fixing spacing issues

This commit is contained in:
Brian Lich
2016-05-20 16:50:15 -07:00
parent 15e9cedb16
commit d7f6f57bfe
7 changed files with 943 additions and 271 deletions


@ -2,87 +2,137 @@
title: BitLocker Countermeasures (Windows 10) title: BitLocker Countermeasures (Windows 10)
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker Countermeasures # BitLocker Countermeasures
**Applies to** **Applies to**
- Windows 10 - Windows 10
Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computers hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computers hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by:
- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. - **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computers boot components appear unaltered and the encrypted disk is located in the original computer. - **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computers boot components appear unaltered and the encrypted disk is located in the original computer.
The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup.
### Protection before startup ### Protection before startup
Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM. Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM.
**Trusted Platform Module** **Trusted Platform Module**
Software alone isnt sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. Software alone isnt sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, theyll probably destroy the chip in the process. A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, theyll probably destroy the chip in the process.
By binding the BitLocker encryption key with the TPM and properly configuring the device, its nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized users credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. By binding the BitLocker encryption key with the TPM and properly configuring the device, its nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized users credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md). For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md).
**UEFI and Secure Boot** **UEFI and Secure Boot**
No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solutions encryption keys. No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solutions encryption keys.
The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating systems bootloader. As part of its introduction into the preoperating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating systems bootloader. As part of its introduction into the preoperating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature.
Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the devices firmware before running it. Because only the PCs hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the devices firmware before running it. Because only the PCs hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust.
Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
With the legacy BIOS boot process, the preoperating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. With the legacy BIOS boot process, the preoperating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes.
![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) ![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg)
**Figure 1.** The BIOS and UEFI startup processes **Figure 1.** The BIOS and UEFI startup processes
With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether its trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloaders digital signature. Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate.
With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether its trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloaders digital signature.
Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate.
If the bootloader passes these two tests, UEFI knows that the bootloader isnt a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files havent been changed. If the bootloader passes these two tests, UEFI knows that the bootloader isnt a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files havent been changed.
All Windows 8certified devices must meet several requirements related to UEFI-based Secure Boot: All Windows 8certified devices must meet several requirements related to UEFI-based Secure Boot:
- They must have Secure Boot enabled by default. - They must have Secure Boot enabled by default.
- They must trust Microsofts certificate (and thus any bootloader Microsoft has signed). - They must trust Microsofts certificate (and thus any bootloader Microsoft has signed).
- They must allow the user to configure Secure Boot to trust other signed bootloaders. - They must allow the user to configure Secure Boot to trust other signed bootloaders.
- Except for Windows RT devices, they must allow the user to completely disable Secure Boot. - Except for Windows RT devices, they must allow the user to completely disable Secure Boot.
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of Secure Boot on Windows-certified devices.
- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of
Secure Boot on Windows-certified devices.
- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems.
- **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however. - **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however.
To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
Any device that doesnt require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. Any device that doesnt require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution.
UEFI is secure by design, but its critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. UEFI is secure by design, but its critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly.
For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx). For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx).
### Protection during pre-boot: Pre-boot authentication ### Protection during pre-boot: Pre-boot authentication
Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key.
If Windows cant access the encryption key, the device cant read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they wont be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. If Windows cant access the encryption key, the device cant read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they wont be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key.
The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: Thats merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: Thats merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future.
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. - **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data.
- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. - **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself.
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, theyre denied access to their data until they can contact their organizations support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, theyre denied access to their data until they can contact their organizations support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold bootstyle attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold bootstyle attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
You can mitigate the risk of booting to a malicious operating system: You can mitigate the risk of booting to a malicious operating system:
- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. - **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option.
- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. - **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot.
### Protection During Startup ### Protection During Startup
During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail.
**Trusted Boot** **Trusted Boot**
Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, its possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, its possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled.
**Early Launch Antimalware** **Early Launch Antimalware**
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps dont start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps dont start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
ELAM classifies drivers as follows: ELAM classifies drivers as follows:
- **Good.** The driver has been signed and has not been tampered with. - **Good.** The driver has been signed and has not been tampered with.
- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. - **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized.
- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. - **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver.
While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack.
### Protection After Startup: eliminate DMA availability ### Protection After Startup: eliminate DMA availability
Windows InstantGocertified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. Windows InstantGocertified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA.
## See also ## See also
- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) - [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md)
- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) - [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
- [BitLocker overview](bitlocker-overview.md) - [BitLocker overview](bitlocker-overview.md)
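Review bot: the non-ASCII punctuation in this hunk has been dropped rather than fixed, which is worth catching in a spacing-cleanup commit: "its possible for malware" in the Trusted Boot paragraph, "dont start" in the Early Launch Antimalware paragraph, and "Windows InstantGocertified devices" read as if the curly apostrophes and the en dash were stripped on save. Re-insert them as plain ASCII ("it's", "don't", "InstantGo-certified") so the rendered page no longer depends on the editor's encoding. Also, the closing sentence of the DMA paragraph, "The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack", doubles up "use"/"used" and "mitigate against"; "Pre-boot authentication with a PIN mitigates this attack" says the same thing.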
 
 

View File

@ -2,17 +2,22 @@
title: BitLocker frequently asked questions (FAQ) (Windows 10) title: BitLocker frequently asked questions (FAQ) (Windows 10)
description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker frequently asked questions (FAQ) # BitLocker frequently asked questions (FAQ)
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](#bkmk-overview) - [Overview and requirements](#bkmk-overview)
- [Upgrading](#bkmk-upgrading) - [Upgrading](#bkmk-upgrading)
- [Deployment and administration](#bkmk-deploy) - [Deployment and administration](#bkmk-deploy)
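Review bot: moving `ms.pagetype: security` from above `ms.prod: W10` to after `ms.sitesec: library` is a front-matter reorder, not a spacing fix, and the commit message "fixing spacing issues" does not account for it; if the new position is the required metadata order for this repo, say so in the message or split it into its own commit so the intent is recorded for the next person diffing these headers. Separately, the sentence "BitLocker is a data protection feature that encrypts the hard drives on your computer ... as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive" is a single run-on; break it after "lost or stolen" so the secure-deletion benefit reads as its own claim.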
@ -22,43 +27,75 @@ BitLocker is a data protection feature that encrypts the hard drives on your com
- [Security](#bkmk-security) - [Security](#bkmk-security)
- [BitLocker Network Unlock](#bkmk-bnusect) - [BitLocker Network Unlock](#bkmk-bnusect)
- [Other questions](#bkmk-other) - [Other questions](#bkmk-other)
## <a href="" id="bkmk-overview"></a>Overview and requirements ## <a href="" id="bkmk-overview"></a>Overview and requirements
### <a href="" id="bkmk-whatisbitlocker"></a>How does BitLocker work? ### <a href="" id="bkmk-whatisbitlocker"></a>How does BitLocker work?
**How BitLocker works with operating system drives** **How BitLocker works with operating system drives**
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives** **How BitLocker works with fixed and removable data drives**
You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
### <a href="" id="bkmk-multifactorsupport"></a>Does BitLocker support multifactor authentication? ### <a href="" id="bkmk-multifactorsupport"></a>Does BitLocker support multifactor authentication?
Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements? ### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements?
**Note**  
Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. > **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
   
### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large? ### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large?
Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
### <a href="" id="bkmk-tpmchipsupport"></a>Which Trusted Platform Modules (TPMs) does BitLocker support? ### <a href="" id="bkmk-tpmchipsupport"></a>Which Trusted Platform Modules (TPMs) does BitLocker support?
BitLocker supports TPM version 1.2 or higher. BitLocker supports TPM version 1.2 or higher.
### <a href="" id="bkmk-havetpm"></a>How can I tell if a TPM is on my computer? ### <a href="" id="bkmk-havetpm"></a>How can I tell if a TPM is on my computer?
Open the TPM MMC console (tpm.msc) and look under the **Status** heading. Open the TPM MMC console (tpm.msc) and look under the **Status** heading.
### <a href="" id="bkmk-notpm"></a>Can I use BitLocker on an operating system drive without a TPM? ### <a href="" id="bkmk-notpm"></a>Can I use BitLocker on an operating system drive without a TPM?
Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
### <a href="" id="bkmk-biossupport"></a>How do I obtain BIOS support for the TPM on my computer? ### <a href="" id="bkmk-biossupport"></a>How do I obtain BIOS support for the TPM on my computer?
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It is compliant with the TCG standards for a client computer. - It is compliant with the TCG standards for a client computer.
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
### <a href="" id="bkmk-privs"></a>What credentials are required to use BitLocker? ### <a href="" id="bkmk-privs"></a>What credentials are required to use BitLocker?
To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
### <a href="" id="bkmk-bootorder"></a>What is the recommended boot order for computers that are going to be BitLocker-protected? ### <a href="" id="bkmk-bootorder"></a>What is the recommended boot order for computers that are going to be BitLocker-protected?
You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 
## <a href="" id="bkmk-upgrading"></a>Upgrading ## <a href="" id="bkmk-upgrading"></a>Upgrading
### <a href="" id="bkmk-upgradev27"></a>Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? ### <a href="" id="bkmk-upgradev27"></a>Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled?
Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key.
### <a href="" id="bkmk-disabledecrypt"></a>What is the difference between suspending and decrypting BitLocker? ### <a href="" id="bkmk-disabledecrypt"></a>What is the difference between suspending and decrypting BitLocker?
**Decrypt** completely removes BitLocker protection and fully decrypts the drive. **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? ### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
The following table lists what action you need to take before you perform an upgrade or update installation. The following table lists what action you need to take before you perform an upgrade or update installation.
<table> <table>
<colgroup> <colgroup>
<col width="50%" /> <col width="50%" />
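Review bot: converting the Dynamic disks note to a `> **Note:**` blockquote is right, but the stray non-breaking-space line directly below it (the `   ` line after `> **Note:**  Dynamic disks are not supported by BitLocker.`) survives into the new side, which is exactly the spacing debris this commit is meant to remove; delete it. While this hunk is open, fix the typos that are present on both sides: "if it is a dynamic disk it is cannot be protected by BitLocker" should read "it cannot be protected", "such ach as CD/DVD drives or USB drives" should read "such as", and "click **Manage BitLocker**, and then and click **Suspend**" should read "and then click **Suspend**". The Suspend answer is otherwise the most security-relevant text in the hunk and is correct as written: the clear key is stored unencrypted on disk, so a suspended drive offers no protection until **Resume Protection** reseals the volume master key.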
@ -95,142 +132,253 @@ The following table lists what action you need to take before you perform an upg
</tbody> </tbody>
</table> </table>
   
**Note**   > **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
   
## <a href="" id="bkmk-deploy"></a>Deployment and administration ## <a href="" id="bkmk-deploy"></a>Deployment and administration
### <a href="" id="bkmk-automate"></a>Can BitLocker deployment be automated in an enterprise environment? ### <a href="" id="bkmk-automate"></a>Can BitLocker deployment be automated in an enterprise environment?
Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx).
### <a href="" id="bkmk-os"></a>Can BitLocker encrypt more than just the operating system drive? ### <a href="" id="bkmk-os"></a>Can BitLocker encrypt more than just the operating system drive?
Yes. Yes.
### <a href="" id="bkmk-performance"></a>Is there a noticeable performance impact when BitLocker is enabled on a computer? ### <a href="" id="bkmk-performance"></a>Is there a noticeable performance impact when BitLocker is enabled on a computer?
Generally it imposes a single-digit percentage performance overhead. Generally it imposes a single-digit percentage performance overhead.
### <a href="" id="bkmk-longencrypt"></a>How long will initial encryption take when BitLocker is turned on? ### <a href="" id="bkmk-longencrypt"></a>How long will initial encryption take when BitLocker is turned on?
Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
### <a href="" id="bkmk-turnoff"></a>What happens if the computer is turned off during encryption or decryption? ### <a href="" id="bkmk-turnoff"></a>What happens if the computer is turned off during encryption or decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
### <a href="" id="bkmk-entiredisk"></a>Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? ### <a href="" id="bkmk-entiredisk"></a>Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
### <a href="" id="bkmk-dataunencryptpart"></a>How can I prevent users on a network from storing data on an unencrypted drive? ### <a href="" id="bkmk-dataunencryptpart"></a>How can I prevent users on a network from storing data on an unencrypted drive?
You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
### <a href="" id="bkmk-integrityfail"></a>What system changes would cause the integrity check on my operating system drive to fail? ### <a href="" id="bkmk-integrityfail"></a>What system changes would cause the integrity check on my operating system drive to fail?
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer. - Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM. - Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM. - Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings. - Changing any boot configuration settings.
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
### <a href="" id="bkmk-examplesosrec"></a>What causes BitLocker to start into recovery mode when attempting to start the operating system drive? ### <a href="" id="bkmk-examplesosrec"></a>What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
### <a href="" id="bkmk-driveswap"></a>Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? ### <a href="" id="bkmk-driveswap"></a>Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
### <a href="" id="bkmk-altpc"></a>Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? ### <a href="" id="bkmk-altpc"></a>Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
### <a href="" id="bkmk-noturnon"></a>Why is "Turn BitLocker on" not available when I right-click a drive? ### <a href="" id="bkmk-noturnon"></a>Why is "Turn BitLocker on" not available when I right-click a drive?
Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
### <a href="" id="bkmk-r2disks"></a>What type of disk configurations are supported by BitLocker? ### <a href="" id="bkmk-r2disks"></a>What type of disk configurations are supported by BitLocker?
Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
## <a href="" id="bkmk-keymanagement"></a>Key management ## <a href="" id="bkmk-keymanagement"></a>Key management
### <a href="" id="bkmk-key"></a>What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? ### <a href="" id="bkmk-key"></a>What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key?
There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored? ### <a href="" id="bkmk-recoverypass"></a>How can the recovery password and recovery key be stored?
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
### <a href="" id="bkmk-enableauthwodecrypt"></a>Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? ### <a href="" id="bkmk-enableauthwodecrypt"></a>Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *&lt;4-20 digit numeric PIN&gt;* with the numeric PIN you want to use: You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *&lt;4-20 digit numeric PIN&gt;* with the numeric PIN you want to use:
**manage-bde protectors delete %systemdrive% -type tpm**
**manage-bde protectors add %systemdrive% -tpmandpin** *&lt;4-20 digit numeric PIN&gt;* `manage-bde protectors delete %systemdrive% -type tpm`
`manage-bde protectors add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable? ### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
**Important**  
Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. >**Important:**  Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
   
### <a href="" id="bkmk-usbdrive"></a>Can the USB flash drive that is used as the startup key also be used to store the recovery key? ### <a href="" id="bkmk-usbdrive"></a>Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
### <a href="" id="bkmk-startupkey"></a>Can I save the startup key on multiple USB flash drives? ### <a href="" id="bkmk-startupkey"></a>Can I save the startup key on multiple USB flash drives?
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
### <a href="" id="bkmk-multikeyoneusb"></a>Can I save multiple (different) startup keys on the same USB flash drive? ### <a href="" id="bkmk-multikeyoneusb"></a>Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
### <a href="" id="bkmk-multikey"></a>Can I generate multiple (different) startup keys for the same computer? ### <a href="" id="bkmk-multikey"></a>Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
### <a href="" id="bkmk-multipin"></a>Can I generate multiple PIN combinations? ### <a href="" id="bkmk-multipin"></a>Can I generate multiple PIN combinations?
You cannot generate multiple PIN combinations. You cannot generate multiple PIN combinations.
### <a href="" id="bkmk-encryptkeys"></a>What encryption keys are used in BitLocker? How do they work together? ### <a href="" id="bkmk-encryptkeys"></a>What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
### <a href="" id="bkmk-keystorage"></a>Where are the encryption keys stored? ### <a href="" id="bkmk-keystorage"></a>Where are the encryption keys stored?
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
### <a href="" id="bkmk-funckey"></a>Why do I have to use the function keys to enter the PIN or the 48-character recovery password? ### <a href="" id="bkmk-funckey"></a>Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
### <a href="" id="bkmk-youbrute"></a>How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? ### <a href="" id="bkmk-youbrute"></a>How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
### <a href="" id="bkmk-tpmprov"></a>How can I determine the manufacturer of my TPM? ### <a href="" id="bkmk-tpmprov"></a>How can I determine the manufacturer of my TPM?
You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading.
### <a href="" id="bkmk-tpmdam"></a>How can I evaluate a TPM's dictionary attack mitigation mechanism? ### <a href="" id="bkmk-tpmdam"></a>How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout? - How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset? - What actions can cause the failure count and lockout duration to be decreased or reset?
### <a href="" id="bkmk-pinlength"></a>Can PIN length and complexity be managed with Group Policy? ### <a href="" id="bkmk-pinlength"></a>Can PIN length and complexity be managed with Group Policy?
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
## <a href="" id="bkmk-btgsect"></a>BitLocker To Go ## <a href="" id="bkmk-btgsect"></a>BitLocker To Go
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.
## <a href="" id="bkmk-adds"></a>Active Directory Domain Services (AD DS) ## <a href="" id="bkmk-adds"></a>Active Directory Domain Services (AD DS)
### What if BitLocker is enabled on a computer before the computer has joined the domain? ### What if BitLocker is enabled on a computer before the computer has joined the domain?
If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
**Important**  
Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). >**Important:**  Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
   
### <a href="" id="bkmk-addseventlog"></a>Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? ### <a href="" id="bkmk-addseventlog"></a>Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
### <a href="" id="bkmk-refresh"></a>If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? ### <a href="" id="bkmk-refresh"></a>If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
### <a href="" id="bkmk-adbackupfails"></a>What happens if the backup initially fails? Will BitLocker retry the backup? ### <a href="" id="bkmk-adbackupfails"></a>What happens if the backup initially fails? Will BitLocker retry the backup?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored. When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
## <a href="" id="bkmk-security"></a>Security ## <a href="" id="bkmk-security"></a>Security
### <a href="" id="bkmk-form"></a>What form of encryption does BitLocker use? Is it configurable? ### <a href="" id="bkmk-form"></a>What form of encryption does BitLocker use? Is it configurable?
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
### <a href="" id="bkmk-config"></a>What is the best practice for using BitLocker on an operating system drive? ### <a href="" id="bkmk-config"></a>What is the best practice for using BitLocker on an operating system drive?
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
### <a href="" id="bkmk-sleep"></a>What are the implications of using the sleep or hibernate power management options? ### <a href="" id="bkmk-sleep"></a>What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
### <a href="" id="bkmk-root"></a>What are the advantages of a TPM? ### <a href="" id="bkmk-root"></a>What are the advantages of a TPM?
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
**Note**  
Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. >**Note:**  Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
   
## <a href="" id="bkmk-bnusect"></a>BitLocker Network Unlock ## <a href="" id="bkmk-bnusect"></a>BitLocker Network Unlock
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
## <a href="" id="bkmk-other"></a>Other questions ## <a href="" id="bkmk-other"></a>Other questions
### <a href="" id="bkmk-kernel"></a>Can I run a kernel debugger with BitLocker? ### <a href="" id="bkmk-kernel"></a>Can I run a kernel debugger with BitLocker?
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
### <a href="" id="bkmk-errorreports"></a>How does BitLocker handle memory dumps? ### <a href="" id="bkmk-errorreports"></a>How does BitLocker handle memory dumps?
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
### <a href="" id="bkmk-smart"></a>Can BitLocker support smart cards for pre-boot authentication? ### <a href="" id="bkmk-smart"></a>Can BitLocker support smart cards for pre-boot authentication?
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
### <a href="" id="bkmk-driver"></a>Can I use a non-Microsoft TPM driver? ### <a href="" id="bkmk-driver"></a>Can I use a non-Microsoft TPM driver?
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
### <a href="" id="bkmk-mbr"></a>Can other tools that manage or modify the master boot record work with BitLocker? ### <a href="" id="bkmk-mbr"></a>Can other tools that manage or modify the master boot record work with BitLocker?
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
### <a href="" id="bkmk-syschkfail"></a>Why is the system check failing when I am encrypting my operating system drive? ### <a href="" id="bkmk-syschkfail"></a>Why is the system check failing when I am encrypting my operating system drive?
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives. - The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer. - There are multiple USB flash drives inserted into the computer.
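Review bot: the Network Unlock paragraph still reads "if it can ot be connected to the network"; this hunk rejoins the line that the old side wrapped after "If the PIN is" but carries the typo over unchanged, so change "can ot" to "cannot" while touching that line. In the same hunk the system-check list spells it "uEFI firmware" in one item while the introductory sentence and every other item use "UEFI"; make the casing consistent.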
@ -238,27 +386,45 @@ The system check is designed to ensure your computer's BIOS or UEFI firmware is
- The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment. - The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting. - The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys. - The TPM has malfunctioned and fails to unseal the keys.
### <a href="" id="bkmk-usbkeyfail"></a>What can I do if the recovery key on my USB flash drive cannot be read? ### <a href="" id="bkmk-usbkeyfail"></a>What can I do if the recovery key on my USB flash drive cannot be read?
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
### <a href="" id="bkmk-usbkeynosave"></a>Why am I unable to save my recovery key to my USB flash drive? ### <a href="" id="bkmk-usbkeynosave"></a>Why am I unable to save my recovery key to my USB flash drive?
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
### <a href="" id="bkmk-noautounlock"></a>Why am I unable to automatically unlock my drive? ### <a href="" id="bkmk-noautounlock"></a>Why am I unable to automatically unlock my drive?
Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
### <a href="" id="bkmk-blsafemode"></a>Can I use BitLocker in Safe Mode? ### <a href="" id="bkmk-blsafemode"></a>Can I use BitLocker in Safe Mode?
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
### <a href="" id="bkmk-lockdata"></a>How do I "lock" a data drive? ### <a href="" id="bkmk-lockdata"></a>How do I "lock" a data drive?
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command. Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command.
**Note**  
Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. >**Note:**  Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
   
The syntax of this command is: The syntax of this command is:
**manage-bde** *&lt;driveletter&gt;* **-lock**
`manage-bde <driveletter> -lock`
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
### <a href="" id="bkmk-shadowcopy"></a>Can I use BitLocker with the Volume Shadow Copy Service? ### <a href="" id="bkmk-shadowcopy"></a>Can I use BitLocker with the Volume Shadow Copy Service?
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
### <a href="" id="bkmk-vhd"></a>Does BitLocker support virtual hard disks (VHDs)? ### <a href="" id="bkmk-vhd"></a>Does BitLocker support virtual hard disks (VHDs)?
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
## More information ## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
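Review bot: the "Save to USB" answer is self-contradictory as written: it first says the option "is not shown by default for removable drives" and then says that if the option is unavailable "a system administrator has disallowed the use of recovery keys", so a reader cannot tell whether a missing option is the default or a policy restriction; state which condition applies, or separate the two cases. A smaller point on the lock-a-data-drive answer: the prose calls it "the lock command" while the syntax line two lines later shows `manage-bde <driveletter> -lock`; write the switch as `-lock` in the sentence so it matches the token the reader will type.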
@ -267,5 +433,3 @@ BitLocker is not supported on bootable VHDs, but BitLocker is supported on data
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d) - [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d)
 
 

File diff suppressed because it is too large

View File

@ -2,22 +2,31 @@
title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10)
description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker: How to deploy on Windows Server 2012 and later # BitLocker: How to deploy on Windows Server 2012 and later
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment.
## <a href="" id="installing-bitlocker-"></a>Installing BitLocker ## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets.
- To install BitLocker using Server Manager - To install BitLocker using Server Manager
- To install BitLocker using Windows PowerShell - To install BitLocker using Windows PowerShell
### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using Server Manager ### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using Server Manager
1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. 1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.
2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** 2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown). 3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown).
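Review bot: the sentence "For all Windows Server editions, BitLocker must be installed using Server Manager" contradicts the section that follows it, which says "You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets" and then documents both paths; reword it to say that BitLocker is installed as a server feature, using either Server Manager or PowerShell. The same hunk carries the front-matter description and the opening sentence, both of which read "how to deploy BitLocker and Windows Server 2012 and later"; that should be "on Windows Server 2012 and later". Moving `ms.pagetype: security` below `ms.sitesec` is fine.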
@ -25,32 +34,42 @@ BitLocker requires administrator privileges on the server to install. You can in
5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install. 5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install.
6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. 6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. 7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
**Note**  
The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems. > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.
   
8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete. 8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete.
9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. 9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell ### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation.
**Note**  
You must restart the server to complete the installation of BitLocker. >**Note:**  You must restart the server to complete the installation of BitLocker.
   
### Using the servermanager module to install BitLocker ### Using the servermanager module to install BitLocker
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as: The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as:
``` syntax ``` syntax
Get-WindowsFeature Bit Get-WindowsFeature Bit
``` ```
The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature. The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature.
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.
``` syntax ``` syntax
Install-WindowsFeature BitLocker -WhatIf Install-WindowsFeature BitLocker -WhatIf
``` ```
The results of this command show that only the BitLocker Drive Encryption feature installs using this command. The results of this command show that only the BitLocker Drive Encryption feature installs using this command.
To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command:
``` syntax ``` syntax
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
``` ```
The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
- BitLocker Drive Encryption - BitLocker Drive Encryption
- BitLocker Drive Encryption Tools - BitLocker Drive Encryption Tools
- BitLocker Drive Encryption Administration Utilities - BitLocker Drive Encryption Administration Utilities
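Review bot: `Get-WindowsFeature Bit` is missing the wildcard that the next sentence depends on ("all of the feature names beginning with 'Bit' as their prefix"); the -Name parameter of Get-WindowsFeature accepts wildcards but does not do prefix matching on a bare string, so the block should read `Get-WindowsFeature Bit*`. Also, "The results of this command displays a table" should be "display a table".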
@ -58,31 +77,39 @@ The result of this command displays the following list of all the administration
- AD DS Snap-Ins and Command-Line Tools - AD DS Snap-Ins and Command-Line Tools
- AD DS Tools - AD DS Tools
- AD DS and AD LDS Tools - AD DS and AD LDS Tools
The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is:
``` syntax ``` syntax
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
``` ```
**Important**  
Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. >**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
   
### Using the dism module to install BitLocker ### Using the dism module to install BitLocker
The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
``` syntax ``` syntax
Get-WindowsOptionalFeature -Online | ft Get-WindowsOptionalFeature -Online | ft
``` ```
From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
To install BitLocker using the `dism` module, use the following command: To install BitLocker using the `dism` module, use the following command:
``` syntax ``` syntax
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
``` ```
This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
``` syntax ``` syntax
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
``` ```
## More information ## More information
[BitLocker overview](bitlocker-overview.md)
[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) - [BitLocker overview](bitlocker-overview.md)
[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
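Review bot: The dism paragraph in this hunk names the listing cmdlet `Get-WindowsOptionalFeatures` (plural), but the command shown right after it, and the real cmdlet, is `Get-WindowsOptionalFeature`; since the note and link list are being reflowed here anyway, drop the stray "s" so the prose matches the command. A smaller style point: the fences in this region are tagged `syntax`; tagging the PowerShell commands `powershell` would give them proper highlighting and make it clear they are cmdlets rather than generic syntax.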
  - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
 


@ -2,20 +2,27 @@
title: BitLocker How to enable Network Unlock (Windows 10) title: BitLocker How to enable Network Unlock (Windows 10)
description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker: How to enable Network Unlock # BitLocker: How to enable Network Unlock
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.
Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
This topic contains: This topic contains:
- [Network Unlock core requirements](#bkmk-nunlockcorereqs) - [Network Unlock core requirements](#bkmk-nunlockcorereqs)
- [Network Unlock sequence](#bkmk-networkunlockseq) - [Network Unlock sequence](#bkmk-networkunlockseq)
- [Configure Network Unlock](#bkmk-configuringnetworkunlock) - [Configure Network Unlock](#bkmk-configuringnetworkunlock)
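Review bot: The intro paragraph in this hunk reads "This can make it difficult to enterprises to roll out software patches"; it should be "difficult for enterprises". The following sentence, "Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements", also reads awkwardly and would be clearer as "BitLocker-enabled systems that use TPM+PIN and meet the hardware requirements". Both lines sit in the region this hunk touches, so it is a good moment to fix them.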
@ -24,8 +31,11 @@ This topic contains:
- [Update Network Unlock certificates](#bkmk-updatecerts) - [Update Network Unlock certificates](#bkmk-updatecerts)
- [Troubleshoot Network Unlock](#bkmk-troubleshoot) - [Troubleshoot Network Unlock](#bkmk-troubleshoot)
- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) - [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems)
## <a href="" id="bkmk-nunlockcorereqs"></a>Network Unlock core requirements ## <a href="" id="bkmk-nunlockcorereqs"></a>Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include:
- You must be running at least Windows 8 or Windows Server 2012. - You must be running at least Windows 8 or Windows Server 2012.
- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. - Any supported operating system with UEFI DHCP drivers can be Network Unlock clients.
- A server running the Windows Deployment Services (WDS) role on any supported server operating system. - A server running the Windows Deployment Services (WDS) role on any supported server operating system.
@ -33,20 +43,31 @@ Network Unlock must meet mandatory hardware and software requirements before the
- A DHCP server, separate from the WDS server. - A DHCP server, separate from the WDS server.
- Properly configured public/private key pairing. - Properly configured public/private key pairing.
- Network Unlock Group Policy settings configured. - Network Unlock Group Policy settings configured.
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
**Note**  
To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. >**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
   
The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server.
The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence ## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive.
The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png) ![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png)
**Phases in the Network Unlock process** **Phases in the Network Unlock process**
1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. 3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
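Review bot: The key-material description in this hunk is inconsistent between the requirements paragraph and the phase list: the former says "an AES 256 session key" while phase 3 says "an AES-256 session key"; use the hyphenated form in both places, as it is the same key. The adapter-enumeration paragraph converted to a blockquote note here is the one practitioners most often trip over (enumeration stops at the first adapter with a DHCP port failure); it would help to end it with the remediation already implied by the text, that is, make the DHCP-capable onboard adapter the first enumerated one in firmware, rather than leaving the reader with only the failure description.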
@ -56,50 +77,75 @@ The server side configuration to enable Network Unlock also requires provisionin
7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. 7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM.
8. This combined key is used to create an AES-256 key that unlocks the volume. 8. This combined key is used to create an AES-256 key that unlocks the volume.
9. Windows continues the boot sequence. 9. Windows continues the boot sequence.
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock ## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role ### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
To install the role using Windows PowerShell, use the following command: To install the role using Windows PowerShell, use the following command:
``` syntax ``` syntax
Install-WindowsFeature WDS-Deployment Install-WindowsFeature WDS-Deployment
``` ```
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### <a href="" id="bkmk-steptwo"></a>Step Two: Confirm the WDS Service is running ### <a href="" id="bkmk-steptwo"></a>Step Two: Confirm the WDS Service is running
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
To confirm the service is running using Windows PowerShell, use the following command: To confirm the service is running using Windows PowerShell, use the following command:
``` syntax ``` syntax
Get-Service WDSServer Get-Service WDSServer
``` ```
### <a href="" id="bkmk-stepthree"></a>Step Three: Install the Network Unlock feature ### <a href="" id="bkmk-stepthree"></a>Step Three: Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
To install the feature using Windows PowerShell, use the following command: To install the feature using Windows PowerShell, use the following command:
``` syntax ``` syntax
Install-WindowsFeature BitLocker-NetworkUnlock Install-WindowsFeature BitLocker-NetworkUnlock
``` ```
### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate ### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
To enroll a certificate from an existing certification authority (CA), do the following: To enroll a certificate from an existing certification authority (CA), do the following:
1. Open Certificate Manager on the WDS server using **certmgr.msc** 1. Open Certificate Manager on the WDS server using **certmgr.msc**
2. Under the Certificates - Current User item, right-click Personal 2. Under the Certificates - Current User item, right-click Personal
3. Select All Tasks, then **Request New Certificate** 3. Select All Tasks, then **Request New Certificate**
4. Select **Next** when the Certificate Enrollment wizard opens 4. Select **Next** when the Certificate Enrollment wizard opens
5. Select Active Directory Enrollment Policy 5. Select Active Directory Enrollment Policy
6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: 6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate:
- Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain"
7. Create the certificate. Ensure the certificate appears in the Personal folder. 7. Create the certificate. Ensure the certificate appears in the Personal folder.
8. Export the public key certificate for Network Unlock 8. Export the public key certificate for Network Unlock
1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
2. Select **No, do not export the private key**. 2. Select **No, do not export the private key**.
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
4. Give the file a name such as BitLocker-NetworkUnlock.cer. 4. Give the file a name such as BitLocker-NetworkUnlock.cer.
9. Export the public key with a private key for Network Unlock 9. Export the public key with a private key for Network Unlock
1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
2. Select **Yes, export the private key**. 2. Select **Yes, export the private key**.
3. Complete the wizard to create the .pfx file. 3. Complete the wizard to create the .pfx file.
To create a self-signed certificate, do the following: To create a self-signed certificate, do the following:
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf 1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
2. Add the following contents to the previously created file: 2. Add the following contents to the previously created file:
``` syntax ``` syntax
[NewRequest] [NewRequest]
Subject="CN=BitLocker Network Unlock certificate" Subject="CN=BitLocker Network Unlock certificate"
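Review bot: Step One in this hunk has "Active Directory Doman Services" (should be "Domain Services") and "You can do using the WDS management tool" (missing "this": "You can do this using"). In Step Four, item 9 is titled "Export the public key with a private key for Network Unlock"; since the .pfx carries the private key and is what Step Five imports on the WDS server, "Export the certificate with its private key" would describe the file more accurately and make the contrast with item 8 (the public .cer for clients) explicit.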
@ -117,46 +163,63 @@ To create a self-signed certificate, do the following:
2.5.29.37 = "{text}" 2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.67.1.1" _continue_ = "1.3.6.1.4.1.311.67.1.1"
``` ```
3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: 3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name:
``` syntax ``` syntax
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
``` ```
4. Verify the previous command properly created the certificate by confirming the .cer file exists 4. Verify the previous command properly created the certificate by confirming the .cer file exists
5. Launch the Certificate Manager by running **certmgr.msc** 5. Launch the Certificate Manager by running **certmgr.msc**
6. Create a .pfx file by opening the **Certificates Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. 6. Create a .pfx file by opening the **Certificates Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server ### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**
3. In the **File to Import** dialog, choose the .pfx file created previously. 3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard. 4. Enter the password used to create the .pfx and complete the wizard.
### Step Six: Configure Group Policy settings for Network Unlock ### Step Six: Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc)
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
The following steps describe how to deploy the required Group Policy setting: The following steps describe how to deploy the required Group Policy setting:
**Note**  
The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
   
1. Copy the .cer file created for Network Unlock to the domain controller 1. Copy the .cer file created for Network Unlock to the domain controller
2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 2. On the domain controller, launch Group Policy Management Console (gpmc.msc)
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients 4. Deploy the public certificate to clients
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
2. Right-click the folder and choose **Add Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate**
3. Follow the wizard steps and import the .cer file that was copied earlier. 3. Follow the wizard steps and import the .cer file that was copied earlier.
**Note**  
Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
   
### <a href="" id="bkmk-stepseven"></a>Step Seven: Require TPM+PIN protectors at startup ### <a href="" id="bkmk-stepseven"></a>Step Seven: Require TPM+PIN protectors at startup
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc)
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock ### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc). 1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template** 2. Locate the User template. Right-click the template name and select **Duplicate Template**
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
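Review bot: the three TPM+PIN steps at the top of this region ("1. Open Group Policy Management Console (gpmc.msc)" through "3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers") duplicate the list under "Step Seven: Require TPM+PIN protectors at startup" a few lines further down; if the first copy is a leftover from an earlier edit it should be removed, because where it sits now it reads as part of the Network Unlock Group Policy deployment. The new ">**Note:**" block-quote form is fine, but make sure a blank line separates it from the numbered list that follows ("1. Copy the .cer file created for Network Unlock to the domain controller"); without one, some Markdown renderers fold the list into the quote. Nit in unchanged context: "Windows 8respectively" on the Compatibility-tab step is missing the space before "respectively".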
@ -170,104 +233,129 @@ The following steps detail how to create a certificate template for use with Bit
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**. 12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: 13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name:** **BitLocker Network Unlock** - **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
17. Select **OK** to complete configuration of the template. 17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
### Subnet policy configuration files on WDS Server (Optional) ### Subnet policy configuration files on WDS Server (Optional)
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests.
The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
``` syntax
[SUBNETS] [SUBNETS]
SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon
SUBNET2=10.185.252.200/28 SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
``` ```
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
**Note**  
When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. >**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
   
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
``` syntax [2158a767e1c14e88e27a4c0aee111d2de2eafe60]
[2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. ;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. SUBNET1
SUBNET1 ;SUBNET2
;SUBNET2 SUBNET3
SUBNET3
```
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
### <a href="" id="bkmk-turnoffnetworkunlock"></a>Turning off Network Unlock ### <a href="" id="bkmk-turnoffnetworkunlock"></a>Turning off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
**Note**  
Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. >**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
   
### <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates ### <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.
## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock ## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include:
- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode.
- All required roles and services are installed and started - All required roles and services are installed and started
- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. - Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer.
- Group policy for Network Unlock is enabled and linked to the appropriate domains - Group policy for Network Unlock is enabled and linked to the appropriate domains
- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer:
``` syntax ``` syntax
Manage-bde protectors get C: Manage-bde protectors get C:
``` ```
**Note**   >**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
   
Files to gather when troubleshooting BitLocker Network Unlock include: Files to gather when troubleshooting BitLocker Network Unlock include:
1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log 1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log
Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging.
1. Start an elevated command prompt and run the following command: 1. Start an elevated command prompt and run the following command:
``` syntax ``` syntax
wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
``` ```
2. Open Event Viewer on the WDS server. 2. Open Event Viewer on the WDS server.
In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**.
In the right pane, click **Enable Log**. In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists). 2. The DHCP subnet configuration file (if one exists).
3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell 3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell
4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address 4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address
## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions ## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008.
**Requirements** **Requirements**
- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. - The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic.
- Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. - Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
The following steps can be used to configure Network Unlock on these older systems. The following steps can be used to configure Network Unlock on these older systems.
1. [Step One: Install the WDS Server role](#bkmk-stepone) 1. [Step One: Install the WDS Server role](#bkmk-stepone)
2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) 2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo)
3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) 3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree)
4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) 4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour)
5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive)
6. **Step Six: Configure registry settings for Network Unlock** 6. **Step Six: Configure registry settings for Network Unlock**
Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
``` syntax certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
```
7. [Create the Network Unlock certificate](#bkmk-stepfour) 7. [Create the Network Unlock certificate](#bkmk-stepfour)
8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive)
9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) 9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl)
10. [Require TPM+PIN protectors at startup](#bkmk-stepseven) 10. [Require TPM+PIN protectors at startup](#bkmk-stepseven)
## See also ## See also
- [BitLocker overview](bitlocker-overview.md) - [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
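Review bot: on the new side of this hunk the "``` syntax" opening and closing fences are gone from the certificate-section sample (the rows from "[2158a767e1c14e88e27a4c0aee111d2de2eafe60]" to "SUBNET3") and from the certutil/reg script under "Step Six: Configure registry settings for Network Unlock", while the manage-bde and wevtutil blocks keep theirs. Unless those two blocks were converted to indented code blocks, the INI lines and the reg add commands will collapse into a single paragraph and the bracketed thumbprint may be parsed as a link label; please restore the fences, indented under the step 6 list item so the numbered list still continues at "7. [Create the Network Unlock certificate]". Nits in unchanged context worth taking in the same pass: "lcoal computer" on the Network (Certificate Based) protector bullet, "is on firmware version is 2.3.1" in the first troubleshooting bullet, and "servers ability" (missing apostrophe) in the FVENKP note.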
 
 

View File

@ -2,103 +2,78 @@
title: BitLocker (Windows 10) title: BitLocker (Windows 10)
description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker # BitLocker
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
## <a href="" id="bkmk-over"></a> ## <a href="" id="bkmk-over"></a>
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been
tampered with while the system was offline.
On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
## <a href="" id="bkmk-app"></a>Practical applications ## <a href="" id="bkmk-app"></a>Practical applications
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker.
- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console.
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console.
## <a href="" id="bkmk-new"></a>New and changed functionality ## <a href="" id="bkmk-new"></a>New and changed functionality
To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md) To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md)
   
## System requirements ## System requirements
BitLocker has the following hardware requirements: BitLocker has the following hardware requirements:
For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive.
A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
The hard disk must be partitioned with at least two drives: The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
## In this section ## In this section
<table>
<colgroup> | Topic | Description |
<col width="50%" /> | - | - |
<col width="50%" /> | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
</colgroup> | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
<thead> | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
<tr class="header"> | [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.|
<th align="left">Topic</th> | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. |
<th align="left">Description</th> | [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.|
</tr> | [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. |
</thead> | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.|
<tbody> | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
<tr class="odd"> | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
<td align="left"><p>[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)</p></td> | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
<td align="left"><p>This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)</p></td>
<td align="left"><p>This topic for the IT professional explains how can you plan your BitLocker deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[BitLocker basic deployment](bitlocker-basic-deployment.md)</p></td>
<td align="left"><p>This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)</p></td>
<td align="left"><p>This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)</p></td>
<td align="left"><p>This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)</p></td>
<td align="left"><p>This topic for the IT professional describes how to use tools to manage BitLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)</p></td>
<td align="left"><p>This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[BitLocker Group Policy settings](bitlocker-group-policy-settings.md)</p></td>
<td align="left"><p>This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[BCD settings and BitLocker](bcd-settings-and-bitlocker.md)</p></td>
<td align="left"><p>This topic for IT professionals describes the BCD settings that are used by BitLocker.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)</p></td>
<td align="left"><p>This topic for IT professionals describes how to recover BitLocker keys from AD DS.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)</p></td>
<td align="left"><p>This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)</p></td>
<td align="left"><p>This topic for IT pros describes how to protect CSVs and SANs with BitLocker.</p></td>
</tr>
</tbody>
</table>
 
 
 

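Review bot: The markdown table that replaces the HTML table under "In this section" drops one row. The old table had a "BitLocker Group Policy settings" entry between the Recovery Password Viewer row and the BCD settings row (`[BitLocker Group Policy settings](bitlocker-group-policy-settings.md)` with the description "This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption."), and the new table goes straight from the Recovery Password Viewer row to `| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | ... |`. The recovery guide touched in this same commit still links to bitlocker-group-policy-settings.md, so this looks like an accidental omission during the conversion rather than an intended removal; add the row back as `| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. |`. Two smaller spacing points, given the commit title: the line of non-breaking spaces between the "What's new in BitLocker?" link and `## System requirements` is kept as unchanged context, and so are the three trailing non-breaking-space lines after the table; both are exactly the kind of whitespace this commit is meant to clean up and can go.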
View File

@ -2,33 +2,48 @@
title: BitLocker recovery guide (Windows 10) title: BitLocker recovery guide (Windows 10)
description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. description: This topic for IT professionals describes how to recover BitLocker keys from AD DS.
ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# BitLocker recovery guide # BitLocker recovery guide
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic for IT professionals describes how to recover BitLocker keys from AD DS. This topic for IT professionals describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
This article does not detail how to configure AD DS to store the BitLocker recovery information. This article does not detail how to configure AD DS to store the BitLocker recovery information.
This article contains the following topics: This article contains the following topics:
- [What Is BitLocker Recovery?](#bkmk-whatisrecovery) - [What Is BitLocker Recovery?](#bkmk-whatisrecovery)
- [Testing Recovery](#bkmk-testingrecovery) - [Testing Recovery](#bkmk-testingrecovery)
- [Planning Your Recovery Process](#bkmk-planningrecovery) - [Planning Your Recovery Process](#bkmk-planningrecovery)
- [Using Additional Recovery Information](#bkmk-usingaddrecovery) - [Using Additional Recovery Information](#bkmk-usingaddrecovery)
- [Resetting Recovery Passwords](#bkmk-appendixb) - [Resetting Recovery Passwords](#bkmk-appendixb)
- [Retrieving the BitLocker Key Package](#bkmk-appendixc) - [Retrieving the BitLocker Key Package](#bkmk-appendixc)
## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery? ## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive:
- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). - The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. - A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). - A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
### What causes BitLocker recovery? ### What causes BitLocker recovery?
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
- Changing the boot order to boot another drive in advance of the hard drive. - Changing the boot order to boot another drive in advance of the hard drive.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
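Review bot: The only change in this hunk is moving `ms.pagetype: security` from directly below `ms.assetid` to directly below `ms.sitesec`, the same reorder applied to the overview file in this commit; everything else is unchanged context. That is fine, but since the same key is being shuffled in several files at once it is worth settling on one front-matter key order for the whole set so that later diffs do not reshuffle it again.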
@ -49,8 +64,8 @@ The following list provides examples of specific events that will cause BitLocke
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. - Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. - Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
**Note**  
Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. >**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
   
- Moving the BitLocker-protected drive into a new computer. - Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM. - Upgrading the motherboard to a new one with a new TPM.
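Review bot: The converted note keeps the spacer line that used to close the old `**Note**` block: after `>**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. ...` the line that contains only non-breaking spaces is still there before `- Moving the BitLocker-protected drive into a new computer.`. For a commit titled "fixing spacing issues" that line should be dropped, with a plain blank line (or nothing) separating the blockquote from the next item. Separately, this note sits between two items of the same bullet list; an unindented blockquote there ends the list, so "Moving the BitLocker-protected drive" and the items after it render as a second list. Indenting the quote by two spaces so it is a continuation of the "Modifying the Platform Configuration Registers" item keeps the list intact.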
@ -58,169 +73,249 @@ The following list provides examples of specific events that will cause BitLocke
- Failing the TPM self-test. - Failing the TPM self-test.
- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value. - Changing the usage authorization for the storage root key of the TPM to a non-zero value.
**Note**  
The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. >**Note:**  The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
   
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process. - Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
**Note**  
Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. >**Note:**  Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
   
For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
**Note**  
If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. >**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method. If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method.
   
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
## <a href="" id="bkmk-testingrecovery"></a>Testing recovery ## <a href="" id="bkmk-testingrecovery"></a>Testing recovery
Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
**To force a recovery for the local computer** **To force a recovery for the local computer**
1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER: 2. At the command prompt, type the following command and then press ENTER:
**manage-bde -forcerecovery** *&lt;Volume&gt;* `manage-bde -forcerecovery <Volume>`
**To force recovery for a remote computer** **To force recovery for a remote computer**
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER: 2. At the command prompt, type the following command and then press ENTER:
**manage-bde. -ComputerName** *&lt;ComputerName&gt;***-forcerecovery** *&lt;Volume&gt;* `manage-bde. -ComputerName <ComputerName> -forcerecovery <Volume>`
**Note**  
*&lt;ComputerName&gt;* represents the name of the remote computer. *&lt;Volume&gt;* represents the volume on the remote computer that is protected with BitLocker. > **Note:**  *ComputerName* represents the name of the remote computer. *Volume* represents the volume on the remote computer that is protected with BitLocker.
   
## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process ## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process
When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx).
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker
Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx).
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
When you determine your recovery process, you should: When you determine your recovery process, you should:
- Become familiar with how you can retrieve the recovery password. See: - Become familiar with how you can retrieve the recovery password. See:
- [Self-recovery](#bkmk-selfrecovery) - [Self-recovery](#bkmk-selfrecovery)
- [Recovery password retrieval](#bkmk-recoveryretrieval) - [Recovery password retrieval](#bkmk-recoveryretrieval)
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
- [Post-recovery analysis](#bkmk-planningpostrecovery) - [Post-recovery analysis](#bkmk-planningpostrecovery)
### <a href="" id="bkmk-selfrecovery"></a>Self-recovery ### <a href="" id="bkmk-selfrecovery"></a>Self-recovery
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
### <a href="" id="bkmk-recoveryretrieval"></a>Recovery password retrieval ### <a href="" id="bkmk-recoveryretrieval"></a>Recovery password retrieval
If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered**
- **Choose how BitLocker-protected removable drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered**
In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD
**Note**   DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
>**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
   
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
- [Record the name of the user's computer](#bkmk-recordcomputername) - [Record the name of the user's computer](#bkmk-recordcomputername)
- [Verify the user's identity](#bkmk-verifyidentity) - [Verify the user's identity](#bkmk-verifyidentity)
- [Locate the recovery password in AD DS](#bkmk-locatepassword) - [Locate the recovery password in AD DS](#bkmk-locatepassword)
- [Gather information to determine why recovery occurred](#bkmk-gatherinfo) - [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
- [Give the user the recovery password](#bkmk-givepassword) - [Give the user the recovery password](#bkmk-givepassword)
### <a href="" id="bkmk-recordcomputername"></a>Record the name of the user's computer ### <a href="" id="bkmk-recordcomputername"></a>Record the name of the user's computer
You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
### <a href="" id="bkmk-verifyidentity"></a>Verify the user's identity ### <a href="" id="bkmk-verifyidentity"></a>Verify the user's identity
You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user.
### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS ### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS
Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
### Multiple recovery passwords ### Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.
If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.
### <a href="" id="bkmk-gatherinfo"></a>Gather information to determine why recovery occurred ### <a href="" id="bkmk-gatherinfo"></a>Gather information to determine why recovery occurred
Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery).
### <a href="" id="bkmk-givepassword"></a>Give the user the recovery password ### <a href="" id="bkmk-givepassword"></a>Give the user the recovery password
Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
**Note**  
Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. >**Note:**  Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
   
### <a href="" id="bkmk-planningpostrecovery"></a>Post-recovery analysis ### <a href="" id="bkmk-planningpostrecovery"></a>Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption
when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:
- [Determine the root cause of the recovery](#bkmk-determinecause) - [Determine the root cause of the recovery](#bkmk-determinecause)
- [Refresh BitLocker protection](#bkmk-refreshprotection) - [Refresh BitLocker protection](#bkmk-refreshprotection)
### <a href="" id="bkmk-determinecause"></a>Determine the root cause of the recovery ### <a href="" id="bkmk-determinecause"></a>Determine the root cause of the recovery
If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
Review and answer the following questions for your organization: Review and answer the following questions for your organization:
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change? 3. If TPM mode was in effect, was recovery caused by a boot file change?
4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? 4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.
### <a href="" id="bkmk-refreshprotection"></a>Resolve the root cause ### <a href="" id="bkmk-refreshprotection"></a>Resolve the root cause
After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.
The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
**Note**  
You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. >**Note:**  You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
   
- [Unknown PIN](#bkmk-unknownpin) - [Unknown PIN](#bkmk-unknownpin)
- [Lost startup key](#bkmk-loststartup) - [Lost startup key](#bkmk-loststartup)
- [Changes to boot files](#bkmk-changebootknown) - [Changes to boot files](#bkmk-changebootknown)
### <a href="" id="bkmk-unknownpin"></a>Unknown PIN ### <a href="" id="bkmk-unknownpin"></a>Unknown PIN
If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
**To prevent continued recovery due to an unknown PIN** **To prevent continued recovery due to an unknown PIN**
1. Unlock the computer using the recovery password. 1. Unlock the computer using the recovery password.
2. Reset the PIN: 2. Reset the PIN:
1. 1. Right-click the drive and then click **Change PIN**
2. Right-click the drive and then click **Change PIN** 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
3. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
4. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
3. You will use the new PIN the next time you unlock the drive. 3. You will use the new PIN the next time you unlock the drive.
### <a href="" id="bkmk-loststartup"></a>Lost startup key ### <a href="" id="bkmk-loststartup"></a>Lost startup key
If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key.
**To prevent continued recovery due to a lost startup key** **To prevent continued recovery due to a lost startup key**
1. Log on as an administrator to the computer that has the lost startup key. 1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker. 2. Open Manage BitLocker.
3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. 3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
### <a href="" id="bkmk-changebootknown"></a>Changes to boot files ### <a href="" id="bkmk-changebootknown"></a>Changes to boot files
This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
## Windows RE and BitLocker ## Windows RE and BitLocker
Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLockerprotected drives. Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. 
If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information ## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
### BitLocker key package ### BitLocker key package
If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.
**Note**  
You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. >**Note:**  You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
   
The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
## <a href="" id="bkmk-appendixb"></a>Resetting recovery passwords ## <a href="" id="bkmk-appendixb"></a>Resetting recovery passwords
You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
You can reset the recovery password in two ways: You can reset the recovery password in two ways:
- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. - **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. - **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
**To reset a recovery password using manage-bde** **To reset a recovery password using manage-bde**
1. Remove the previous recovery password 1. Remove the previous recovery password
``` syntax ``` syntax
Manage-bde protectors delete C: type RecoveryPassword Manage-bde protectors delete C: type RecoveryPassword
``` ```
2. Add the new recovery password 2. Add the new recovery password
``` syntax ``` syntax
Manage-bde protectors add C: -RecoveryPassword Manage-bde protectors add C: -RecoveryPassword
``` ```
3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
``` syntax ``` syntax
Manage-bde protectors get C: -Type RecoveryPassword Manage-bde protectors get C: -Type RecoveryPassword
``` ```
4. Backup the new recovery password to AD DS 4. Backup the new recovery password to AD DS
``` syntax ``` syntax
Manage-bde protectors adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} Manage-bde protectors adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
``` ```
**Warning**   >**Warning:**  You must include the braces in the ID string.
You must include the braces in the ID string.
   
**To run the sample recovery password script** **To run the sample recovery password script**
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
2. At the command prompt, type a command similar to the following: 2. At the command prompt, type a command similar to the following:
**cscript ResetPassword.vbs** **cscript ResetPassword.vbs**
**Important**  
This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. >**Important:**  This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.
   
**Note**   > **Note:**  To manage a remote computer, you can specify the remote computer name rather than the local computer name.
To manage a remote computer, you can specify the remote computer name rather than the local computer name.
   
You can use the following sample script to create a VBScript file to reset the recovery passwords. You can use the following sample script to create a VBScript file to reset the recovery passwords.
``` syntax ``` syntax
' Target drive letter ' Target drive letter
strDriveLetter = "c:" strDriveLetter = "c:"
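Review bot: the manage-bde commands in steps 1 to 3 of "To reset a recovery password using manage-bde" are missing the leading hyphens on their switches (`Manage-bde protectors delete C: type RecoveryPassword`), so they will not run as written, while step 4 already uses the hyphenated `-id` form. Suggested lines: `manage-bde -protectors -delete C: -type RecoveryPassword`, `manage-bde -protectors -add C: -RecoveryPassword`, `manage-bde -protectors -get C: -type RecoveryPassword`. Since this commit is about spacing, the new callouts are also inconsistent with each other: `>**Note:**` and `>**Important:**` have no space after `>`, but the remote-computer note uses `> **Note:**`; pick one form for all three.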
@ -291,16 +386,25 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re
'WScript.Echo "" 'WScript.Echo ""
'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." 'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
``` ```
## <a href="" id="bkmk-appendixc"></a>Retrieving the BitLocker key package ## <a href="" id="bkmk-appendixc"></a>Retrieving the BitLocker key package
You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
The following sample script exports all previously-saved key packages from AD DS. The following sample script exports all previously-saved key packages from AD DS.
**To run the sample key package retrieval script** **To run the sample key package retrieval script**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
2. At the command prompt, type a command similar to the following: 2. At the command prompt, type a command similar to the following:
**cscript GetBitLockerKeyPackageADDS.vbs -?** **cscript GetBitLockerKeyPackageADDS.vbs -?**
You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS.
``` syntax ``` syntax
' -------------------------------------------------------------------------------- ' --------------------------------------------------------------------------------
' Usage ' Usage
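Review bot: the two commented-out `WScript.Echo` lines at the tail of the reset script (the empty echo and the `manage-bde -protectors -get ... -type recoverypassword` hint) are dead code shipped to the reader; either delete them or uncomment them so the user is told how to verify the new protector after the "A new recovery password has been added" message. The fence tag `syntax` on the script blocks is also not a language a Markdown highlighter recognizes; `vb` would give the VBScript blocks real highlighting.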
@ -615,7 +719,9 @@ Function BinaryToString(Binary)
BinaryToString = S BinaryToString = S
End Function End Function
``` ```
## See also ## See also
- [BitLocker overview](bitlocker-overview.md) - [BitLocker overview](bitlocker-overview.md)