From d90ed66543aaede0156b90493a134ca3583ad128 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Apr 2018 11:36:55 -0700 Subject: [PATCH 01/29] split requirements faq --- .../bitlocker-frequently-asked-questions.md | 56 +-------------- ...bitlocker-overview-and-requirements-faq.md | 70 +++++++++++++++++++ 2 files changed, 72 insertions(+), 54 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index b56af7542a..63b40b694c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 10/16/2017 +ms.date: 04/03/2018 --- # BitLocker frequently asked questions (FAQ) @@ -20,7 +20,7 @@ This topic for the IT professional answers frequently asked questions concerning BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. -- [Overview and requirements](#bkmk-overview) +- [Overview and requirements](bitlocker-overview-and-requirements-faq.md) - [Upgrading](#bkmk-upgrading) - [Deployment and administration](#bkmk-deploy) - [Key management](#bkmk-keymanagement) @@ -30,59 +30,7 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [BitLocker Network Unlock](#bkmk-bnusect) - [Other questions](#bkmk-other) -## Overview and requirements -### How does BitLocker work? - -**How BitLocker works with operating system drives** - -You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. - -**How BitLocker works with fixed and removable data drives** - -You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. - -### Does BitLocker support multifactor authentication? - -Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. - -### What are the BitLocker hardware and software requirements? - -For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements). - -> **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. -  -### Why are two partitions required? Why does the system drive have to be so large? - -Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. - -### Which Trusted Platform Modules (TPMs) does BitLocker support? - -BitLocker supports TPM version 1.2 or higher. - -### How can I tell if a TPM is on my computer? - -Open the TPM MMC console (tpm.msc) and look under the **Status** heading. - -### Can I use BitLocker on an operating system drive without a TPM? - -Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. -To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. - -### How do I obtain BIOS support for the TPM on my computer? - -Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: - -- It is compliant with the TCG standards for a client computer. -- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - -### What credentials are required to use BitLocker? - -To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. - -### What is the recommended boot order for computers that are going to be BitLocker-protected? - -You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  ## Upgrading diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md new file mode 100644 index 0000000000..71e1fdb876 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -0,0 +1,70 @@ +--- +title: BitLocker overview and requirements FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker overview and requirements FAQ + +**Applies to** +- Windows 10 + +## How does BitLocker work? + +**How BitLocker works with operating system drives** + +You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + +**How BitLocker works with fixed and removable data drives** + +You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + +## Does BitLocker support multifactor authentication? + +Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + +## What are the BitLocker hardware and software requirements? + +For requirements, see [System requirements](bitlocker-overview.md#system-requirements). + +> [!NOTE]   +> Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. +  +## Why are two partitions required? Why does the system drive have to be so large? + +Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. + +## Which Trusted Platform Modules (TPMs) does BitLocker support? + +BitLocker supports TPM version 1.2 or higher. + +## How can I tell if a TPM is on my computer? + +Open the TPM MMC console (tpm.msc) and look under the **Status** heading. + +## Can I use BitLocker on an operating system drive without a TPM? + +Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. +To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + +## How do I obtain BIOS support for the TPM on my computer? + +Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: + +- It is compliant with the TCG standards for a client computer. +- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. + +## What credentials are required to use BitLocker? + +To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. + +## What is the recommended boot order for computers that are going to be BitLocker-protected? + +You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  \ No newline at end of file From 4317cf9976e631e4c5d74664788e25c608c703ea Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Apr 2018 11:50:27 -0700 Subject: [PATCH 02/29] split upgrade FAQ --- .../bitlocker/bitlocker-upgrading-faq.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md new file mode 100644 index 0000000000..55f1188cda --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -0,0 +1,40 @@ +--- +title: BitLocker Upgrading FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker Upgrading FAQ + +**Applies to** +- Windows 10 + +## Can I upgrade to Windows 10 with BitLocker enabled? + +Yes. + +## What is the difference between suspending and decrypting BitLocker? + +**Decrypt** completely removes BitLocker protection and fully decrypts the drive. + +**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. + +## Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? + +No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). +Users need to suspend BitLocker for Non-Microsoft software updates, such as: + +- Computer manufacturer firmware updates +- TPM firmware updates +- Non-Microsoft application updates that modify boot components + +> [!NOTE]   +> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. +  From 24fae1c96eed5977bb4e78da6c493f6d770ddba0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Apr 2018 12:38:39 -0700 Subject: [PATCH 03/29] split key mgmt FAQ --- ...ocker-deployment-and-administration-faq.md | 86 ++++++++ .../bitlocker-frequently-asked-questions.md | 191 +----------------- .../bitlocker/bitlocker-key-management-faq.md | 112 ++++++++++ 3 files changed, 200 insertions(+), 189 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md create mode 100644 windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md new file mode 100644 index 0000000000..9d12f4246d --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -0,0 +1,86 @@ +--- +title: BitLocker frequently asked questions (FAQ) (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker Deployment and Administration FAQ + +**Applies to** +- Windows 10 + +## Can BitLocker deployment be automated in an enterprise environment? + +Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps). + +## Can BitLocker encrypt more than just the operating system drive? + +Yes. + +## Is there a noticeable performance impact when BitLocker is enabled on a computer? + +Generally it imposes a single-digit percentage performance overhead. + +## How long will initial encryption take when BitLocker is turned on? + +Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. + +You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + +## What happens if the computer is turned off during encryption or decryption? + +If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + +## Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? + +No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + +## How can I prevent users on a network from storing data on an unencrypted drive? + +You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + +## What system changes would cause the integrity check on my