mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
fixed broken links
This commit is contained in:
Paolo Matarazzo
@ -43,7 +43,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid
|
||||
|
||||
### Pre-boot authentication
|
||||
|
||||
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
|
||||
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The policy setting is [Require additional authentication at startup](policy-settings.md).
|
||||
|
||||
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
|
||||
|
||||
@ -83,11 +83,7 @@ If kernel DMA protection isn't enabled, follow these steps to protect Thunderbol
|
||||
|
||||
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
|
||||
|
||||
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
|
||||
|
||||
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
|
||||
|
||||
- Group Policy: [Disable new DMA devices when this computer is locked](bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
|
||||
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): [Disable new DMA devices when this computer is locked](policy-settings.md)
|
||||
|
||||
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
|
||||
|
||||
@ -161,7 +157,7 @@ Mitigation:
|
||||
> [!IMPORTANT]
|
||||
> These settings are **not configured** by default.
|
||||
|
||||
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](bitlocker-group-policy-settings.md) is:
|
||||
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](policy-settings.md) is:
|
||||
|
||||
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
|
||||
|
||||
@ -169,10 +165,3 @@ For some systems, bypassing TPM-only may require opening the case, and may requi
|
||||
> This setting is **not configured** by default.
|
||||
|
||||
For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
|
||||
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
|
||||
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
|
||||
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
|
||||
|
||||
@ -15,7 +15,7 @@ Though much Windows [BitLocker documentation](index.md) has been published, cust
|
||||
|
||||
## Managing domain-joined computers and moving to cloud
|
||||
|
||||
Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
|
||||
Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
|
||||
|
||||
@ -92,7 +92,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
|
||||
- [BitLocker: FAQs](faq.yml)
|
||||
- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
|
||||
- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
|
||||
- [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
|
||||
- [BitLocker policy settings](policy-settings.md)
|
||||
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
|
||||
*(Overview)*
|
||||
- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
|
||||
|
||||
@ -26,7 +26,7 @@ BitLocker recovery is the process by which access can be restored to a BitLocker
|
||||
|
||||
- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
|
||||
|
||||
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
### What causes BitLocker recovery?
|
||||
|
||||
|
||||
@ -123,7 +123,7 @@ sections:
|
||||
|
||||
- question: How can I prevent users on a network from storing data on an unencrypted drive?
|
||||
answer: |
|
||||
Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker policy settings](policy-settings.md).
|
||||
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
|
||||
|
||||
- question: What is Used Disk Space Only encryption?
|
||||
@ -203,7 +203,7 @@ sections:
|
||||
- question: When should an additional method of authentication be considered?
|
||||
answer: |
|
||||
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
|
||||
For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
|
||||
For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](policy-settings.md) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
|
||||
|
||||
- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
|
||||
answer: |
|
||||
@ -264,7 +264,7 @@ sections:
|
||||
answer: |
|
||||
Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
|
||||
|
||||
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
For more info, see [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
- name: BitLocker To Go
|
||||
questions:
|
||||
@ -297,7 +297,7 @@ sections:
|
||||
answer: |
|
||||
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
|
||||
|
||||
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
For more info, see [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
|
||||
|
||||
@ -331,7 +331,7 @@ sections:
|
||||
|
||||
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
|
||||
|
||||
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
For more info, see [BitLocker policy settings](policy-settings.md).
|
||||
|
||||
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
|
||||
|
||||
@ -350,7 +350,7 @@ sections:
|
||||
- question: |
|
||||
What are the implications of using the sleep or hibernate power management options?
|
||||
answer: |
|
||||
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
|
||||
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using a [policy setting](policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
|
||||
|
||||
- question: |
|
||||
What are the advantages of a TPM?
|
||||
|
||||
@ -187,5 +187,5 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate
|
||||
|
||||
- [BitLocker frequently asked questions (FAQ)](faq.yml)
|
||||
- [BitLocker](index.md)
|
||||
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
|
||||
- [BitLocker policy settings](policy-settings.md)
|
||||
- [BitLocker basic deployment](bitlocker-basic-deployment.md)
|
||||
|
||||
@ -68,13 +68,13 @@ Configuration of encrypted hard drives as startup drives is done using the same
|
||||
- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
|
||||
- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
|
||||
|
||||
## Configuring hardware-based encryption with group policy
|
||||
## Configuring hardware-based encryption with policy settings
|
||||
|
||||
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
|
||||
There are three related policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
|
||||
|
||||
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
|
||||
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
|
||||
- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
|
||||
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/policy-settings.md#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
|
||||
- [Configure use of hardware-based encryption for removable data drives](bitlocker/policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
|
||||
- [Configure use of hardware-based encryption for operating system drives](bitlocker/policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
|
||||
|
||||
## Encrypted hard drive architecture
|
||||
|
||||
|
||||
Reference in New Issue
Block a user