deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 21:33:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-smandalika-bitlocker-basic-deployment-1Sep

Browse Source
This commit is contained in:
Siddarth Mandalika
2021-03-04 14:35:10 +05:30
committed by GitHub
parent e58ef99c03 b1f47a8e30
commit 61ad40139d
1991 changed files with 86540 additions and 15135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/information-protection/TOC.md
View File

@ -3,9 +3,9 @@
## [BitLocker](bitlocker\bitlocker-overview.md)
### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md)
#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.yml)
#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md)
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml)
#### [Key management](bitlocker\bitlocker-key-management-faq.md)
#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md)
#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md)

101
windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
View File

@ -1,101 +0,0 @@
---
title: BitLocker deployment and administration FAQ (Windows 10)
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker frequently asked questions (FAQ)
**Applies to**
- Windows 10
## Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
## Can BitLocker encrypt more than just the operating system drive?
Yes.
## Is there a noticeable performance impact when BitLocker is enabled on a computer?
Generally it imposes a single-digit percentage performance overhead.
## How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
## What happens if the computer is turned off during encryption or decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
## How can I prevent users on a network from storing data on an unencrypted drive?
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
## What is Used Disk Space Only encryption?
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
## What system changes would cause the integrity check on my operating system drive to fail?
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
## What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
## What can prevent BitLocker from binding to PCR 7?
BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
## Why is "Turn BitLocker on" not available when I right-click a drive?
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
## What type of disk configurations are supported by BitLocker?
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.

96
windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml Normal file
View File

@ -0,0 +1,96 @@
### YamlMime:FAQ
metadata:
title: BitLocker deployment and administration FAQ (Windows 10)
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: Can BitLocker deployment be automated in an enterprise environment?
answer: |
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps).
- question: Can BitLocker encrypt more than just the operating system drive?
answer: Yes.
- question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
- question: How long will initial encryption take when BitLocker is turned on?
answer: |
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
- question: What happens if the computer is turned off during encryption or decryption?
answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
- question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
- question: How can I prevent users on a network from storing data on an unencrypted drive?
answer: |
You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
- question: What is Used Disk Space Only encryption?
answer: |
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
- question: What system changes would cause the integrity check on my operating system drive to fail?
answer: |
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
- question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
answer: |
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
- question: What can prevent BitLocker from binding to PCR 7?
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
- question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
- question: Why is "Turn BitLocker on" not available when I right-click a drive?
answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
- question: What type of disk configurations are supported by BitLocker?
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.

3
windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
View File

@ -82,6 +82,9 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
> [!NOTE]
> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.

4
windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
View File

@ -25,9 +25,9 @@ ms.custom: bitlocker
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.md)
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.md)
- [BitLocker To Go](bitlocker-to-go-faq.md)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md)

7
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -20,9 +20,9 @@ ms.custom: bitlocker
# BitLocker Group Policy settings
**Applies to**
**Applies to:**
- Windows 10
- Windows 10, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
@ -37,6 +37,9 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
> [!NOTE]
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings
The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