operating system drive to fail? + +The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: + +- Moving the BitLocker-protected drive into a new computer. +- Installing a new motherboard with a new TPM. +- Turning off, disabling, or clearing the TPM. +- Changing any boot configuration settings. +- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + +## What causes BitLocker to start into recovery mode when attempting to start the operating system drive? + +Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. +For example: + +- Changing the BIOS boot order to boot another drive in advance of the hard drive. +- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. +- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. + +In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. +The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + +## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? + +Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + +## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? + +Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + +## Why is "Turn BitLocker on" not available when I right-click a drive? +Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + +## What type of disk configurations are supported by BitLocker? +Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. + + diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 63b40b694c..0f59f82df1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -21,8 +21,8 @@ This topic for the IT professional answers frequently asked questions concerning BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. - [Overview and requirements](bitlocker-overview-and-requirements-faq.md) -- [Upgrading](#bkmk-upgrading) -- [Deployment and administration](#bkmk-deploy) +- [Upgrading](bitlocker-upgrading-faq.md) +- [Deployment and administration](bitlocker-deployment-and-administration-faq.md) - [Key management](#bkmk-keymanagement) - [BitLocker To Go](#bkmk-btgsect) - [Active Directory Domain Services (AD DS)](#bkmk-adds) @@ -32,193 +32,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com -## Upgrading - -### Can I upgrade to Windows 10 with BitLocker enabled? - -Yes. - -### What is the difference between suspending and decrypting BitLocker? - -**Decrypt** completely removes BitLocker protection and fully decrypts the drive. - -**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. - -### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? - -No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). -Users need to suspend BitLocker for Non-Microsoft software updates, such as: - -- Computer manufacturer firmware updates -- TPM firmware updates -- Non-Microsoft application updates that modify boot components - -> **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. -  -## Deployment and administration - -### Can BitLocker deployment be automated in an enterprise environment? - -Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](https://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). - -### Can BitLocker encrypt more than just the operating system drive? - -Yes. - -### Is there a noticeable performance impact when BitLocker is enabled on a computer? - -Generally it imposes a single-digit percentage performance overhead. - -### How long will initial encryption take when BitLocker is turned on? - -Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. - -You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. - -### What happens if the computer is turned off during encryption or decryption? - -If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. - -### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? - -No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. - -### How can I prevent users on a network from storing data on an unencrypted drive? - -You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. - -### What system changes would cause the integrity check on my operating system drive to fail? - -The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: - -- Moving the BitLocker-protected drive into a new computer. -- Installing a new motherboard with a new TPM. -- Turning off, disabling, or clearing the TPM. -- Changing any boot configuration settings. -- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - -### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? - -Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. -For example: - -- Changing the BIOS boot order to boot another drive in advance of the hard drive. -- Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards. -- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - -In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. -The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. - -### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? - -Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. - -### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? - -Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. - -### Why is "Turn BitLocker on" not available when I right-click a drive? -Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. - -### What type of disk configurations are supported by BitLocker? -Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. - -## Key management - -### What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? - -For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). - -### How can the recovery password and recovery key be stored? - -The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. - -For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. - -A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. - -### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? - -You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: - -`manage-bde –protectors –delete %systemdrive% -type tpm` - -`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>` - - -### When should an additional method of authentication be considered? - -New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. -For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. - -### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? - -BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. - ->**Important:**  Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. -  -### Can the USB flash drive that is used as the startup key also be used to store the recovery key? - -While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. - -### Can I save the startup key on multiple USB flash drives? - -Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. - -### Can I save multiple (different) startup keys on the same USB flash drive? - -Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. - -### Can I generate multiple (different) startup keys for the same computer? - -You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. - -### Can I generate multiple PIN combinations? - -You cannot generate multiple PIN combinations. - -### What encryption keys are used in BitLocker? How do they work together? - -Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. - -### Where are the encryption keys stored? - -The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. - -This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. - -### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? - -The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. - -When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. - -### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? - -It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. - -The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. -After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. - -### How can I determine the manufacturer of my TPM? - -You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. - -### How can I evaluate a TPM's dictionary attack mitigation mechanism? - -The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: - -- How many failed authorization attempts can occur