From 6cc5d49b5b57ecf583e72273c08b6bc977c49727 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 14:51:12 +0530 Subject: [PATCH 1/9] Update bl-ovw-req-4318240 Made minor changes - 4318240 --- ...bitlocker-overview-and-requirements-faq.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 7f9715b9c0..13b28c1fb9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -25,50 +25,50 @@ ms.custom: bitlocker ## How does BitLocker work? -**How BitLocker works with operating system drives** +**How does BitLocker work with operating system drives** -You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. +You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and Boot Configuration Data (BCD). -**How BitLocker works with fixed and removable data drives** +**How does BitLocker work with fixed and removable data drives** -You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. +You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. ## Does BitLocker support multifactor authentication? -Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. +Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later versions, you can use additional forms of authentication with the TPM protection. ## What are the BitLocker hardware and software requirements? For requirements, see [System requirements](bitlocker-overview.md#system-requirements). > [!NOTE] -> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker. +> Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. ## Why are two partitions required? Why does the system drive have to be so large? -Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. +Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a partition that is separate from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. -## Which Trusted Platform Modules (TPMs) does BitLocker support? +## Which trusted platform modules (TPMs) does BitLocker support? -BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. +BitLocker supports TPM version 1.2 or higher. BitLocker's support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. > [!NOTE] -> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. +> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which prepares the OS and the disk to support UEFI. ## How can I tell if a TPM is on my computer? Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. -## Can I use BitLocker on an operating system drive without a TPM? +## Can I use BitLocker on an operating system drive that does not have a TPM? -Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. +Yes, you can enable BitLocker on an operating system drive that does not have a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker provides. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. ## How do I obtain BIOS support for the TPM on my computer? -Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: +Contact the computer manufacturer to request a trusted computing group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: - It is compliant with the TCG standards for a client computer. - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. @@ -79,4 +79,4 @@ To turn on, turn off, or change configurations of BitLocker on operating system ## What is the recommended boot order for computers that are going to be BitLocker-protected? -You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  +You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first in the order and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order prompts you for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  From 4d837887e0268751ab2db805e3a3da08266bd34f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 15:53:46 +0530 Subject: [PATCH 2/9] Update bitlocker-overview-and-requirements-faq.md --- .../bitlocker-overview-and-requirements-faq.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 13b28c1fb9..eef3b2f226 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -27,19 +27,19 @@ ms.custom: bitlocker **How does BitLocker work with operating system drives** -You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and Boot Configuration Data (BCD). +You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and Boot Configuration Data (BCD). For further information, see [BitLocker overview] (bitlocker-deviceencryption-overview.md#internal-drive-encryption). **How does BitLocker work with fixed and removable data drives** -You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. +You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. For more information, see [BitLocker overview](bitlocker-deviceencryption-overview.md). ## Does BitLocker support multifactor authentication? -Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later versions, you can use additional forms of authentication with the TPM protection. +Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later versions, you can use additional forms of authentication with the TPM protection. This includes the use of a password, a PIN, or a removable storage device. ## What are the BitLocker hardware and software requirements? -For requirements, see [System requirements](bitlocker-overview.md#system-requirements). +For requirements, see [System requirements](bitlocker-deviceencryption-overview.md#system-requirements-BitLocker). > [!NOTE] > Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. @@ -63,8 +63,12 @@ Beginning with Windows 10, version 1803, you can check TPM status in **Windows D ## Can I use BitLocker on an operating system drive that does not have a TPM? -Yes, you can enable BitLocker on an operating system drive that does not have a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker provides. -To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. +Yes, you can enable BitLocker on an operating system drive that does not have a TPM version 1.2 or higher, which can be done through the following options: +- If the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment, you can use a removable disk. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + +- You can use a password or a PIN to unlock the encrypted disk–This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or a USB flash drive containing the BitLocker startup key for that computer. + +- In addition to the above two options, the volume master key can be encrypted with a password or a PIN so that it can be displayed in a decrypted version when the user keys in the password. ## How do I obtain BIOS support for the TPM on my computer? From 28ce946dab57018fd1b8369f30e9009e2cf5b149 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Tue, 29 Sep 2020 12:58:07 +0530 Subject: [PATCH 3/9] Reviewed_bitlocker-overview-and-requirements-faq.md (#3883) --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index eef3b2f226..2894fbd5ab 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -27,7 +27,11 @@ ms.custom: bitlocker **How does BitLocker work with operating system drives** -You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and Boot Configuration Data (BCD). For further information, see [BitLocker overview] (bitlocker-deviceencryption-overview.md#internal-drive-encryption). +You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by: +- Encrypting all user files and system files (including the swap files and hibernation files) on the operating system drive. +- Checking the integrity of early boot components and Boot Configuration Data (BCD). + +For more information, see [BitLocker overview] (bitlocker-deviceencryption-overview.md#internal-drive-encryption). **How does BitLocker work with fixed and removable data drives** @@ -43,6 +47,7 @@ For requirements, see [System requirements](bitlocker-deviceencryption-overview. > [!NOTE] > Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. +**Question - The above statement is not clear**. ## Why are two partitions required? Why does the system drive have to be so large? @@ -66,7 +71,7 @@ Beginning with Windows 10, version 1803, you can check TPM status in **Windows D Yes, you can enable BitLocker on an operating system drive that does not have a TPM version 1.2 or higher, which can be done through the following options: - If the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment, you can use a removable disk. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. -- You can use a password or a PIN to unlock the encrypted disk–This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or a USB flash drive containing the BitLocker startup key for that computer. +- You can use a password or a PIN to unlock the encrypted disk. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or a USB flash drive containing the BitLocker startup key for that computer. - In addition to the above two options, the volume master key can be encrypted with a password or a PIN so that it can be displayed in a decrypted version when the user keys in the password. From 53e561c58de49752ffcbfd6e0b71c4b95b9d8f37 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 29 Sep 2020 16:40:59 +0530 Subject: [PATCH 4/9] Update bitlocker-overview-and-requirements-faq.md --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 2894fbd5ab..67965a1d33 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -35,7 +35,7 @@ For more information, see [BitLocker overview] (bitlocker-deviceencryption-overv **How does BitLocker work with fixed and removable data drives** -You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. For more information, see [BitLocker overview](bitlocker-deviceencryption-overview.md). +You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. For more information, see [BitLocker overview](bitlocker-device-encryption-overview-windows-10.md). ## Does BitLocker support multifactor authentication? @@ -43,7 +43,7 @@ Yes, BitLocker supports multifactor authentication for operating system drives. ## What are the BitLocker hardware and software requirements? -For requirements, see [System requirements](bitlocker-deviceencryption-overview.md#system-requirements-BitLocker). +For requirements, see [System requirements](bitlocker-device-encryption-overview-windows-10.md#system-requirements-BitLocker). > [!NOTE] > Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. From c3d11725fd1158e6b8c9bb3f98091b8e2391980c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 29 Sep 2020 17:16:41 +0530 Subject: [PATCH 5/9] Update bitlocker-overview-and-requirements-faq.md --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 67965a1d33..0a750974a7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -35,7 +35,7 @@ For more information, see [BitLocker overview] (bitlocker-deviceencryption-overv **How does BitLocker work with fixed and removable data drives** -You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. For more information, see [BitLocker overview](bitlocker-device-encryption-overview-windows-10.md). +You can use BitLocker to encrypt the entire content of a data drive. You can use group policy to make it mandatory for BitLocker to be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock-methods for data drives, and a data drive supports multiple unlock-methods. For more information, see [BitLocker overview](bitlocker-overview.md). ## Does BitLocker support multifactor authentication? @@ -43,7 +43,7 @@ Yes, BitLocker supports multifactor authentication for operating system drives. ## What are the BitLocker hardware and software requirements? -For requirements, see [System requirements](bitlocker-device-encryption-overview-windows-10.md#system-requirements-BitLocker). +For requirements, see [System requirements](bitlocker-overview.md#system-requirements). > [!NOTE] > Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. From 0d5c816685fc98d9b5f56a152fd3919a475e91b0 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 29 Sep 2020 17:26:51 +0530 Subject: [PATCH 6/9] Update bitlocker-overview-and-requirements-faq.md --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 0a750974a7..92b832954b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -47,7 +47,6 @@ For requirements, see [System requirements](bitlocker-overview.md#system-require > [!NOTE] > Dynamic disks are not supported by BitLocker. Dynamic data volumes are not displayed in the Control Panel. Although the operating system volume is always displayed in the Control Panel, regardless of whether it is a dynamic disk, it cannot be protected by BitLocker if it is a dynamic disk. -**Question - The above statement is not clear**. ## Why are two partitions required? Why does the system drive have to be so large? From 68325db07d6e3a981113e3594ccc3d0af1c929dc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:55:28 +0530 Subject: [PATCH 7/9] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From 79101cf25e1782746a96cdb077db3b02d26c6db2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:57:50 +0530 Subject: [PATCH 8/9] Update bitlocker-overview-and-requirements-faq.md --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 92b832954b..f1bfd48c66 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -78,8 +78,8 @@ Yes, you can enable BitLocker on an operating system drive that does not have a Contact the computer manufacturer to request a trusted computing group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: -- It is compliant with the TCG standards for a client computer. -- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. +- It is compliant with the TCG standards for a client computer. +- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. ## What credentials are required to use BitLocker? From e90b4b05b0f65abff9d4902720a564a396faa2ef Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 5 Mar 2021 12:40:42 +0530 Subject: [PATCH 9/9] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fcf11cf7d8..1ec467c8da 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -121,7 +121,7 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. +Manage-bde offers a multitude of wider options for configuring BitLocker. This provision means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. @@ -148,25 +148,25 @@ manage-bde -on C: **Enabling BitLocker with a TPM only** -It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: +It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this action is: `manage-bde -on C:` -This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: +This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: `manage-bde -protectors -get ` **Provisioning BitLocker with two protectors** -Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: +Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user first adds the protectors through the following command: `manage-bde -protectors -add C: -pw -sid ` -This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. +This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. ### Data volume -Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume. +Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend adding at least one primary protector and a recovery protector to a data volume. **Enabling BitLocker with a password**