From 921a7db2bc0c6374ec8fe85fe43a31cf33a0c177 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 1 Sep 2020 12:09:08 +0530 Subject: [PATCH 1/6] Update bcd-settings-and-bitlocker.md --- .../bitlocker/bcd-settings-and-bitlocker.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 876cf87f79..03ddda7058 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -29,9 +29,10 @@ When protecting data at rest on an operating system volume, during the boot proc ## BitLocker and BCD Settings -In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery. +In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile. +In Windows 8, Windows Server 2012, and subsequent versions, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile—Include that BCD setting in the BCD validation coverage to suit your validation preferences. +If a default BCD setting is found to persistently trigger a recovery for benign changes—Exclude that BCD setting from the validation coverage. ### When secure boot is enabled @@ -43,20 +44,21 @@ One of the benefits of using Secure Boot is that it can correct BCD settings dur To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting. -For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include: +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications, by default. In addition to this default association with a specific set of boot applications (or a specific boot application), BCD settings extend coverage to all boot applications by attaching any of the following prefixes: - winload - winresume - memtest -- all +- all of the above +**Note:** The inclusion of prefix(es) is done when the BCD settings are being entered in the Group Policy setting. All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” -The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event. +The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event. You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”. -Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy. +Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax: @@ -67,13 +69,13 @@ When specifying BCD values in the **Use enhanced Boot Configuration Data validat For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value. -Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the specified Group Policy setting is invalid.   ### Default BCD validation profile -The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems: +The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions: | Hex Value | Prefix | Friendly Name | | - | - | - | From f6c9500400eb5b8bf353c4772d4ee43885d2ba78 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 1 Sep 2020 12:19:42 +0530 Subject: [PATCH 2/6] Update bcd-settings-and-bitlocker.md --- .../bitlocker/bcd-settings-and-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 03ddda7058..ceda6cd84a 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -69,7 +69,7 @@ When specifying BCD values in the **Use enhanced Boot Configuration Data validat For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value. -A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. > **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the specified Group Policy setting is invalid.   From 45a769a21f858b33d4ae4598710b0eae4a0139b3 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Sep 2020 10:56:49 +0530 Subject: [PATCH 3/6] Update bcd-settings-and-bitlocker-4318240 Made changes to terms based on convention and consistency --- .../bitlocker/bcd-settings-and-bitlocker.md | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index ceda6cd84a..842360aa41 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -29,28 +29,27 @@ When protecting data at rest on an operating system volume, during the boot proc ## BitLocker and BCD Settings -In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery mode. +In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and subsequent versions, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile—Include that BCD setting in the BCD validation coverage to suit your validation preferences. -If a default BCD setting is found to persistently trigger a recovery for benign changes—Exclude that BCD setting from the validation coverage. +In Windows 8, Windows Server 2012, and subsequent versions, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. +If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. ### When secure boot is enabled -Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. +Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. -One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system. +One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system. ## Customizing BCD validation settings -To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting. +To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting. -For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications, by default. In addition to this default association with a specific set of boot applications (or a specific boot application), BCD settings extend coverage to all boot applications by attaching any of the following prefixes: +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog: - winload - winresume - memtest - all of the above -**Note:** The inclusion of prefix(es) is done when the BCD settings are being entered in the Group Policy setting. All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” @@ -60,18 +59,18 @@ You can quickly obtain the friendly name for the BCD settings on your computer b Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. -When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax: +When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax: - Prefix the setting with the boot application prefix - Append a colon ‘:’ - Append either the hex value or the friendly name - If entering more than one BCD setting, you will need to enter each BCD setting on a new line -For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value. +For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value. A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the specified Group Policy setting is invalid. +> **Note:**  Take care when configuring BCD entries in the group policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the specified group policy setting is invalid.   ### Default BCD validation profile @@ -107,7 +106,7 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings -This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. +The following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. > **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | From e09888e69a905743a2fd017d5ef61688672082ef Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Sep 2020 17:14:28 +0530 Subject: [PATCH 4/6] Update bcd-settings-and-bitlocker.md --- .../bitlocker/bcd-settings-and-bitlocker.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 842360aa41..c8dcba43f2 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -25,13 +25,13 @@ ms.custom: bitlocker This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. -When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. +When protecting data at rest on an operating system volume, during the boot process, BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. ## BitLocker and BCD Settings In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and subsequent versions, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. +In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. ### When secure boot is enabled From 1f3800ffb76a1079b4c2d6c16cd95fe7ce25b88e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 7 Sep 2020 17:32:51 +0530 Subject: [PATCH 5/6] Update bcd-settings-and-bitlocker.md --- .../bitlocker/bcd-settings-and-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index c8dcba43f2..58b43c969a 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. +This topic describes the Boot Configuration Data (BCD) settings that are used by BitLocker. When protecting data at rest on an operating system volume, during the boot process, BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. From 139d1f326faa90f45ae8a46ccffa9a65f500c56b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 14:51:02 +0530 Subject: [PATCH 6/6] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|