before lockout? -- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? -- What actions can cause the failure count and lockout duration to be decreased or reset? - -### Can PIN length and complexity be managed with Group Policy? - -Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. - -For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - ## BitLocker To Go BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md new file mode 100644 index 0000000000..a46414f9a7 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -0,0 +1,112 @@ +--- +title: BitLocker Key Management FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker Key Management FAQ + +**Applies to** +- Windows 10 + +## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? + +For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). + +## How can the recovery password and recovery key be stored? + +The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + +For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + +A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + +## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? + +You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: + +manage-bde –protectors –delete %systemdrive% -type tpm + +manage-bde –protectors –add %systemdrive% -tpmandpin 4-20 digit numeric PIN + + +## When should an additional method of authentication be considered? + +New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. +For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. + +## If I lose my recovery information, will the BitLocker-protected data be unrecoverable? + +BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. + +> [!IMPORTANT]   +> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. +  +## Can the USB flash drive that is used as the startup key also be used to store the recovery key? + +While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + +## Can I save the startup key on multiple USB flash drives? + +Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + +## Can I save multiple (different) startup keys on the same USB flash drive? + +Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + +## Can I generate multiple (different) startup keys for the same computer? + +You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + +## Can I generate multiple PIN combinations? + +You cannot generate multiple PIN combinations. + +## What encryption keys are used in BitLocker? How do they work together? + +Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + +## Where are the encryption keys stored? + +The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. + +This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + +## Why do I have to use the function keys to enter the PIN or the 48-character recovery password? + +The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + +When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. + +## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? + +It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + +The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. +After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + +## How can I determine the manufacturer of my TPM? + +You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**. + +## How can I evaluate a TPM's dictionary attack mitigation mechanism? + +The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + +- How many failed authorization attempts can occur before lockout? +- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? +- What actions can cause the failure count and lockout duration to be decreased or reset? + +## Can PIN length and complexity be managed with Group Policy? + +Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + From 4fa90e58fab297926d16c021c3d13313ab1f1d4c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Apr 2018 15:50:27 -0700 Subject: [PATCH 04/29] split FAQ --- .../bitlocker/bitlocker-and-adds-faq.md | 50 +++++++++++++++++++ ...r-device-encryption-overview-windows-10.md | 11 ++-- .../bitlocker-frequently-asked-questions.md | 36 ------------- .../bitlocker/bitlocker-to-go-faq.md | 25 ++++++++++ 4 files changed, 78 insertions(+), 44 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md create mode 100644 windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md new file mode 100644 index 0000000000..892b96b9d0 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -0,0 +1,50 @@ +--- +title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker and Active Directory Domain Services (AD DS) FAQ + +**Applies to** +- Windows 10 + + +## What if BitLocker is enabled on a computer before the computer has joined the domain? + +If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. + +> [!IMPORTANT]   +> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). +  +## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? + +Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. + +Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. + +## If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + +No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + +## What happens if the backup initially fails? Will BitLocker retry the backup? + +If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. + +When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + +For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + +When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored. + diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index bb2ff3ed96..13a5587141 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -31,14 +31,9 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | | There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | -| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. | +| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. | | BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. | -| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | - -The sections that follow describe these improvements in more detail. Also see: - -- Additional description of improvements in BitLocker: see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." -- Introduction and requirements for BitLocker: see [BitLocker](bitlocker-overview.md). +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | ## Prepare for drive and file encryption @@ -81,7 +76,7 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry ## Used Disk Space Only encryption -BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused. +BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused. But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk. diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 0f59f82df1..f67a251bc7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -32,42 +32,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com -## BitLocker To Go - -BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. - -## Active Directory Domain Services (AD DS) - -### What if BitLocker is enabled on a computer before the computer has joined the domain? - -If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. - -For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - -The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. - ->**Important:**  Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). -  -### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? - -Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. - -Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. - -### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? - -No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. - -### What happens if the backup initially fails? Will BitLocker retry the backup? - -If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. - -When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. - -For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - -When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored. - ## Security ### What form of encryption does BitLocker use? Is it configurable? diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md new file mode 100644 index 0000000000..e640b3d3e0 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -0,0 +1,25 @@ +--- +title: BitLocker To Go FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker To Go FAQ + +**Applies to** +- Windows 10 + +## What is BitLocker To Go? + +BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. + +## What is Used Disk Space Only encryption? + +BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). \ No newline at end of file From 40e10e077101b3f933b0311d97b9852b54ac0c39 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 3 Apr 2018 17:06:51 -0700 Subject: [PATCH 05/29] split FAQ --- .../bitlocker-frequently-asked-questions.md | 33 ---------------- .../bitlocker/bitlocker-network-unlock-faq.md | 30 +++++++++++++++ .../bitlocker/bitlocker-security-faq.md | 38 +++++++++++++++++++ 3 files changed, 68 insertions(+), 33 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md create mode 100644 windows/security/information-protection/bitlocker/bitlocker-security-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index f67a251bc7..3f6b435e5d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -32,39 +32,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com -## Security - -### What form of encryption does BitLocker use? Is it configurable? - -BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. - -### What is the best practice for using BitLocker on an operating system drive? - -The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. - -### What are the implications of using the sleep or hibernate power management options? - -BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. - -### What are the advantages of a TPM? - -Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. - ->**Note:**  Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. -  -## BitLocker Network Unlock - -BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. - -To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. - -BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. - -Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is -not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. - -For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). - ## Other questions ### Can I run a kernel debugger with BitLocker? diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md new file mode 100644 index 0000000000..d4169a8450 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md @@ -0,0 +1,30 @@ +--- +title: BitLocker frequently asked questions (FAQ) (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker Network Unlock FAQ + +**Applies to** +- Windows 10 + +BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. + +To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + +BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. + +Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is +not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + +For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + + diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md new file mode 100644 index 0000000000..122fcce059 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -0,0 +1,38 @@ +--- +title: BitLocker Security FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# BitLocker Security FAQ + +**Applies to** +- Windows 10 + + +## What form of encryption does BitLocker use? Is it configurable? + +BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. + +## What is the best practice for using BitLocker on an operating system drive? + +The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + +## What are the implications of using the sleep or hibernate power management options? + +BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. + +## What are the advantages of a TPM? + +Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. + +> [!NOTE]   +> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. +  From e71bfcb0845cc14b0259cd128c156d1ab068c958 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 4 Apr 2018 13:05:15 -0700 Subject: [PATCH 06/29] split FAQ --- .../bitlocker-frequently-asked-questions.md | 88 ++---------------- ...bitlocker-using-with-other-programs-faq.md | 91 +++++++++++++++++++ 2 files changed, 98 insertions(+), 81 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 3f6b435e5d..d3ba3c69d7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -23,89 +23,15 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Overview and requirements](bitlocker-overview-and-requirements-faq.md) - [Upgrading](bitlocker-upgrading-faq.md) - [Deployment and administration](bitlocker-deployment-and-administration-faq.md) -- [Key management](#bkmk-keymanagement) -- [BitLocker To Go](#bkmk-btgsect) -- [Active Directory Domain Services (AD DS)](#bkmk-adds) -- [Security](#bkmk-security) -- [BitLocker Network Unlock](#bkmk-bnusect) -- [Other questions](#bkmk-other) +- [Key management](bitlocker-key-management-faq.md) +- [BitLocker To Go](bitlocker-to-go-faq.md) +- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md +- [Security](bitlocker-security-faq.md) +- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) +- [Using BitLocker with other programs](bitlocker-using-with-other-programs-faq.md) -## Other questions - -### Can I run a kernel debugger with BitLocker? - -Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. - -### How does BitLocker handle memory dumps? - -BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. - -### Can BitLocker support smart cards for pre-boot authentication? - -BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. - -### Can I use a non-Microsoft TPM driver? - -Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. - -### Can other tools that manage or modify the master boot record work with BitLocker? - -We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. - -### Why is the system check failing when I am encrypting my operating system drive? - -The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: - -- The computer's BIOS or UEFI firmware cannot read USB flash drives. -- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. -- There are multiple USB flash drives inserted into the computer. -- The PIN was not entered correctly. -- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. -- The startup key was removed before the computer finished rebooting. -- The TPM has malfunctioned and fails to unseal the keys. - -### What can I do if the recovery key on my USB flash drive cannot be read? - -Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. - -### Why am I unable to save my recovery key to my USB flash drive? - -The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. - -### Why am I unable to automatically unlock my drive? - -Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. - -### Can I use BitLocker in Safe Mode? - -Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. - -### How do I "lock" a data drive? - -Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. - ->**Note:**  Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. -  -The syntax of this command is: - -`manage-bde -lock` - -Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. - -### Can I use BitLocker with the Volume Shadow Copy Service? - -Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. - -### Does BitLocker support virtual hard disks (VHDs)? - -BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. - -### Can I use BitLocker with virtual machines (VMs)? - -Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. - ## More information @@ -116,4 +42,4 @@ Yes. Password protectors and virtual TPMs can be used with BitLocker to protect - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) -- [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d) +- [BitLocker Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/bitlocker/index?view=win10-ps) diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md