365
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -1,6 +1,6 @@
---
title: BitLocker How to enable Network Unlock (Windows 10)
description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.
title: BitLocker - How to enable Network Unlock (Windows 10)
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9
ms.reviewer:
ms.prod: w10
@ -23,178 +23,168 @@ ms.custom: bitlocker
**Applies to**
- Windows 10
This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.
This article for IT professionals describes how BitLocker Network Unlock works and how to configure it.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers.
This topic contains:
- [Network Unlock core requirements](#bkmk-nunlockcorereqs)
- [Network Unlock sequence](#bkmk-networkunlockseq)
- [Configure Network Unlock](#bkmk-configuringnetworkunlock)
- [Create the certificate template for Network Unlock](#bkmk-createcerttmpl)
- [Turning off Network Unlock](#bkmk-turnoffnetworkunlock)
- [Update Network Unlock certificates](#bkmk-updatecerts)
- [Troubleshoot Network Unlock](#bkmk-troubleshoot)
- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems)
Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session.
## <a href="" id="bkmk-nunlockcorereqs"></a>Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include:
Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems:
- You must be running at least Windows 8 or Windows Server 2012.
- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
- Network Unlock clients must have a TPM chip and at least one TPM protector.
- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
- BitLocker Network Unlock optional feature installed on any supported server operating system.
- A DHCP server, separate from the WDS server.
- Properly configured public/private key pairing.
- Network Unlock Group Policy settings configured.
- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client.
- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector.
- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system.
- The BitLocker Network Unlock optional feature can be installed on any supported server operating system.
- You must have a DHCP server, separate from the WDS server.
- You must have a properly configured public/private key pairing.
- Network Unlock Group Policy settings must be configured.
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer.
> [!NOTE]
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock.
Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement.
Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server.
Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server.
The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key.
## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive.
On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients.
![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png)
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
**Phases in the Network Unlock process**
![Diagram showing the BitLocker network unlock sequence.](images/bitlockernetworkunlocksequence.png)
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
The Network Unlock process follows these phases:
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
- A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server.
- An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts it with the WDS servers BitLocker Network Unlock certificate RSA private key.
6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key.
7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM.
5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
8. This combined key is used to create an AES-256 key that unlocks the volume.
9. Windows continues the boot sequence.
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012.
### <a href="" id="bkmk-installwdsrole"><a/>Install the WDS Server role
### <a href="" id="bkmk-installwdsrole"></a>Install the WDS server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role.
To install the role using Windows PowerShell, use the following command:
To install the role by using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature WDS-Deployment
```
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard.
### <a href="" id="bkmk-confirmwdsrunning"><a/>Confirm the WDS Service is running
### <a href="" id="bkmk-confirmwdsrunning"></a>Confirm the WDS service is running
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service.
To confirm the service is running using Windows PowerShell, use the following command:
To confirm the service is running by using Windows PowerShell, use the following command:
```powershell
Get-Service WDSServer
```
### <a href="" id="bkmk-installnufeature"><a/>Install the Network Unlock feature
### <a href="" id="bkmk-installnufeature"></a>Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**.
To install the feature using Windows PowerShell, use the following command:
To install the feature by using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature BitLocker-NetworkUnlock
```
### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template:
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
1. Open the certificate template snap-in (`certtmpl.msc`).
2. Locate the user template. Right-click the template name, and then select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**.
5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**.
9. Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**.
10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**.
11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**.
12. In the **Edit Application Policies Extension** dialog box, select **Add**.
13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy.
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
- **Name**: **BitLocker Network Unlock**
- **Object Identifier**: **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**.
15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock.
### <a href="" id="bkmk-createcert"><a/>Create the Network Unlock certificate
### <a href="" id="bkmk-createcert"></a>Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
To enroll a certificate from an existing certification authority (CA), do the following:
To enroll a certificate from an existing certificate authority:
1. Open Certificate Manager on the WDS server using **certmgr.msc**
2. Under the Certificates - Current User item, right-click Personal
3. Select All Tasks, then **Request New Certificate**
4. Select **Next** when the Certificate Enrollment wizard opens
5. Select Active Directory Enrollment Policy
6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate:
1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
2. Under **Certificates - Current User**, right-click **Personal**.
3. Select **All Tasks** > **Request New Certificate**.
4. When the Certificate Enrollment wizard opens, select **Next**.
5. Select **Active Directory Enrollment Policy**.
6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**.
1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*.
7. Create the certificate. Ensure the certificate appears in the **Personal** folder.
8. Export the public key certificate for Network Unlock:
- Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain"
7. Create the certificate. Ensure the certificate appears in the Personal folder.
8. Export the public key certificate for Network Unlock
1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**.
2. Select **No, do not export the private key**.
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
4. Give the file a name such as BitLocker-NetworkUnlock.cer.
9. Export the public key with a private key for Network Unlock
1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file.
4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*.
9. Export the public key with a private key for Network Unlock:
1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**.
2. Select **Yes, export the private key**.
3. Complete the wizard to create the .pfx file.
3. Complete the steps to create the *.pfx* file.
To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq.
To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`.
Windows PowerShell example:
Here's a Windows PowerShell example:
```powershell
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
Certreq example:
Here's a `certreq` example:
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*.
2. Add the following contents to the previously created file:
```ini
@ -216,176 +206,183 @@ Certreq example:
_continue_ = "1.3.6.1.4.1.311.67.1.1"
```
3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name:
3. Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name.
```cmd
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
4. Verify the previous command properly created the certificate by confirming the .cer file exists.
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
4. Verify the previous command properly created the certificate by confirming the *.cer* file exists.
5. Launch **Certificates - Local Machine** by running `certlm.msc`.
6. Create a *.pfx* file by opening the *Certificates Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file.
### <a href="" id="bkmk-deploycert"><a/>Deploy the private key and certificate to the WDS server
### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**.
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer.
2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**.
3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously.
4. Enter the password that you used to create the *.pfx* file, and finish the steps.
### Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC.
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
To enable the Group Policy setting that's required to configure Network Unlock:
1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** or **Allow startup PIN with TPM** option.
1. Open Group Policy Management Console (`gpmc.msc`).
2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting:
To deploy the required Group Policy setting:
> [!NOTE]
> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
1. Copy the *.cer* file that you created for Network Unlock to the domain controller.
2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients:
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*.
2. Right-click the folder, and then choose **Add Network Unlock Certificate**.
3. Follow the steps and import the *.cer* file that you copied earlier.
> [!NOTE]
> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
> [!NOTE]
> Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer.
5. Reboot the clients after deploying the group policy.
5. Reboot the clients after you deploy the Group Policy.
> [!NOTE]
> The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
> The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store.
### Subnet policy configuration files on WDS Server (Optional)
### Subnet policy configuration files on the WDS server (optional)
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking.
The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests.
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections.
Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names.
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate.
> [!NOTE]
> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail.
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate.
So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section.
Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that the list specifies.
To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon.
```ini
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
SUBNET1
;SUBNET2
SUBNET3
```
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
## <a href="" id="bkmk-turnoffnetworkunlock"><a/>Turning off Network Unlock
## <a href="" id="bkmk-turnoffnetworkunlock"></a>Turn off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain.
> [!NOTE]
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server.
## <a href="" id="bkmk-updatecerts"><a/>Update Network Unlock certificates
## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.
To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller.
> [!NOTE]
> Servers that do not receive the Group Policy Object (GPO) will require a PIN when booting. In such cases, the reason why the server did not receive the GPO to update the certificate needs to be investigated.
> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include:
To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items:
- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode.
- All required roles and services are installed and started
- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer.
- Group policy for Network Unlock is enabled and linked to the appropriate domains.
- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
- Verify the clients were rebooted after applying the policy.
- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer:
- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode.
- All required roles and services are installed and started.
- Public and private certificates have been published and are in the proper certificate containers. Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer.
- Group Policy for Network Unlock is enabled and linked to the appropriate domains.
- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility.
- The clients were rebooted after the policy was applied.
- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer.
```powershell
manage-bde -protectors -get C:
```
> [!NOTE]
> Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
> Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
Files to gather when troubleshooting BitLocker Network Unlock include:
Gather the following files to troubleshoot BitLocker Network Unlock.
1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log
- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.
Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging.
Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging.
1. Start an elevated command prompt and run the following command:
- Start an elevated command prompt, and then run the following command:
```cmd
wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
```
2. Open Event Viewer on the WDS server.
- Open Event Viewer on the WDS server:
In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**.
1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
1. In the right pane, select **Enable Log**.
In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists).
3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
- The DHCP subnet configuration file (if one exists).
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008.
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
**Requirements**
Your system must meet these requirements:
- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic.
- Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.
The following steps can be used to configure Network Unlock on these older systems.
Follow these steps to configure Network Unlock on these older systems.
1. [Install the WDS Server role](#bkmk-installwdsrole)
2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning)
3. [Install the Network Unlock feature](#bkmk-installnufeature)
4. [Create the Network Unlock certificate](#bkmk-createcert)
5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert)
1. [Install the WDS server role.](#bkmk-installwdsrole)
2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning)
3. [Install the Network Unlock feature.](#bkmk-installnufeature)
4. [Create the Network Unlock certificate.](#bkmk-createcert)
5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert)
6. Configure registry settings for Network Unlock:
Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
```console
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
```
Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article.
7. Set up a TPM protector on the clients
8. Reboot the clients to add the Network (Certificate Based) protector
```console
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
```
7. Set up a TPM protector on the clients.
8. Reboot the clients to add the **Network (Certificate Based)** protector.
## See also

