Paolo Matarazzo
2023-10-03 05:26:49 -04:00
parent c16226c8b9
commit 4f6a744953
2 changed files with 10 additions and 14 deletions

@ -12,7 +12,7 @@ This article compares the BitLocker management options between Microsoft Intune
| Requirements | Microsoft Intune | Microsoft Configuration Manager |
|--|--|--|
| *Supported Windows client editions* | Pro, Enterprise, Pro Education, Education | Pro, Enterprise, Pro Education, Education |
| *Windows server support* | | |
| *Windows server support* | | |
| *Supported domain-joined status* | Microsoft Entra joined and hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined |
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom |
| *Cloud or on premises* | Cloud | On premises |
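Review bot: the *Windows server support* row, the one line this hunk changes, still shows two empty cells, which a reader cannot tell apart from a cell that was never filled in; since every other feature row in this table marks support with ✅, mark the unsupported case explicitly in both columns (for example ❌ or "Not supported"), or add a legend above the table stating that an empty cell means no support. Separately, the *Supported domain-joined status* row mixes "Active Directory-joined" and "Microsoft Entra joined"; pick one hyphenation convention.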
@ -34,9 +34,9 @@ This article compares the BitLocker management options between Microsoft Intune
| *Support for organization unique IDs* | ✅ | ✅ |
| *Self-service recovery* | ✅ | ✅ |
| *Recovery password rotation for fixed and operating environment drives* | ✅ | ✅ |
| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | |
| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | |
| *Wait to complete encryption until recovery information is backed up to Active Directory* | ✅ | ✅ |
| *Allow or deny Data Recovery Agent* | ✅ | |
| *Unlock a volume using certificate with custom object identifier* | | |
| *Allow or deny Data Recovery Agent* | ✅ | |
| *Unlock a volume using certificate with custom object identifier* | | |
| *Prevent memory overwrite on restart* | ✅ | ✅ |
| *Manage auto-unlock functionality* | ✅ | ✅ |
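Review bot: the three rows this hunk touches (*Wait to complete encryption until recovery information is backed up to Microsoft Entra ID*, *Allow or deny Data Recovery Agent*, *Unlock a volume using certificate with custom object identifier*) leave the Configuration Manager cell, and in the last case both cells, empty, so "not supported" is indistinguishable from "not yet documented"; use the same explicit marker in every unsupported cell that the rest of the table uses ✅ for supported ones. The certificate-with-custom-object-identifier row is the only feature showing support in neither column; if that is intended, a short note on why it is listed would help the reader.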

@ -17,15 +17,11 @@ To plan a BitLocker deployment, understand the current environment. Perform an i
To help document the organization's current disk encryption security policies, answer the following questions:
1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker?
2. What policies exist to control recovery password and recovery key storage?
3. What are the policies for validating the identity of users who need to perform BitLocker recovery?
4. What policies exist to control who in the organization has access to recovery data?
5. What policies exist to control computer decommissioning or retirement?
- Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker?
- What policies exist to control recovery password and recovery key storage?
- What are the policies for validating the identity of users who need to perform BitLocker recovery?
- What policies exist to control who in the organization has access to recovery data?
- What policies exist to control computer decommissioning or retirement?
## Encryption keys and authentication
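Review bot: the first bullet still reads "which computers will use BitLocker and which computers won't use BitLocker", which repeats itself; shorten to "which computers will and won't use BitLocker". Moving the five questions from a numbered list to bullets is fine, since they are not ordered steps, but the lead-in sentence "answer the following questions" could then also say that the answers become the inventory referred to earlier in the section, so the reader knows what to do with them.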
@ -122,7 +118,7 @@ Windows RE can also be used from boot media other than the local hard disk. If W
## BitLocker provisioning
In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
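Review bot: the new sentence "BitLocker can be provisioned before the operating system is installed" no longer says which Windows versions support this (the removed text at least qualified it with "with newer operating systems"); name the minimum supported version so the statement is not unconditional. "requires the computer have a TPM" should read "requires that the computer have a TPM". The removed line formatted the tool as `manage-bde` while the unchanged paragraph below uses **manage-bde**; use the code formatting consistently for the command name.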