new file mode 100644 index 0000000000..b1a964494e --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -0,0 +1,91 @@ +--- +title: Using BitLocker with other programs FAQ (Windows 10) +description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. +ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.date: 04/03/2018 +--- + +# Using BitLocker with other programs FAQ + +**Applies to** +- Windows 10 + +## Can I run a kernel debugger with BitLocker? + +Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + +## How does BitLocker handle memory dumps? + +BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. + +## Can BitLocker support smart cards for pre-boot authentication? + +BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. + +## Can I use a non-Microsoft TPM driver? + +Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + +## Can other tools that manage or modify the master boot record work with BitLocker? + +We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. + +## Why is the system check failing when I am encrypting my operating system drive? + +The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + +- The computer's BIOS or UEFI firmware cannot read USB flash drives. +- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. +- There are multiple USB flash drives inserted into the computer. +- The PIN was not entered correctly. +- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. +- The startup key was removed before the computer finished rebooting. +- The TPM has malfunctioned and fails to unseal the keys. + +## What can I do if the recovery key on my USB flash drive cannot be read? + +Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + +## Why am I unable to save my recovery key to my USB flash drive? + +The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + +## Why am I unable to automatically unlock my drive? + +Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + +## Can I use BitLocker in Safe Mode? + +Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + +## How do I "lock" a data drive? + +Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. + +> [!NOTE]   +> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. +  +The syntax of this command is: + +manage-bde driveletter -lock + +Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. + +## Can I use BitLocker with the Volume Shadow Copy Service? + +Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + +## Does BitLocker support virtual hard disks (VHDs)? + +BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. + +## Can I use BitLocker with virtual machines (VMs)? + +Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. + From 6354344892800b1acd42b73df4e799cd7a7f809d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 4 Apr 2018 13:07:57 -0700 Subject: [PATCH 07/29] split FAQ --- .../bitlocker/bitlocker-frequently-asked-questions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index d3ba3c69d7..52e757b6c5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -25,7 +25,7 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Deployment and administration](bitlocker-deployment-and-administration-faq.md) - [Key management](bitlocker-key-management-faq.md) - [BitLocker To Go](bitlocker-to-go-faq.md) -- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md +- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md) - [Security](bitlocker-security-faq.md) - [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) - [Using BitLocker with other programs](bitlocker-using-with-other-programs-faq.md) From d11704c77ee7847d8038e0f1ee88318e4c1fbfce Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 4 Apr 2018 15:13:36 -0700 Subject: [PATCH 08/29] added toc entries --- windows/security/information-protection/TOC.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index ab9300961a..b42aabd44f 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -3,6 +3,15 @@ ## [BitLocker](bitlocker\bitlocker-overview.md) ### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) ### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md) +#### [Overview and requirements](bitlocker-overview-and-requirements-faq.md) +#### [Upgrading](bitlocker-upgrading-faq.md) +#### [Deployment and administration](bitlocker-deployment-and-administration-faq.md) +#### [Key management](bitlocker-key-management-faq.md) +#### [BitLocker To Go](bitlocker-to-go-faq.md) +#### [Active Directory Domain Services](bitlocker-and-adds-faq.md) +#### [Security](bitlocker-security-faq.md) +#### [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) +#### [General](bitlocker-using-with-other-programs-faq.md) ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) From 8df16f5562b35acce7ad64e9e6b1f2ffa745112d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 4 Apr 2018 15:15:25 -0700 Subject: [PATCH 09/29] added toc entries --- .../bitlocker/bitlocker-frequently-asked-questions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 52e757b6c5..0ea875725d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -28,7 +28,7 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md) - [Security](bitlocker-security-faq.md) - [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) -- [Using BitLocker with other programs](bitlocker-using-with-other-programs-faq.md) +- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md) From ada598600b39dea40ddb76bbf0f7ce0f86732731 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 4 Apr 2018 17:05:03 -0700 Subject: [PATCH 10/29] fixed toc --- windows/security/information-protection/TOC.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index b42aabd44f..aa050873f5 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -3,15 +3,15 @@ ## [BitLocker](bitlocker\bitlocker-overview.md) ### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md) ### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md) -#### [Overview and requirements](bitlocker-overview-and-requirements-faq.md) -#### [Upgrading](bitlocker-upgrading-faq.md) -#### [Deployment and administration](bitlocker-deployment-and-administration-faq.md) -#### [Key management](bitlocker-key-management-faq.md) -#### [BitLocker To Go](bitlocker-to-go-faq.md) -#### [Active Directory Domain Services](bitlocker-and-adds-faq.md) -#### [Security](bitlocker-security-faq.md) -#### [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) -#### [General](bitlocker-using-with-other-programs-faq.md) +#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md) +#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md) +#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md) +#### [Key management](bitlocker\bitlocker-key-management-faq.md) +#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md) +#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md) +#### [Security](bitlocker\bitlocker-security-faq.md) +#### [BitLocker Network Unlock](bitlocker\bitlocker-network-unlock-faq.md) +#### [General](bitlocker\bitlocker-using-with-other-programs-faq.md) ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) From 88baa752432f91a55296f87c42f17f26e7f98ade Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 5 Apr 2018 09:04:33 -0700 Subject: [PATCH 11/29] revised parent topic --- .../bitlocker/bitlocker-frequently-asked-questions.