82
windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
View File

@ -1,82 +0,0 @@
---
title: BitLocker overview and requirements FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker Overview and Requirements FAQ
**Applies to**
- Windows 10
## How does BitLocker work?
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
## Does BitLocker support multifactor authentication?
Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
## What are the BitLocker hardware and software requirements?
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
## Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
## Which Trusted Platform Modules (TPMs) does BitLocker support?
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## How can I tell if a TPM is on my computer?
Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
## Can I use BitLocker on an operating system drive without a TPM?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
## How do I obtain BIOS support for the TPM on my computer?
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
## What credentials are required to use BitLocker?
To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
## What is the recommended boot order for computers that are going to be BitLocker-protected?
You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 

82
windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml Normal file
View File

@ -0,0 +1,82 @@
### YamlMime:FAQ
metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: How does BitLocker work?
answer: |
**How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
- question: Does BitLocker support multifactor authentication?
answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
- question: What are the BitLocker hardware and software requirements?
answer: |
For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
> [!NOTE]
> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
- question: Why are two partitions required? Why does the system drive have to be so large?
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
- question: Which Trusted Platform Modules (TPMs) does BitLocker support?
answer: |
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
- question: How can I tell if a TPM is on my computer?
answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading.
- question: Can I use BitLocker on an operating system drive without a TPM?
answer: |
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer?
answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
- question: What credentials are required to use BitLocker?
answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected?
answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 

