From d7f6f57bfe8d3f64037fa57a3ba3dd1eae299f71 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 20 May 2016 16:50:15 -0700 Subject: [PATCH] fixing spacing issues --- .../keep-secure/bitlocker-countermeasures.md | 60 ++- .../bitlocker-frequently-asked-questions.md | 202 +++++++- .../bitlocker-group-policy-settings.md | 436 ++++++++++++++---- ...tlocker-how-to-deploy-on-windows-server.md | 53 ++- .../bitlocker-how-to-enable-network-unlock.md | 176 +++++-- windows/keep-secure/bitlocker-overview.md | 111 ++--- .../bitlocker-recovery-guide-plan.md | 176 +++++-- 7 files changed, 943 insertions(+), 271 deletions(-) diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 4f52324123..687bf6047b 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -2,87 +2,137 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # BitLocker Countermeasures + **Applies to** - Windows 10 + Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: + - **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. - **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer. 
+ The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. + ### Protection before startup + Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM. + **Trusted Platform Module** + Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. + A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md). + **UEFI and Secure Boot** + No operating system can protect a device when the operating system is offline. 
For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. + The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. + Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. + Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. 
+ ![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) + **Figure 1.** The BIOS and UEFI startup processes -With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. + +With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. +Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. + If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed. + All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot: + - They must have Secure Boot enabled by default. - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). - They must allow the user to configure Secure Boot to trust other signed bootloaders. - Except for Windows RT devices, they must allow the user to completely disable Secure Boot. + These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: -- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. 
The Linux community is using this process to enable Linux to take advantage of Secure Boot on Windows-certified devices. + +- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of +Secure Boot on Windows-certified devices. + - **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however. + To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. + For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx). + ### Protection during pre-boot: Pre-boot authentication + Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. 
In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. + If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. + The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. + On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: + - **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. - **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. 
Data on the encrypted volume cannot be accessed without the startup key. - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. + For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. + Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). + BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. 
Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. + You can mitigate the risk of booting to a malicious operating system: + - **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. - **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. + ### Protection During Startup + During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. + **Trusted Boot** + Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. 
The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. + Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. + **Early Launch Antimalware** + Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. + The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. + With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: + - **Good.** The driver has been signed and has not been tampered with. - **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. 
- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. + While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. + ### Protection After Startup: eliminate DMA availability + Windows InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. + ## See also - [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) - [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index d9dd86cdc9..4d179869fb 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md 
@@ -2,17 +2,22 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker frequently asked questions (FAQ) + **Applies to** - Windows 10 + This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. + BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + - [Overview and requirements](#bkmk-overview) - [Upgrading](#bkmk-upgrading) - [Deployment and administration](#bkmk-deploy) 
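Review bot: In this first bitlocker-frequently-asked-questions.md hunk the only non-blank-line change is moving `ms.pagetype: security` from above `ms.prod: W10` to below `ms.sitesec: library`; if the key order matters to the site build it is worth saying so in the commit message, otherwise it is unrelated noise in a commit titled "fixing spacing issues". The added blank lines around `# BitLocker frequently asked questions (FAQ)` and `**Applies to**` are consistent with the spacing used elsewhere in the file.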
@@ -22,43 +27,75 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Security](#bkmk-security) - [BitLocker Network Unlock](#bkmk-bnusect) - [Other questions](#bkmk-other) + ## Overview and requirements + ### How does BitLocker work? + **How BitLocker works with operating system drives** + You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + **How BitLocker works with fixed and removable data drives** + You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + ### Does BitLocker support multifactor authentication? + Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + ### What are the BitLocker hardware and software requirements? -**Note**   -Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. + +> **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.   
### Why are two partitions required? Why does the system drive have to be so large? + Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. + ### Which Trusted Platform Modules (TPMs) does BitLocker support? + BitLocker supports TPM version 1.2 or higher. + ### How can I tell if a TPM is on my computer? + Open the TPM MMC console (tpm.msc) and look under the **Status** heading. + ### Can I use BitLocker on an operating system drive without a TPM? + Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + ### How do I obtain BIOS support for the TPM on my computer? + Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: + - It is compliant with the TCG standards for a client computer. - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. 
+ ### What credentials are required to use BitLocker? + To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. + ### What is the recommended boot order for computers that are going to be BitLocker-protected? + You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + ## Upgrading + ### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? + Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. + ### What is the difference between suspending and decrypting BitLocker? + **Decrypt** completely removes BitLocker protection and fully decrypts the drive. + **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. 
The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. + ### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? + The following table lists what action you need to take before you perform an upgrade or update installation. + @@ -95,142 +132,253 @@ The following table lists what action you need to take before you perform an upg
  -**Note**   -If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. +> **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.   ## Deployment and administration + ### Can BitLocker deployment be automated in an enterprise environment? + Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). + ### Can BitLocker encrypt more than just the operating system drive? + Yes. + ### Is there a noticeable performance impact when BitLocker is enabled on a computer? + Generally it imposes a single-digit percentage performance overhead. 
+ ### How long will initial encryption take when BitLocker is turned on? + Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. + You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + ### What happens if the computer is turned off during encryption or decryption? + If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + ### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? + No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + ### How can I prevent users on a network from storing data on an unencrypted drive? + You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). 
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + ### What system changes would cause the integrity check on my operating system drive to fail? + The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: + - Moving the BitLocker-protected drive into a new computer. - Installing a new motherboard with a new TPM. - Turning off, disabling, or clearing the TPM. - Changing any boot configuration settings. - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + ### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? + Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + ### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? + Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. 
You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + ### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? + Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + ### Why is "Turn BitLocker on" not available when I right-click a drive? Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + ### What type of disk configurations are supported by BitLocker? Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. + ## Key management + ### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? + There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. + ### How can the recovery password and recovery key be stored? 
+ The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + ### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? + You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: -**manage-bde –protectors –delete %systemdrive% -type tpm** -**manage-bde –protectors –add %systemdrive% -tpmandpin** *<4-20 digit numeric PIN>* + +`manage-bde –protectors –delete %systemdrive% -type tpm` + +`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>` + ### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? + BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. -**Important**   -Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + +>**Important:**  Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.   
### Can the USB flash drive that is used as the startup key also be used to store the recovery key? + While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + ### Can I save the startup key on multiple USB flash drives? + Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + ### Can I save multiple (different) startup keys on the same USB flash drive? + Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + ### Can I generate multiple (different) startup keys for the same computer? + You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + ### Can I generate multiple PIN combinations? + You cannot generate multiple PIN combinations. + ### What encryption keys are used in BitLocker? How do they work together? + Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + ### Where are the encryption keys stored? + The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. 
If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. + This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + ### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? + The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. + ### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? + It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. 
Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + ### How can I determine the manufacturer of my TPM? + You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. + ### How can I evaluate a TPM's dictionary attack mitigation mechanism? + The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + - How many failed authorization attempts can occur before lockout? - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - What actions can cause the failure count and lockout duration to be decreased or reset? + ### Can PIN length and complexity be managed with Group Policy? + Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + ## BitLocker To Go + BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. + ## Active Directory Domain Services (AD DS) + ### What if BitLocker is enabled on a computer before the computer has joined the domain? 
+ If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. -**Important**   -Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). + +>**Important:**  Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).   ### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? 
+ Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. + Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. + ### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + ### What happens if the backup initially fails? Will BitLocker retry the backup? + If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. 
+ When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored. + ## Security + ### What form of encryption does BitLocker use? Is it configurable? + BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. + ### What is the best practice for using BitLocker on an operating system drive? 
+ The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + ### What are the implications of using the sleep or hibernate power management options? + BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. + ### What are the advantages of a TPM? + Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. -**Note**   -Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. 
+ +>**Note:**  Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.   ## BitLocker Network Unlock + BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. + To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. -Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + +Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is +not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
+ ## Other questions + ### Can I run a kernel debugger with BitLocker? + Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + ### How does BitLocker handle memory dumps? + BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. + ### Can BitLocker support smart cards for pre-boot authentication? + BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. + ### Can I use a non-Microsoft TPM driver? + Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + ### Can other tools that manage or modify the master boot record work with BitLocker? + We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. 
+ ### Why is the system check failing when I am encrypting my operating system drive? + The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + - The computer's BIOS or UEFI firmware cannot read USB flash drives. - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - There are multiple USB flash drives inserted into the computer. 
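Review bot: the two manage-bde commands that this hunk moves into backticks (`manage-bde –protectors –delete %systemdrive% -type tpm` and `manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`) still carry en-dashes before `protectors`, `delete` and `add`, so anyone who copies them from the rendered page gets switches the tool will not recognise; replace them with plain hyphens (`-protectors -delete`, `-protectors -add`) to match the `-type` and `-tpmandpin` switches on the same lines. While touching these lines: "You can can Group Policy settings" should read "You can use Group Policy settings", "encrypting just the used spaced" should be "used space", and "if it can ot be connected" should be "cannot be connected"; the rewrap of the Network Unlock paragraph also introduces a hard line break mid-sentence ("If the PIN is" / "not available"), which should be rejoined into one line like the surrounding paragraphs. Each `>**Note:**` / `>**Important:**` conversion in this hunk also leaves behind the old line that contains only a non-breaking space after the note; those lines can go along with the old two-line note format.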
@@ -238,27 +386,45 @@ The system check is designed to ensure your computer's BIOS or UEFI firmware is - The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. - The startup key was removed before the computer finished rebooting. - The TPM has malfunctioned and fails to unseal the keys. + ### What can I do if the recovery key on my USB flash drive cannot be read? + Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + ### Why am I unable to save my recovery key to my USB flash drive? + The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + ### Why am I unable to automatically unlock my drive? + Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. 
For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + ### Can I use BitLocker in Safe Mode? + Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + ### How do I "lock" a data drive? + Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. -**Note**   -Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. + +>**Note:**  Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.   The syntax of this command is: -**manage-bde** *<driveletter>* **-lock** + +`manage-bde -lock` + Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. + ### Can I use BitLocker with the Volume Shadow Copy Service? + Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + ### Does BitLocker support virtual hard disks (VHDs)? + BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. 
+ ## More information + - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) @@ -267,5 +433,3 @@ BitLocker is not supported on bootable VHDs, but BitLocker is supported on data - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d) -  -  diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 2179049ec9..77412bda71 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md 
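Review bot: in hunk @@ -238,27 +386,45 @@ of bitlocker-frequently-asked-questions.md, the lock syntax line loses its drive argument: the old `**manage-bde** *<driveletter>* **-lock**` becomes just `manage-bde -lock`, so the documented syntax no longer shows which drive is being locked; restore the placeholder inside the backticks, e.g. `manage-bde -lock <driveletter>`. The `>**Note:**  Ensure all data is saved to the drive before locking it...` conversion in the same hunk again leaves the non-breaking-space-only line behind between the note and "The syntax of this command is:".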
@@ -2,26 +2,36 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker Group Policy settings + **Applies to** - Windows 10 + This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. + To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. -**Note**   -A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](trusted-platform-module-services-group-policy-settings.md). + +>**Note:**  A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](trusted-platform-module-services-group-policy-settings.md).   BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. 
If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. -If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. + +If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group +Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. 
+ ## BitLocker Group Policy settings + The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. + The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. + - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -35,11 +45,15 @@ The following policy settings can be used to determine how a BitLocker-protected - [Configure use of passwords on removable data drives](#bkmk-unlockpol8) - [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) - [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) + The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. + - [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) - [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) - [Control use of BitLocker on removable drives](#bkmk-driveaccess3) + The following policy settings determine the encryption methods and encryption types that are used with BitLocker. + - [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) - [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) - [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) 
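Review bot: in hunk @@ -2,26 +2,36 @@ of bitlocker-group-policy-settings.md, the rewrapped paragraph now splits a sentence across two source lines ("...and then Group" / "Policy settings are changed to disallow passwords..."), breaking the phrase "Group Policy settings" at the line boundary; keep that paragraph on a single line as the rest of the file does. The `>**Note:**  A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM)...` conversion in this hunk also leaves the following non-breaking-space-only line in place, which should be removed together with the old two-line note.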
@@ -47,7 +61,9 @@ The following policy settings determine the encryption methods and encryption ty - [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) - [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) - [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) + The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + - [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) - [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) - [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) @@ -55,7 +71,9 @@ The following policy settings define the recovery methods that can be used to re - [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) - [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) - [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) + The following policies are used to support customized deployment scenarios in your organization. + - [Allow Secure Boot for integrity validation](#bkmk-secboot) - [Provide the unique identifiers for your organization](#bkmk-depopt1) - [Prevent memory overwrite on restart](#bkmk-depopt2) 
@@ -66,8 +84,11 @@ The following policies are used to support customized deployment scenarios in yo - [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) + ### Allow network unlock at startup + This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. + @@ -106,13 +127,17 @@ This policy controls a portion of the behavior of the Network Unlock feature in
  **Reference** + To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. -**Note**   -For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. + +>**Note:**  For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.   For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + ### Require additional authentication at startup + This policy setting is used to control which unlock options are available for operating system drives. + @@ -153,31 +178,43 @@ This policy setting is used to control which unlock options are available for op
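Review bot: the separator between the new `>**Note:**` blockquote and the following "For more information about Network Unlock" paragraph appears to carry a non-breaking space rather than being empty; in CommonMark a line that is not truly blank lets the next paragraph continue the blockquote (lazy continuation), so that paragraph would render inside the note. Please check that the line after each converted callout is genuinely empty; the same pattern recurs in every `>**Note:**`, `>**Important:**` and `>**Warning:**` conversion in this patch.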
  **Reference** + If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive. + On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use: + - only the TPM for authentication - insertion of a USB flash drive containing the startup key - the entry of a 4-digit to 20-digit personal identification number (PIN) - a combination of the PIN and the USB flash drive + There are four options for TPM-enabled computers or devices: + - Configure TPM startup + - Allow TPM - Require TPM - Do not allow TPM - Configure TPM startup PIN + - Allow startup PIN with TPM - Require startup PIN with TPM - Do not allow startup PIN with TPM - Configure TPM startup key + - Allow startup key with TPM - Require startup key with TPM - Do not allow startup key with TPM - Configure TPM startup key and PIN + - Allow TPM startup key with PIN - Require startup key and PIN with TPM - Do not allow TPM startup key with PIN + ### Allow enhanced PINs for startup + This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. + @@ -215,13 +252,17 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
  + **Reference** + Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. -**Important**   -Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. + +>**Important:**  Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.   ### Configure minimum PIN length for startup + This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. + @@ -260,9 +301,13 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
  **Reference** + This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + ### Disallow standard users from changing the PIN or password + This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. + @@ -300,10 +345,15 @@ This policy setting allows you to configure whether standard users are allowed t
  + **Reference** + To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. + ### Configure use of passwords for operating system drives + This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. + @@ -348,19 +398,26 @@ This policy controls how non-TPM based systems utilize the password protector. U
  + **Reference** + If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. 
+ When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: + - Allow password complexity - Do not allow password complexity - Require password complexity + ### Require additional authentication at startup (Windows Server 2008 and Windows Vista) + This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. + @@ -399,21 +456,32 @@ This policy setting is used to control what unlock options are available for com
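Review bot: the unchanged context line "a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password" is missing "of" ("the complexity of the password"); since this hunk already touches the note directly above it, fix it here rather than in a separate pass.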
  **Reference** + On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN. + A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive. + There are two options for TPM-enabled computers or devices: + - Configure TPM startup PIN + - Allow startup PIN with TPM - Require startup PIN with TPM - Do not allow startup PIN with TPM - Configure TPM startup key + - Allow startup key with TPM - Require startup key with TPM - Do not allow startup key with TPM + These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. + To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. + ### Configure use of smart cards on fixed data drives + This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. + @@ -456,11 +524,13 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
  **Reference** -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.   ### Configure use of passwords on fixed data drives + This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. + @@ -503,21 +573,28 @@ This policy setting is used to require, allow, or deny the use of passwords with
  **Reference** + When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. + When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a protector. + When set to **Do not allow complexity**, no password complexity validation is performed. + Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. 
In this situation, the password key protector cannot be added to the drive. + Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. -**Important**   -Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +>**Important:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.   ### Configure use of smart cards on removable data drives + This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. + @@ -560,11 +637,13 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
  **Reference** -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   ### Configure use of passwords on removable data drives + This policy setting is used to require, allow, or deny the use of passwords with removable data drives. + @@ -607,20 +686,28 @@ This policy setting is used to require, allow, or deny the use of passwords with
  **Reference** -If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. + When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. + When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. 
+ When set to **Do not allow complexity**, no password complexity validation will be done. -**Note**   -Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +>**Note:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.   For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852211.aspx). + ### Validate smart card certificate usage rule compliance + This policy setting is used to determine what certificate to use with BitLocker. + @@ -659,14 +746,19 @@ This policy setting is used to determine what certificate to use with BitLocker.
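Review bot: the added lines split one sentence across two source lines ("which is located at" / "**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled"), which no other paragraph in this file does; keep it on one line as the fixed data drives section does. Also, the FIPS callout here is introduced as `>**Note:**` while the identical sentence in the fixed data drives section is `>**Important:**`; pick one label for both. The context line "validate the complexity the password" in this section has the same missing "of" as the operating system drives section.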
  **Reference** + This policy setting is applied when you turn on BitLocker. + The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. + The default object identifier is 1.3.6.1.4.1.311.67.1.1. -**Note**   -BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. + +>**Note:**  BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.   ### Enable use of BitLocker authentication requiring preboot keyboard input on slates + This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. + @@ -705,15 +797,23 @@ This policy setting allows users to enable authentication options that require u
  **Reference** + The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. + It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. + When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + If you do not enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: + - Configure TPM startup PIN: Required and Allowed - Configure TPM startup key and PIN: Required and Allowed - Configure use of passwords for operating system drives + ### Deny write access to fixed drives not protected by BitLocker + This policy setting is used to require encryption of fixed drives prior to granting Write access. + @@ -752,16 +852,23 @@ This policy setting is used to require encryption of fixed drives prior to grant
  **Reference** + This policy setting is applied when you turn on BitLocker. + Conflict considerations include: + 1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. 2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: + - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition is not formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." 3. If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. 
+ ### Deny write access to removable drives not protected by BitLocker + This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. + @@ -800,16 +907,21 @@ This policy setting is used to require that removable drives are encrypted prior
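Review bot: in the numbered conflict list, item 1 ends "See the Reference section for additional conflicts", but this list is already inside the **Reference** section, so the pointer is circular; either drop the sentence or name the specific policy it refers to. Minor: the first sub-bullet of item 2 mixes tenses ("If you attempted to shrink ... the drive size is successfully reduced") while the next begins "If you attempt"; align them while the hunk is open.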
  **Reference** + If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. -**Note**   -You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. + +>**Note:**  You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.   Conflict considerations include: + 1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. 2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. 3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. + ### Control use of BitLocker on removable drives + This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. + @@ -852,13 +964,20 @@ This policy setting is used to prevent users from turning BitLocker on or off on
  **Reference** + This policy setting is applied when you turn on BitLocker. + For information about suspending BitLocker protection, see [BitLocker Basic Deployment](http://technet.microsoft.com/library/dn383581.aspx). + The options for choosing property settings that control how users can configure BitLocker are: + - **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive. - **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. + ### Choose drive encryption method and cipher strength + This policy setting is used to control the encryption method and cipher strength. + @@ -897,14 +1016,18 @@ This policy setting is used to control the encryption method and cipher strength
  **Reference** + By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. -**Warning**   -This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. + +>**Warning:**  This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.   When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script. + ### Configure use of hardware-based encryption for fixed data drives + This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -947,14 +1070,18 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
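Review bot: the Warning being moved into the blockquote says "This policy does not apply to encrypted drives", which reads as though it does not apply to any BitLocker-encrypted drive; the following hardware-based encryption sections make clear it means drives with their own hardware-based encryption, so word it as "drives that use hardware-based encryption" while the line is being rewritten.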
  **Reference** -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Configure use of hardware-based encryption for operating system drives + This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -997,15 +1124,20 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
  **Reference** + If hardware-based encryption is not available, BitLocker software-based encryption is used instead. -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Configure use of hardware-based encryption for removable data drives + This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -1048,15 +1180,20 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
  **Reference** + If hardware-based encryption is not available, BitLocker software-based encryption is used instead. -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Enforce drive encryption type on fixed data drives + This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. + @@ -1095,13 +1232,17 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Enforce drive encryption type on operating system drives + This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. + @@ -1140,13 +1281,17 @@ This policy controls whether operating system drives utilize Full encryption or
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Enforce drive encryption type on removable data drives + This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. + @@ -1185,13 +1330,17 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Choose how BitLocker-protected operating system drives can be recovered + This policy setting is used to configure recovery methods for operating system drives. + @@ -1231,18 +1380,28 @@ This policy setting is used to configure recovery methods for operating system d
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. + For more information about adding data recovery agents, see [BitLocker basic deployment](bitlocker-basic-deployment.md). + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. + +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for +the drive are determined by the policy setting. + In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. 
+ Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.   ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) + This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. + @@ -1281,18 +1440,22 @@ This policy setting is used to configure recovery methods for BitLocker-protecte
  **Reference** + This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. + Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. + Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. -**Important**   -If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. + +>**Important:**  If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. The 48-digit recovery password is not available in FIPS-compliance mode.   -**Important**   -To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. +>**Important:**  To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.   ### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) + This policy setting is used to configure the storage of BitLocker recovery information in AD DS. 
This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. + @@ -1331,17 +1494,27 @@ This policy setting is used to configure the storage of BitLocker recovery infor
  **Reference** + This policy is only applicable to computers running Windows Server 2008 or Windows Vista. + This policy setting is applied when you turn on BitLocker. + BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. + If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. + A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. + If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The Backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. + For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md). 
If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md). + ### Choose default folder for recovery password + This policy setting is used to configure the default folder for recovery passwords. + @@ -1380,12 +1553,15 @@ This policy setting is used to configure the default folder for recovery passwor
  **Reference** + This policy setting is applied when you turn on BitLocker. -**Note**   -This policy setting does not prevent the user from saving the recovery password in another folder. + +>**Note:**  This policy setting does not prevent the user from saving the recovery password in another folder.   ### Choose how BitLocker-protected fixed drives can be recovered + This policy setting is used to configure recovery methods for fixed data drives. + @@ -1425,18 +1601,28 @@ This policy setting is used to configure recovery methods for fixed data drives.
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + +In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. +Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. 
If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + For more information about the BitLocker repair tool, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). + Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.   ### Choose how BitLocker-protected removable drives can be recovered + This policy setting is used to configure recovery methods for removable data drives. + @@ -1476,17 +1662,25 @@ This policy setting is used to configure recovery methods for removable data dri
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor. + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. + Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. + In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.   
### Configure the pre-boot recovery message and URL + This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. + @@ -1525,19 +1719,23 @@ This policy setting is used to configure the entire recovery message and to repl
  **Reference** + Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. + Once you enable the setting you have three options: + - If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. -**Important**   -Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. + +>**Important:**  Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.   -**Important**   -Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. 
To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +>**Important:**  Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.   ### Allow Secure Boot for integrity validation + This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. + @@ -1577,13 +1775,16 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
  **Reference** + Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. -**Warning**   -Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. + +>**Warning:**  Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.   ### Provide the unique identifiers for your organization + This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. + @@ -1622,15 +1823,25 @@ This policy setting is used to establish an identifier that is applied to all dr
  **Reference** + These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. + For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. + You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. + Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. 
+ ### Prevent memory overwrite on restart + This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. + @@ -1669,9 +1880,13 @@ This policy setting is used to control whether the computer's memory will be ove
  **Reference** + This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. + ### Configure TPM platform validation profile for BIOS-based firmware configurations + This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. + @@ -1710,11 +1925,13 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. -**Important**   -This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. + +>**Important:**  This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.   A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) - Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) 
@@ -1722,10 +1939,11 @@ A platform validation profile consists of a set of PCR indices that range from 0 - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) -**Note**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Note:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   The following list identifies all of the PCRs available: + - PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions - PCR 1: Platform and motherboard configuration and data. - PCR 2: Option ROM code @@ -1739,8 +1957,11 @@ The following list identifies all of the PCRs available: - PCR 10: Boot manager - PCR 11: BitLocker access control - PCR 12-23: Reserved for future use + ### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) + This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. + @@ -1779,8 +2000,11 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. + A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) - Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) @@ -1788,10 +2012,11 @@ A platform validation profile consists of a set of PCR indices that range from 0 - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) -**Note**   -The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. + +>**Note:**  The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.   The following list identifies all of the PCRs available: + - PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code - PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration - PCR 2: Option ROM code 
@@ -1805,11 +2030,13 @@ The following list identifies all of the PCRs available: - PCR 10: Boot manager - PCR 11: BitLocker access control - PCR 12 - 23: Reserved for future use -**Warning**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   ### Configure TPM platform validation profile for native UEFI firmware configurations + This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. + @@ -1850,12 +2077,15 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. -**Important**   -This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. + +>**Important:**  This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.   A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). + The following list identifies all of the PCRs available: + - PCR 0: Core System Firmware executable code - PCR 1: Core System Firmware data - PCR 2: Extended or pluggable executable code 
@@ -1864,7 +2094,9 @@ The following list identifies all of the PCRs available: - PCR 5: GPT/Partition Table - PCR 6: Resume from S4 and S5 Power State Events - PCR 7: Secure Boot State + For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic. + - PCR 8: Initialized to 0 with no Extends (reserved for future use) - PCR 9: Initialized to 0 with no Extends (reserved for future use) - PCR 10: Initialized to 0 with no Extends (reserved for future use) @@ -1873,11 +2105,13 @@ The following list identifies all of the PCRs available: - PCR 13: Boot Module Details - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use -**Warning**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   ### Reset platform validation data after BitLocker recovery + This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + @@ -1920,9 +2154,13 @@ This policy setting determines if you want platform validation data to refresh w
  **Reference** + For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). + ### Use enhanced Boot Configuration Data validation profile + This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + @@ -1965,11 +2203,13 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
  **Reference** -**Note**   -The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. + +>**Note:**  The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.   ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows + This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. + @@ -2008,12 +2248,15 @@ This policy setting is used to control whether access to drives is allowed by us
  **Reference** -**Note**   -This policy setting does not apply to drives that are formatted with the NTFS file system. + +>**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system.   When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. + ### Allow access to BitLocker-protected removable data drives from earlier versions of Windows + This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. + @@ -2052,12 +2295,15 @@ This policy setting controls access to removable data drives that are using the
  **Reference** -**Note**   -This policy setting does not apply to drives that are formatted with the NTFS file system. + +>**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system.   When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. + ## FIPS setting + You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. + @@ -2096,28 +2342,44 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
  **Reference** + This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. + You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. + You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. + For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852197.aspx). + ## Power management Group Policy settings: Sleep and Hibernate + PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users are not required to re-authenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. + However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting does not have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. 
+ You can use disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: + - Allow Standby States (S1-S3) When Sleeping (Plugged In) - Allow Standby States (S1-S3) When Sleeping (Battery) + ## About the Platform Configuration Register (PCR) + A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. + Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + **About PCR 7** -PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. + +PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. 
If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This +reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. + PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](http://msdn.microsoft.com/library/windows/hardware/jj923068.aspx). + PCR 7 measurements are a mandatory logo requirement for systems that support InstantGo (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. + ## See also -[Trusted Platform Module](trusted-platform-module-overview.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[BitLocker overview](bitlocker-overview.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -  -  +- [Trusted Platform Module](trusted-platform-module-overview.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker overview](bitlocker-overview.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index 5c66b70012..e7035aa4e8 100644 
--- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,22 +2,31 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: How to deploy on Windows Server 2012 and later + **Applies to** - Windows 10 + This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. + For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. + ## Installing BitLocker + BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. + - To install BitLocker using Server Manager - To install BitLocker using Windows PowerShell + ### To install BitLocker using Server Manager + 1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. 2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** 3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown). 
@@ -25,32 +34,42 @@ BitLocker requires administrator privileges on the server to install. You can in 5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install. 6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. 7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. - **Note**   - The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems. + + > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.   8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete. 9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. 
+ ### To install BitLocker using Windows PowerShell + Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. -**Note**   -You must restart the server to complete the installation of BitLocker. + +>**Note:**  You must restart the server to complete the installation of BitLocker.   ### Using the servermanager module to install BitLocker + The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as: + ``` syntax Get-WindowsFeature Bit ``` The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature. + By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. + ``` syntax Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. 
+ To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: + ``` syntax Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` + The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). + - BitLocker Drive Encryption - BitLocker Drive Encryption Tools - BitLocker Drive Encryption Administration Utilities 
@@ -58,31 +77,39 @@ The result of this command displays the following list of all the administration - AD DS Snap-Ins and Command-Line Tools - AD DS Tools - AD DS and AD LDS Tools + The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: + ``` syntax Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` -**Important**   -Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. + +>**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.   ### Using the dism module to install BitLocker + The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. + ``` syntax Get-WindowsOptionalFeature -Online | ft ``` + From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. + To install BitLocker using the `dism` module, use the following command: + ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` + This command will prompt the user for a reboot. 
The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: + ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information -[BitLocker overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -  -  + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index c74d7c12a8..37e9e8b02d 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
@@ -2,20 +2,27 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: How to enable Network Unlock + **Applies to** - Windows 10 + This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. + Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. + Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. 
+ This topic contains: + - [Network Unlock core requirements](#bkmk-nunlockcorereqs) - [Network Unlock sequence](#bkmk-networkunlockseq) - [Configure Network Unlock](#bkmk-configuringnetworkunlock) @@ -24,8 +31,11 @@ This topic contains: - [Update Network Unlock certificates](#bkmk-updatecerts) - [Troubleshoot Network Unlock](#bkmk-troubleshoot) - [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) + ## Network Unlock core requirements + Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: + - You must be running at least Windows 8 or Windows Server 2012. - Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. - A server running the Windows Deployment Services (WDS) role on any supported server operating system. 
@@ -33,20 +43,31 @@ Network Unlock must meet mandatory hardware and software requirements before the - A DHCP server, separate from the WDS server. - Properly configured public/private key pairing. - Network Unlock Group Policy settings configured. + The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. -**Note**   -To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. + +>**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. + For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.   The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. + Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. 
Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. + The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. + ## Network Unlock sequence + The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. + On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. + The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. 
This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). + ![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png) + **Phases in the Network Unlock process** + 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. 
@@ -56,50 +77,75 @@ The server side configuration to enable Network Unlock also requires provisionin 7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. 8. This combined key is used to create an AES-256 key that unlocks the volume. 9. Windows continues the boot sequence. + ## Configure Network Unlock + The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. + ### Step One: Install the WDS Server role + The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. + To install the role using Windows PowerShell, use the following command: + ``` syntax Install-WindowsFeature WDS-Deployment ``` + You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. + ### Step Two: Confirm the WDS Service is running + To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. + To confirm the service is running using Windows PowerShell, use the following command: + ``` syntax Get-Service WDSServer ``` ### Step Three: Install the Network Unlock feature + To install the Network Unlock feature, use Server Manager or Windows PowerShell. 
To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. + To install the feature using Windows PowerShell, use the following command: + ``` syntax Install-WindowsFeature BitLocker-NetworkUnlock ``` ### Step Four: Create the Network Unlock certificate + Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. + To enroll a certificate from an existing certification authority (CA), do the following: + 1. Open Certificate Manager on the WDS server using **certmgr.msc** 2. Under the Certificates - Current User item, right-click Personal 3. Select All Tasks, then **Request New Certificate** 4. Select **Next** when the Certificate Enrollment wizard opens 5. Select Active Directory Enrollment Policy 6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: + - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" + 7. Create the certificate. Ensure the certificate appears in the Personal folder. 8. Export the public key certificate for Network Unlock + 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **No, do not export the private key**. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + 9. Export the public key with a private key for Network Unlock + 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **Yes, export the private key**. 3. 
Complete the wizard to create the .pfx file. + To create a self-signed certificate, do the following: + 1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf 2. Add the following contents to the previously created file: + ``` syntax [NewRequest] Subject="CN=BitLocker Network Unlock certificate" 
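Review bot: the spacing fix is applied unevenly in this hunk: a blank line is added before most `###` headings, but none before "### Step Three: Install the Network Unlock feature" or "### Step Four: Create the Network Unlock certificate", both of which still sit directly after a closing fence. While touching the Step One paragraph, also fix two typos on those lines: "Active Directory Doman Services" should read "Domain", and "You can do using the WDS management tool" is missing "this".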
@@ -117,46 +163,63 @@ To create a self-signed certificate, do the following: 2.5.29.37 = "{text}" _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` + 3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: + ``` syntax certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` + 4. Verify the previous command properly created the certificate by confirming the .cer file exists 5. Launch the Certificate Manager by running **certmgr.msc** 6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. + ### Step Five: Deploy the private key and certificate to the WDS server + With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: + 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. 2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. + ### Step Six: Configure Group Policy settings for Network Unlock + With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. 
Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. + 1. Open Group Policy Management Console (gpmc.msc) 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + The following steps describe how to deploy the required Group Policy setting: -**Note**   -The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. + +>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.   1. Copy the .cer file created for Network Unlock to the domain controller 2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 4. Deploy the public certificate to clients + 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate** 3. Follow the wizard steps and import the .cer file that was copied earlier. -**Note**   -Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. 
The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + +>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.   ### Step Seven: Require TPM+PIN protectors at startup + An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: + 1. Open Group Policy Management Console (gpmc.msc) 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + ### Create the certificate template for Network Unlock + The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. + 1. Open the Certificates Template snap-in (certtmpl.msc). 2. Locate the User template. Right-click the template name and select **Duplicate Template** 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 
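Review bot: in Step Six, the list under "The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock." (open gpmc.msc, enable "Require additional authentication at startup" with "Require startup PIN with TPM", turn on BitLocker with TPM+PIN) is a verbatim copy of the Step Seven list and does not enable the Network Unlock setting at all; either drop it here or replace it with the steps that enable "Allow network unlock at startup", which the second list in this section already covers. Two smaller points on lines this hunk touches: "Windows 8respectively" is missing a space, and each converted `>**Note:**` blockquote is still followed by the stray non-breaking-space line left over from the old "**Note**" format, which should go now that the note is a blockquote.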
@@ -170,104 +233,129 @@ The following steps detail how to create a certificate template for use with Bit 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. 12. On the **Edit Application Policies Extension** dialog box, select **Add**. 13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: + - **Name:** **BitLocker Network Unlock** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + 14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 17. Select **OK** to complete configuration of the template. + To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. + After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. + ### Subnet policy configuration files on WDS Server (Optional) + By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. 
A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. + The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. + The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. -``` syntax - [SUBNETS] -SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon -SUBNET2=10.185.252.200/28 -SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet -SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. -``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. -**Note**   -When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. -  -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. 
If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. -``` syntax - [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] -;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. -;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. -SUBNET1 -;SUBNET2 -SUBNET3 -``` + + [SUBNETS] + SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon + SUBNET2=10.185.252.200/28 + SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet + SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. + ``` + Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. + + >**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. 
+   + Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. + Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. + [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] + ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. + ;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. + SUBNET1 + ;SUBNET2 + SUBNET3 + To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". + ### Turning off Network Unlock + To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. 
Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. -**Note**   -Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. + +>**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.   ### Update Network Unlock certificates + To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. + ## Troubleshoot Network Unlock + Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: + - Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started - Public and private certificates have been published and are in the proper certificate containers. 
The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. - Group policy for Network Unlock is enabled and linked to the appropriate domains - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: + ``` syntax Manage-bde –protectors –get C: ``` -**Note**   -Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock +>**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock   Files to gather when troubleshooting BitLocker Network Unlock include: + 1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log + Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. + 1. Start an elevated command prompt and run the following command: + ``` syntax wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` 2. Open Event Viewer on the WDS server. + In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. 
+ In the right pane, click **Enable Log**. + 2. The DHCP subnet configuration file (if one exists). 3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell 4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address + ## Configure Network Unlock Group Policy settings on earlier versions + Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. **Requirements** + - The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. - Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + The following steps can be used to configure Network Unlock on these older systems. + 1. [Step One: Install the WDS Server role](#bkmk-stepone) 2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) 3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) 4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) 5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 6. **Step Six: Configure registry settings for Network Unlock** + Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. 
- ``` syntax - certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f - ``` + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f + 7. [Create the Network Unlock certificate](#bkmk-stepfour) 8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) 10. [Require TPM+PIN protectors at startup](#bkmk-stepseven) + ## See also + - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -  -  
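Review bot: the subnet policy example loses its opening fence but keeps the closing one: the removed block "``` syntax / [SUBNETS] / ... / ```" is re-added as indented lines that end in a lone "+ ```" after the SUBNET4 line, so that stray fence opens a code block that swallows the "Following the [SUBNETS] section..." paragraph and everything after it. Either delete that line or restore both fences; the thumbprint-section example a few lines later is indented with no fence at all, so the two examples should at least get the same treatment. Other issues on touched lines: the troubleshooting command "Manage-bde –protectors –get C:" uses en dashes rather than hyphens, so it fails if copied and pasted; "lcoal computer" in the same sentence is a typo; "is on firmware version is 2.3.1" in the UEFI bullet has a duplicated "is"; and the turn-off note refers to the "FVENKP certificate store" while the certutil line later in this hunk uses the store name FVE_NKP, so the note should use the same name.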
diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 66039b8143..897f3dd747 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
@@ -2,103 +2,78 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker + **Applies to** - Windows 10 + This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. + ## + BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. + +BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been +tampered with while the system was offline. + On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. 
+ In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + ## Practical applications + Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. + There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. + - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. -- **BitLocker Drive Encryption Tools**. 
BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. + +- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the +BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. + ## New and changed functionality + To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md)   ## System requirements + BitLocker has the following hardware requirements: + For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. + A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. 
+ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. + The hard disk must be partitioned with at least two drives: + - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. + When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. + When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

This topic for the IT professional explains how can you plan your BitLocker deployment.

[BitLocker basic deployment](bitlocker-basic-deployment.md)

This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.

[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)

This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.

[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.

[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)

This topic for the IT professional describes how to use tools to manage BitLocker.

[BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)

This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.

[BitLocker Group Policy settings](bitlocker-group-policy-settings.md)

This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.

[BCD settings and BitLocker](bcd-settings-and-bitlocker.md)

This topic for IT professionals describes the BCD settings that are used by BitLocker.

[BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)

This topic for IT professionals describes how to recover BitLocker keys from AD DS.

[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)

This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration.

[Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)

This topic for IT pros describes how to protect CSVs and SANs with BitLocker.

-  -  -  + +| Topic | Description | +| - | - | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. | +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. 
| +| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index ef750b5769..80df5a2c52 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
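Review bot: the rebuilt markdown table in bitlocker-countermeasures.md drops a row. The old HTML table listed [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) between the Recovery Password Viewer row and the BCD settings row, but the new table goes straight from `| [BitLocker: Use BitLocker Recovery Password Viewer](...) | ... |` to `| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | ... |`. Add the missing row back, e.g. `| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. |`. While the rows are being retyped, the carried-over wording "how can you plan your BitLocker deployment" and "how to deploy BitLocker and Windows Server 2012 and later" should read "how you can plan your BitLocker deployment" and "how to deploy BitLocker on Windows Server 2012 and later".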
@@ -2,33 +2,48 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # BitLocker recovery guide + **Applies to** - Windows 10 + This topic for IT professionals describes how to recover BitLocker keys from AD DS. + Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. + This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. + This article does not detail how to configure AD DS to store the BitLocker recovery information. + This article contains the following topics: + - [What Is BitLocker Recovery?](#bkmk-whatisrecovery) - [Testing Recovery](#bkmk-testingrecovery) - [Planning Your Recovery Process](#bkmk-planningrecovery) - [Using Additional Recovery Information](#bkmk-usingaddrecovery) - [Resetting Recovery Passwords](#bkmk-appendixb) - [Retrieving the BitLocker Key Package](#bkmk-appendixc) + ## What is BitLocker recovery? + BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: + - The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. 
(Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). - A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. - A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + ### What causes BitLocker recovery? + The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: + - On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - Changing the boot order to boot another drive in advance of the hard drive. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. 
@@ -49,8 +64,8 @@ The following list provides examples of specific events that will cause BitLocke - Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. - Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. - **Note**   - Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + + >**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.   - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. 
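Review bot: the two converted notes in this hunk (`>**Note:**  Some computers have BIOS settings ...` and the blank line before it) are indented by a single space under their `- ` list items. In CommonMark a line that follows a blank line must be indented to the list item's content column (two spaces for `- `) to stay inside the item; with one space the list is closed, the note renders as a top-level blockquote, and `- Moving the BitLocker-protected drive ...` starts a second list. Indent the blockquote lines with two spaces (or verify the rendered page shows one continuous list), and drop the stray trailing non-breaking spaces left over from the old `**Note**   ` format at the end of each note paragraph.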
@@ -58,169 +73,249 @@ The following list provides examples of specific events that will cause BitLocke - Failing the TPM self-test. - Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. - **Note**   - The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + + >**Note:**  The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.   - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. -**Note**   -Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. + +>**Note:**  Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. 
For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.   For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. -**Note**   -If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. + +>**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. + If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method.   Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. 
+ ## Testing recovery + Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. + **To force a recovery for the local computer** + 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - **manage-bde -forcerecovery** *<Volume>* + `manage-bde -forcerecovery ` + **To force recovery for a remote computer** + 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - **manage-bde. -ComputerName** *<ComputerName>***-forcerecovery** *<Volume>* -**Note**   -*<ComputerName>* represents the name of the remote computer. *<Volume>* represents the volume on the remote computer that is protected with BitLocker. + `manage-bde. -ComputerName -forcerecovery ` + +> **Note:**  *ComputerName* represents the name of the remote computer. *Volume* represents the volume on the remote computer that is protected with BitLocker.   ## Planning your recovery process + When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. 
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). + +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker +Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). 
+ After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. + When you determine your recovery process, you should: + - Become familiar with how you can retrieve the recovery password. See: + - [Self-recovery](#bkmk-selfrecovery) - [Recovery password retrieval](#bkmk-recoveryretrieval) + - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: + - [Post-recovery analysis](#bkmk-planningpostrecovery) + ### Self-recovery + In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. + ### Recovery password retrieval + If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. 
BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. -**Note**   -If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD +DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. 
+ +>**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.   The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. + You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. + - [Record the name of the user's computer](#bkmk-recordcomputername) - [Verify the user's identity](#bkmk-verifyidentity) - [Locate the recovery password in AD DS](#bkmk-locatepassword) - [Gather information to determine why recovery occurred](#bkmk-gatherinfo) - [Give the user the recovery password](#bkmk-givepassword) + ### Record the name of the user's computer + You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. + ### Verify the user's identity + You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. + ### Locate the recovery password in AD DS + Locate the Computer object with the matching name in AD DS. 
Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. + ### Multiple recovery passwords + If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. + If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. + ### Gather information to determine why recovery occurred + Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). + ### Give the user the recovery password + Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. -**Note**   -Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. 
+ +>**Note:**  Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.   ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption +when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. 
See: + - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) + ### Determine the root cause of the recovery + If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. + While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. + Review and answer the following questions for your organization: + 1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? 4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? + To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. + ### Resolve the root cause + After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. 
+ The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. -**Note**   -You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. + +>**Note:**  You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.   - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) - [Changes to boot files](#bkmk-changebootknown) ### Unknown PIN + If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. + **To prevent continued recovery due to an unknown PIN** + 1. Unlock the computer using the recovery password. -2. Reset the PIN: - 1. - 2. Right-click the drive and then click **Change PIN** - 3. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 4. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. +2. Reset the PIN: + 1. Right-click the drive and then click **Change PIN** + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. 3. You will use the new PIN the next time you unlock the drive. + ### Lost startup key + If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. + **To prevent continued recovery due to a lost startup key** + 1. 
Log on as an administrator to the computer that has the lost startup key. 2. Open Manage BitLocker. 3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. + ### Changes to boot files + This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. + ## Windows RE and BitLocker + Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. 
+ ## Using additional recovery information + Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. + ### BitLocker key package + If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. -**Note**   -You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. + +>**Note:**  You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.   The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). + ## Resetting recovery passwords + You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. + You can reset the recovery password in two ways: + - **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. - **Run a script** You can run a script to reset the password without decrypting the volume. 
The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. + **To reset a recovery password using manage-bde** + 1. Remove the previous recovery password + ``` syntax Manage-bde –protectors –delete C: –type RecoveryPassword ``` + 2. Add the new recovery password + ``` syntax Manage-bde –protectors –add C: -RecoveryPassword + ``` + 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. + ``` syntax Manage-bde –protectors –get C: -Type RecoveryPassword + ``` 4. Backup the new recovery password to AD DS + ``` syntax Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` - **Warning**   - You must include the braces in the ID string. + >**Warning:**  You must include the braces in the ID string.   **To run the sample recovery password script** + 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. 2. At the command prompt, type a command similar to the following: + **cscript ResetPassword.vbs** -**Important**   -This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + +>**Important:**  This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.   -**Note**   -To manage a remote computer, you can specify the remote computer name rather than the local computer name. +> **Note:**  To manage a remote computer, you can specify the remote computer name rather than the local computer name.   You can use the following sample script to create a VBScript file to reset the recovery passwords. + ``` syntax ' Target drive letter strDriveLetter = "c:" 
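Review bot: the manage-bde commands in the "To reset a recovery password using manage-bde" steps use an en dash in `–protectors`, `–delete`, `–add`, `–get`, `–adbackup` and `–type` while the same lines use an ASCII hyphen in `-RecoveryPassword`, `-Type` and `-id`; since this hunk is already reflowing those lines, normalize them to the hyphen so the commands work when pasted into cmd.exe (`Manage-bde -protectors -delete C: -type RecoveryPassword`). In the same hunk, the blank `+` lines added inside the `syntax` fences before the closing ``` (after `-add C: -RecoveryPassword` and after `-get C: -Type RecoveryPassword`) render as trailing empty lines in the code block and belong after the fence, not inside it. The converted callouts are also inconsistent (`>**Note:**` and `>**Important:**` versus `> **Note:**  To manage a remote computer`), and each conversion leaves the old line of non-breaking spaces in place beneath the new blockquote; drop those along with the `**Note**` / `**Important**` lines being removed. While the surrounding prose is being touched: "before making changes the firmware" is missing "to", "Duplicate start up key" should read "startup key" to match the heading, and "devices that include firmware to support specific TPM measurements for PCR[7] the TPM can validate" needs rewording (for example "on devices whose firmware supports the PCR[7] measurements, the TPM can validate").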
@@ -291,16 +386,25 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re 'WScript.Echo "" 'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` + ## Retrieving the BitLocker key package + You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): + - **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. + The following sample script exports all previously-saved key packages from AD DS. + **To run the sample key package retrieval script** + 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. 2. At the command prompt, type a command similar to the following: + **cscript GetBitLockerKeyPackageADDS.vbs -?** + You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. + ``` syntax ' -------------------------------------------------------------------------------- ' Usage @@ -615,7 +719,9 @@ Function BinaryToString(Binary) BinaryToString = S End Function ``` + ## See also + - [BitLocker overview](bitlocker-overview.md)
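Review bot: in the @@ -291,16 +386,25 @@ hunk the second bullet's qualifier "You must have local administrator access to the working volume, before any damage has occurred" reads as if the permission lapses after damage; state the actual constraint, that the package can only be exported while the volume is still unlocked and healthy and that doing so needs local administrator rights (for example "Export a new key package from an unlocked, BitLocker-protected volume while it is still healthy; this requires local administrator access"). The added blank lines around the heading, the list and the script lead-in are fine and match the rest of the patch.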