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 0ea875725d..6e4da85685 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -16,9 +16,7 @@ ms.date: 04/03/2018 **Applies to** - Windows 10 -This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. - -BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. +This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. - [Overview and requirements](bitlocker-overview-and-requirements-faq.md) - [Upgrading](bitlocker-upgrading-faq.md) @@ -31,8 +29,6 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md) - - ## More information - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) From 36cc0fcb2e431fe619562a7b5168ff4d00c07f26 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 5 Apr 2018 09:20:33 -0700 Subject: [PATCH 12/29] added how to check TPM in RS4 --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 71e1fdb876..3461111acd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -11,7 +11,7 @@ author: brianlic-msft ms.date: 04/03/2018 --- -# BitLocker overview and requirements FAQ +# BitLocker Overview and Requirements FAQ **Applies to** - Windows 10 @@ -47,7 +47,7 @@ BitLocker supports TPM version 1.2 or higher. ## How can I tell if a TPM is on my computer? -Open the TPM MMC console (tpm.msc) and look under the **Status** heading. +Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. ## Can I use BitLocker on an operating system drive without a TPM? From 3e8714c2fd85ca5b50e3f25b086557ac59d4e90c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 5 Apr 2018 14:54:57 -0700 Subject: [PATCH 13/29] added italic --- .../bitlocker/bitlocker-key-management-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index a46414f9a7..6766506328 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -30,7 +30,7 @@ A domain administrator can additionally configure Group Policy to automatically ## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? -You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: +You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use: manage-bde –protectors –delete %systemdrive% -type tpm From fcd9a0eb6fb9da32a1eb1da6fa0d29287129ea56 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Apr 2018 10:16:07 -0700 Subject: [PATCH 14/29] copyedits --- .../bitlocker/bitlocker-using-with-other-programs-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index b1a964494e..ca6c64ca9c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -87,5 +87,5 @@ BitLocker is not supported on bootable VHDs, but BitLocker is supported on data ## Can I use BitLocker with virtual machines (VMs)? -Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. +Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. From bf178978bfc1d8ed0c8fe63e331b164e320a394d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Apr 2018 13:43:56 -0700 Subject: [PATCH 15/29] added why PCR7 binding is not possible --- .../bitlocker/bitlocker-deployment-and-administration-faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index 9d12f4246d..2e97a6555d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -69,6 +69,10 @@ For example: In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. +## What can prevent BitLocker from binding to PCR[7]? + +This happens if if a non-Windows OS booted prior to Windows or Secure Boot is not available to the device, either because it has been disabled or the hardware does not suppoprt it. + ## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. From 76b6dacf8b38f266d1e7dddb4e6e4764d09c82ef Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Apr 2018 17:17:36 -0700 Subject: [PATCH 16/29] added edits per Derek --- .../bitlocker-deployment-and-administration-faq.md | 8 ++++++-- .../bitlocker/bitlocker-to-go-faq.md | 3 --- .../bitlocker/bitlocker-using-with-other-programs-faq.md | 4 ++++ 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index 2e97a6555d..0ab9b33596 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -47,6 +47,10 @@ No, BitLocker does not encrypt and decrypt the entire drive when reading and wri You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. +## What is Used Disk Space Only encryption? + +BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). + ## What system changes would cause the integrity check on my operating system drive to fail? The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: @@ -69,9 +73,9 @@ For example: In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. -## What can prevent BitLocker from binding to PCR[7]? +## What can prevent BitLocker from binding to PCR 7? -This happens if if a non-Windows OS booted prior to Windows or Secure Boot is not available to the device, either because it has been disabled or the hardware does not suppoprt it. +This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. ## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index e640b3d3e0..45b5bba76d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -20,6 +20,3 @@ ms.date: 04/03/2018 BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. -## What is Used Disk Space Only encryption? - -BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to beencrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index ca6c64ca9c..d95246d56d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -16,6 +16,10 @@ ms.date: 04/03/2018 **Applies to** - Windows 10 +## Can I use EFS with BitLocker? + +Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. + ## Can I run a kernel debugger with BitLocker? Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. From a71cef22bb131236180df1afd2c1595ebed4d1f6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Apr 2018 18:08:19 -0700 Subject: [PATCH 17/29] added FAQs to adds --- .../bitlocker/bitlocker-and-adds-faq.md | 8 ++++++++ .../bitlocker/bitlocker-key-management-faq.md | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index 892b96b9d0..cf6854a98b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -17,6 +17,14 @@ ms.date: 04/03/2018 - Windows 10 +## What type of information is stored in AD DS? + +Stored information | Description +-------------------|------------ +Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. +BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). +BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde. + ## What if BitLocker is enabled on a computer before the computer has joined the domain? If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 6766506328..a7daabfc34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -16,6 +16,12 @@ ms.date: 04/03/2018 **Applies to** - Windows 10 +## How can I authenticate or unlock my removable data drive? + +You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: + +Manage-bde -protectors -add e: -sid domain\username + ## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). From 8063c94082fcdab143f9b95542916da843f62482 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 30 Apr 2018 13:55:03 -0700 Subject: [PATCH 18/29] update proxy table --- ...ows-defender-advanced-threat-protection.md | 23 ++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index cd4942e214..e5c1e8c72f 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -85,10 +85,27 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -Service location | .Microsoft.com DNS record +**For Windows 10, version 1607 to Windows 10, version 1709**: + +Service location | Microsoft.com DNS record :---|:--- - US |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
+Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com``` +US | ```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe | ```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` +UK | ```uk.vortex-win.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` +AU | ```au.vortex-win.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` + + +**For Windows 10, version 1803**: + +Service location | Microsoft.com DNS record +:---|:--- +Common URLs for all locations |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com``` +US | ```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe | ```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` +UK | ```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` +AU | ```au-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` + If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. From 5752cd6ddc07c4347f57cc26df7d4877ee135506 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 2 May 2018 18:01:19 -0700 Subject: [PATCH 19/29] add note re: window 10 versions for v20 urls --- ...ows-defender-advanced-threat-protection.md | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 2d3414e962..6d713ae8d5 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 05/03/2018 --- @@ -85,26 +85,18 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -**For Windows 10, version 1607 to Windows 10, version 1709**: +>![NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record :---|:--- -Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com``` -US | ```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe | ```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` -UK | ```uk.vortex-win.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` -AU | ```au.vortex-win.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` +Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` +US | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` +UK | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` +AU | ```au.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` -**For Windows 10, version 1803**: - -Service location | Microsoft.com DNS record -:---|:--- -Common URLs for all locations |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com``` -US | ```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe | ```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` -UK | ```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` -AU | ```au-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. From d36f56804ffbc8e58c48f4fa504c8232b19fe22f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 2 May 2018 18:09:44 -0700 Subject: [PATCH 20/29] update section title --- ...r-endpoints-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index d11e0dc92e..4cc97bdde5 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/03/2018 --- # Onboard servers to the Windows Defender ATP service @@ -82,7 +82,7 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | -## Onboard Windows Server 2012 R2 and Windows Server 2016 +## Onboard Windows Server, version 1803 You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. From 805f858fe024f5cabfaacca32d46044e231aec5e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 2 May 2018 18:10:49 -0700 Subject: [PATCH 21/29] update section title --- ...rver-endpoints-windows-defender-advanced-threat-protection.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 4cc97bdde5..9145eb6736 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -84,6 +84,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ## Onboard Windows Server, version 1803 + You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). From d26189cb4e2a479efbc7e09048f6eaed546695c3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 2 May 2018 18:11:15 -0700 Subject: [PATCH 22/29] remove spaces --- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 9145eb6736..e1c5a11e0c 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -83,8 +83,6 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-weu.microsoft.com | 443 | ## Onboard Windows Server, version 1803 - - You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). From aa3a693529d02eebac7f635602c59bbe2f110615 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 11:13:48 -0700 Subject: [PATCH 23/29] update au url --- ...roxy-internet-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 6d713ae8d5..8de9ab0c90 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -94,7 +94,7 @@ Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microso US | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` Europe | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` UK | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` -AU | ```au.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` +AU | ```au.vortex-win.data.microsoft.com```
```au-v20.events.data.microsoft.com```
```winatp-gw-aue.microsoft.com```
```winatp-gw-aus.microsoft.com``` From 0739cacc7d97341554483b40f15bd1bfbdfed063 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 3 May 2018 19:10:31 +0000 Subject: [PATCH 24/29] Merged PR 7785: Update quick fixes article with new features of setupdiag Update quick fixes article with new features of setupdiag --- windows/deployment/upgrade/quick-fixes.md | 8 +++++--- windows/deployment/upgrade/setupdiag.md | 13 +++++++------ 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 97d6d61817..ab92c41519 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 04/18/2018 +ms.date: 05/03/2018 ms.localizationpriority: high --- @@ -22,9 +22,9 @@ ms.localizationpriority: high The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10). -The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. To talk to a person about your issue, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. +The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. -You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can also just download the tool and run it with no advanced options. You must understand how to download and then run the program from an [elevated command prompt](#open-an-elevated-command-prompt). +>You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. ## List of fixes @@ -217,6 +217,8 @@ When you run Disk Cleanup and enable the option to Clean up system files, you ca ### Open an elevated command prompt +>It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. + To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index d72266cc6c..32654c3c19 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -337,12 +337,13 @@ Each rule name and its associated unique rule identifier are listed with a descr ## Release notes 05/02/2018 - SetupDiag v1.1 is released with 34 rules, as a standalone tool available from the Download Center. - - A performance enhancment has been added to result in faster rule processing. - - Rules output now includes links to support articles, if applicable. - - SetupDiag now provides the path and name of files that it is processing. - - You can now run SetupDiag by simply clicking on it and then examining the output log file. - - An output log file is now always created, whether or not a rule was matched. -
03/30/2018 - SetupDiag v1.0 is released with 26 rules, as a standalone tool available from the Download Center. + - A performance enhancment has been added to result in faster rule processing. + - Rules output now includes links to support articles, if applicable. + - SetupDiag now provides the path and name of files that it is processing. + - You can now run SetupDiag by simply clicking on it and then examining the output log file. + - An output log file is now always created, whether or not a rule was matched. + +03/30/2018 - SetupDiag v1.0 is released with 26 rules, as a standalone tool available from the Download Center. ## Related topics From e3e6574af6c59acc33d9e33e54b6d4f3896b211e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 3 May 2018 12:38:35 -0700 Subject: [PATCH 25/29] fixed dates --- .../information-protection/bitlocker/bitlocker-and-adds-faq.md | 2 +- .../bitlocker/bitlocker-deployment-and-administration-faq.md | 2 +- .../bitlocker/bitlocker-frequently-asked-questions.md | 2 +- .../bitlocker/bitlocker-key-management-faq.md | 2 +- .../bitlocker/bitlocker-network-unlock-faq.md | 2 +- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-security-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-to-go-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- .../bitlocker/bitlocker-using-with-other-programs-faq.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index cf6854a98b..cb1363a4e0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker and Active Directory Domain Services (AD DS) FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index 0ab9b33596..a441abbb58 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Deployment and Administration FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index 6e4da85685..85ef97406d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker frequently asked questions (FAQ) diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index a7daabfc34..463761dc4c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Key Management FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md index d4169a8450..e81773fb08 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Network Unlock FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 3461111acd..4ed2e0357c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Overview and Requirements FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md index 122fcce059..db335bddd1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Security FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index 45b5bba76d..97c77d3302 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker To Go FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index 55f1188cda..7384f80699 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # BitLocker Upgrading FAQ diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index d95246d56d..874b4e95dd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: brianlic-msft -ms.date: 04/03/2018 +ms.date: 05/03/2018 --- # Using BitLocker with other programs FAQ From 0a7930cea19fe28796e53e3f867a0bf6bbcb920c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 3 May 2018 13:15:32 -0700 Subject: [PATCH 26/29] added WD DG and AppLocker topic --- .../TOC.md | 1 + ...s-defender-application-control-policies.md | 2 +- .../create-initial-default-policy.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...s-defender-application-control-policies.md | 2 +- ...th-windows-defender-application-control.md | 2 +- ...s-defender-application-control-policies.md | 2 +- .../microsoft-recommended-block-rules.md | 2 +- ...ontrol-for-classic-windows-applications.md | 2 +- ...r-application-control-against-tampering.md | 2 +- ...l-specific-plug-ins-add-ins-and-modules.md | 2 +- ...er-application-control-deployment-guide.md | 2 +- .../windows-defender-application-control.md | 2 +- ...ows-defender-device-guard-and-applocker.md | 22 +++++++++++++++++++ 14 files changed, 35 insertions(+), 12 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 6644912c09..ecceb40ef9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -28,6 +28,7 @@ ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) #### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) +### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index c7ccf71667..550a3cd003 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Audit Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 3c1bd40618..db8a79851b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Create a Windows Defender Application Control policy from a reference computer diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index b81a9aacaa..7cfdf0bd6f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Disable Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 9d87450308..626cd8bf87 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Enforce Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 4437fc78ee..4781de4411 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Manage packaged apps with Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index eb35054956..2104c0f0f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Merge Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index ca85529b51..4f483a970d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Microsoft recommended block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 94fa8ec867..37432f7599 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use code signing to simplify application control for classic Windows applications diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 34188e138e..fab86f6d14 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use signed policies to protect Windows Defender Application Control against tampering diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 7ca42368db..cc64f0b8f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index a4d05d50a0..aff1687457 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Planning and getting started on the Windows Defender Application Control deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 298f03c997..bf04429e9f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md new file mode 100644 index 0000000000..6d001181ca --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md @@ -0,0 +1,22 @@ +--- +title: Windows Defender Device Guard and AppLocker (Windows 10) +description: Explains how +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +author: jsuther1974 +ms.date: 05/03/2018 +--- + +# Windows Defender Device Guard with AppLocker + +Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario. +There are many scenarios in which WDAC would be used alongside AppLocker rules. +As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. + +> [!NOTE] +> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule. + +AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. +In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. From 9dbe5cdaeb1c916202da509795687d523ff71911 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 13:28:30 -0700 Subject: [PATCH 27/29] fix typo, move ca topic --- windows/security/threat-protection/TOC.md | 5 ++++- ...stigations-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 8c87aacd56..35663c5aba 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -95,6 +95,9 @@ ##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md) ##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) + +### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) + ###API and SIEM support #### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) ##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md) @@ -191,7 +194,7 @@ ##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md) ##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) -##### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) + ####Permissions ##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 9c89602bae..6b4dfc59d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/03/2018 --- # Use Automated investigations to investigate and remediate threats @@ -65,7 +65,7 @@ While an investigation is running, any other alert generated from the machine wi If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. ### How threats are remediated -Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automatically remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. From 7fb4e8b8c33b58388f2cbcc5c0646c36821a00f6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 3 May 2018 13:29:48 -0700 Subject: [PATCH 28/29] update toc --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 35663c5aba..a5d9a290c7 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -96,7 +96,7 @@ ##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) -### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) +### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) ###API and SIEM support #### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) From fcbc7f41462895eb6c1a75b742add2fe20d6a463 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 3 May 2018 22:24:19 +0000 Subject: [PATCH 29/29] Merged PR 7809: added dsm item to removed features article --- .../deployment/planning/windows-10-1803-removed-features.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index 4abd1377b7..87631ec626 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: high ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 04/27/2018 +ms.date: 05/03/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 @@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| |**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that you’ll only see mail for work and school organization accounts and some Office 365 accounts.| -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it. +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| ## Features we’re no longer developing @@ -50,3 +50,4 @@ If you have feedback about the proposed replacement of any of these features, yo |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| |[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.| +|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|