6
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
> [!IMPORTANT]
> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/).
> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
@ -74,6 +74,8 @@ The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives).
When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
@ -97,5 +99,3 @@ When installing the BitLocker optional component on a server you will also need
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |

14
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -2,7 +2,7 @@
title: BitLocker recovery guide (Windows 10)
description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
ms.reviewer:
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the Microsoft Account and the custom URL are displayed.
![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG)
![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png)
#### Example 2 (single recovery key with single backup)
@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the custom URL is displayed.
![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG)
![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png)
#### Example 3 (single recovery key with multiple backups)
@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the Microsoft Account hint is displayed.
![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG)
![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png)
#### Example 4 (multiple recovery passwords)
@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG)
![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png)
#### Example 5 (multiple recovery passwords)
@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the most recent key is displayed.
![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG)
![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png)
## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
@ -484,7 +484,7 @@ You can reset the recovery password in two ways:
> [!WARNING]
> You must include the braces in the ID string.
**To run the sample recovery password script:**
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.

2
windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.author: v-maave
author: martyav
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance

0
windows/security/information-protection/bitlocker/images/rp-example1.PNG → windows/security/information-protection/bitlocker/images/rp-example1.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 118 KiB

After

Width:  |  Height:  |  Size: 118 KiB

0
windows/security/information-protection/bitlocker/images/rp-example2.PNG → windows/security/information-protection/bitlocker/images/rp-example2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

0
windows/security/information-protection/bitlocker/images/rp-example3.PNG → windows/security/information-protection/bitlocker/images/rp-example3.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 96 KiB

After

Width:  |  Height:  |  Size: 96 KiB

0
windows/security/information-protection/bitlocker/images/rp-example4.PNG → windows/security/information-protection/bitlocker/images/rp-example4.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

0
windows/security/information-protection/bitlocker/images/rp-example5.PNG → windows/security/information-protection/bitlocker/images/rp-example5.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 91 KiB

After

Width:  |  Height:  |  Size: 91 KiB

27
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -1,5 +1,5 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika
ms.technology: windows
@ -16,7 +16,6 @@ ms.date: 10/18/2019
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@ -38,8 +37,10 @@ To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script:
```ps
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
@ -67,7 +68,7 @@ To resolve this issue, disable and re-enable the TPM. To do this, follow these s
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
> Clearing the TPM can cause data loss.
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
@ -79,7 +80,7 @@ The TPM did not have sufficient permissions on the TPM Devices container in Acti
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution
### Resolution
To verify that you have correctly identified this issue, use one of the following methods:
@ -88,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```ps
```powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
@ -98,7 +99,7 @@ To verify that you have correctly identified this issue, use one of the followin
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
@ -115,14 +116,14 @@ The domain and forest functional level of the environment may still be set to Wi
To resolve this issue, follow these steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
1. In the script, modify the value of **strPathToDomain** to your domain name.
1. Open an elevated PowerShell window, and run the following command:
2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
3. In the script, modify the value of **strPathToDomain** to your domain name.
4. Open an elevated PowerShell window, and run the following command:
```ps
```powershell
cscript <Path>Add-TPMSelfWriteACE.vbs
```
In this command \<*Path*> is the path to the script file.
For more information, see the following articles:

2
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

4
windows/security/information-protection/secure-the-windows-10-boot-process.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: Explore
ms.pagetype: security
ms.sitesec: library
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@ -84,7 +84,7 @@ These requirements help protect you from rootkits while allowing you to run any
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.

2
windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/change-the-tpm-owner-password.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

6
windows/security/information-protection/tpm/tpm-fundamentals.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -151,5 +151,5 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/)
- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
- [TPM WMI providers](https://docs.microsoft.com/windows/win32/secprov/security-wmi-providers-reference)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#tpm-hardware-configurations)

2
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/tpm/trusted-platform-module-top-node.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

4
windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
View File

@ -1,5 +1,5 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer:
@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

6
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -1,11 +1,11 @@
---
title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the `
For example:
```console
URL <,proxy>|URL <,proxy>/*AppCompat*/
URL <,proxy>|URL <,proxy>|/*AppCompat*/
```
When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

2
windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

4
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|

10
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
View File

@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -23,11 +23,11 @@ ms.date: 02/26/2019
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |

4
windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

4
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:

2
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro

2
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro