector for a specific volume can be removed using the command:
+
+```powershell
+Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
+```
+
+> [!NOTE]
+> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
+
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
+SecureString value to store the user-defined password.
+
+```powershell
+$pw = Read-Host -AsSecureString
+
+Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
+```
+
+> [!NOTE]
+> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
+
+The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment.
The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
+
+> [!WARNING]
+> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
+
+To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
+
+```powershell
+Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
+```
+
+For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
+
+```powershell
+Get-ADUser -filter {samaccountname -eq "administrator"}
+```
+
+> [!NOTE]
+> Use of this command requires the RSAT-AD-PowerShell feature.
+
+> [!TIP]
+> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
+
+In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
+
+```powershell
+Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
+```
+
+> [!NOTE]
+> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
+
+For Azure AD-joined computers, the recovery password should be stored in Azure AD.
+
+**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+
+```powershell
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+$BLV = Get-BitLockerVolume -MountPoint "C:"
+
+BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
+
+For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
+
+**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
+
+```powershell
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+$BLV = Get-BitLockerVolume -MountPoint "C:"
+
+Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
+
+PowerShell can then be used to enable BitLocker:
+
+**Example**: *Use PowerShell to enable BitLocker with a TPM protector*
+
+```powershell
+Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+```
+
+**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+
+```powershell
+$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+```
+
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.
+
+The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
+
+```cmd
+manage-bde.exe -protectors -add C: -startupkey E:
+manage-bde.exe -on C:
+```
+
+> [!NOTE]
+> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
+
+An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
+
+```cmd
+manage-bde.exe -protectors -add C: -pw -sid
+```
+
+The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.
+
+On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
+
+```cmd
+manage-bde.exe -on C:
+```
+
+The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
+
+```cmd
+ manage-bde.exe -protectors -get
+```
+
+Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete.
Encrypting data volumes can be done using the base command:
+
+`manage-bde.exe -on `
+
+or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
+
+A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
+
+```cmd
+manage-bde.exe -protectors -add -pw C:
+manage-bde.exe -on C:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
+The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
+
+Once BitLocker protector activation is completed, the completion notice is displayed.
+
+---
+
+### Decrypt volumes
+
+Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
+
+Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
+
+```powershell
+Disable-BitLocker
+```
+
+If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input.
An example command is:
+
+```powershell
+Disable-BitLocker -MountPoint E:,F:,G:
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+
+```powershell
+manage-bde.exe -off C:
+```
+
+This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
+
+```powershell
+manage-bde.exe -status C:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process.
+After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
+
+The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
+
+Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
+
+---
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/plan.md b/windows/security/operating-system-security/data-protection/bitlocker/plan.md
index fa50e850db..59d04fe105 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/plan.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/plan.md
@@ -200,13 +200,115 @@ The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`
 For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
+## Provisioning BitLocker during operating system deployment
+
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+
+## Deploy hard drive encryption
+
+BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. Administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
+
+## Used Disk Space Only encryption
+
+To reduce encryption time, BitLocker lets users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty aren't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent.
+
+Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
+
+## Encrypted hard drive support
+
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the device's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
+
+For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
+
+## Preboot information protection
+
+An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
+
+It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
+
+Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
+
+## Manage passwords and PINs
+
+When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
+
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
+
+Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials.
Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+
+For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
+
+## Configure Network Unlock
+
+Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
+
+Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
+Network Unlock requires the following infrastructure:
+
+- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
+
+- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
+
+- A server with the DHCP server role installed
+
+For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](network-unlock.md).
+
+## Microsoft BitLocker administration and monitoring
+
+Enterprises can use Microsoft Entra ID, Microsoft Intune and Configuration Manager for BitLocker administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor). -->
+## BitLocker Device Encryption
-## Related articles
+Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby.
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [BitLocker](index.md)
-- [BitLocker policy settings](policy-settings.md)
-- [BitLocker basic deployment](bitlocker-basic-deployment.md)
+Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
+
+- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
+
+- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
+
+- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:
+
+ *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
+
+ With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
+
+- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+
+Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it.
However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
+
+- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
+- **Type**: `REG_DWORD`
+- **Value**: `PreventDeviceEncryption` equal to `1` (True)
+
+> [!NOTE]
+> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied.
+
+*Device Encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device Encryption is available on all Windows versions, including Home edition, but requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access.
+
+Device Encryption encrypts the data on a device immediately, but doesn't enable protection until the key is safely backed up to the user's Microsoft account. The encrypted device is left in a *clear key* state, where the encryption key is stored in plain text on the volume to allow free access to the data. Even though the data is encrypted, the device is completely unprotected in this state. In this *clear key* state, `manage-bde.exe` will show data as encrypted, but **Protection Off**, and no protectors yet added. Device encription-capable devices are in this state if no Microsoft account user signs in as an administrator of the device. Connecting to a Microsoft account and the internet causes the recovery key to back up, protector to be added (using the device's TPM), and protection to be enabled.
+
+Difference between BitLocker and Device Encryption (DE):
+
+- Device Encryption turn BitLocker on automatically on Device Encryption-qualifying devices, with the recovery key automatically backed up to the user's Microsoft account
+- Device Encryption adds a Device Encryption setting in the Settings app
+
+Device Encryption facts:
+
+- Device Encryption enables BitLocker automatically once a Microsoft Account is signed in to the device and the recovery key gets successfully backed up to the user's account
+ - On Windows Home edition, Device Encryption enables BitLocker with limited management capabilities (via the BitLocker Control Panel applet only)
+ - On other Windows versions where *full* BitLocker is present, Device Encryption's effect is to turn BitLocker on automatically instead of waiting for manual activation
+
+- If a device uses only local accounts, then it remains unprotected even though the data is encrypted
+- Device Encryption has a UI in the Settings app to turn it on/off
+- If Device Encryption is turned off, it will no longer automatically enable itself in the future. The user must enable it manually in Settings
+- If a device doesn't initially qualify for Device Encryption, but then a change is made that causes the device to qualify (for example, turn Secure Boot on), Device Encryption will enable BitLocker automatically as soon as it detects it (if Device Encryption wasn't previously turned off)
+- Device Encryption is enabled as soon as the device completes OOBE, but the work to encrypt all existing data waits for both AC power and idle time to start the actual encryption, therefore full protection may not be complete immediately.
In most cases, encryption takes only minutes to complete
+
+- The Settings UI will not show Device Encryption enabled until encryption is complete
+- manage-bde.exe is available and has all capabilities on all versions of Windows
+- Device Encryption encrypts only fixed drives, will not encrypt external/USB drives
+
+You can check whether a device meets requirements for Device Encryption in the System Information app (msinfo32.exe). (see below for more)
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
index 497ce21721..b812569735 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
@@ -141,4 +141,4 @@ If a device isn't compliant with the configured policy settings, BitLocker may n
 If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password but then policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [`manage-bde`](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
-In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [`manage-bde`](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
\ No newline at end of file
+In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [`manage-bde`](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
index 24bf776ecd..fcf0720f3a 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
@@ -28,7 +28,7 @@ BitLocker recovery is the process by which access to a BitLocker-protected drive
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On devices that use BitLocker drive encryption or [BitLocker Device Encryption](bitlocker-device-encryption.md), when an attack is detected the device will reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On devices that use BitLocker drive encryption or [Device Encryption](index.md#device-encryption), when an attack is detected the device will reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised. 
@@ -301,9 +301,9 @@ If the USB flash drive that contains the startup key has been lost, then drive m
 This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
-## Windows RE and BitLocker Device Encryption
+## Windows RE and Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption.md). If a device is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [Device Encryption](index.md#device-encryption). If a device is unable to boot after two failures, Startup Repair automatically starts. 
When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
 Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
@@ -416,7 +416,6 @@ There are rules governing which hint is shown during the recovery (in the order
 | Creation time | **1PM** |
 | Key ID | A564F193 |
-
 | Custom URL | No |
 |----------------------------|----------|
 | Saved to Microsoft Account | No |
@@ -507,7 +506,6 @@ The recovery password and be invalidated and reset in two ways:
 > [!WARNING]
 > The braces `{}` must be included in the ID string.
-
 ## Retrieve the BitLocker key package
 Two methods can be used to retrieve the key package as described in Using Additional Recovery Information: 
@@ -519,7 +517,6 @@ Export a new key package from an unlocked, BitLocker-protected volume. Local adm
 strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
 strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")
-
 ### Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
 ``` PowerShell
@@ -569,7 +566,6 @@ Device name: DESKTOP-53O32QI
 BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682
 ```
-
 ### Repair tool
 The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier