mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 03:43:39 +00:00
faq converted into yml
@ -1,48 +0,0 @@
---
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---

# BitLocker frequently asked questions (FAQ) resources

**Applies to**
- Windows 10

This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.md)
- [BitLocker To Go](bitlocker-to-go-faq.yml)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- [Security](bitlocker-security-faq.md)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md)


## More information

- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
@ -0,0 +1,53 @@
### YamlMime:FAQ
metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker

title: BitLocker frequently asked questions (FAQ) resources
summary: |
**Applies to**
- Windows 10

This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.yml)
- [BitLocker To Go](bitlocker-to-go-faq.yml)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- [Security](bitlocker-security-faq.yml)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)



sections:
- name: Ignored
questions:
- question: |
More information
answer: |
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
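Review bot: the hub now links to bitlocker-upgrading-faq.yml, bitlocker-security-faq.yml and bitlocker-using-with-other-programs-faq.yml, but the only FAQ files converted in the visible part of this diff are bitlocker-frequently-asked-questions, bitlocker-key-management-faq and bitlocker-network-unlock-faq; confirm that those three other .yml targets exist in this commit, otherwise the hub ships with broken links. Two smaller points on the same hunk: the "More information" link list is expressed as a `question:` under a section named `Ignored`, so the rendered FAQ shows a Q&A entry whose "question" is a heading (the FAQ schema's trailing `additionalContent` block, if available in this repo's schema version, is the usual home for such a list), and `ms.topic: conceptual` is carried over from the .md even though the file is now `### YamlMime:FAQ`, where `ms.topic: faq` is the convention.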
@ -1341,6 +1341,6 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod

- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker overview](bitlocker-overview.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
@ -106,6 +106,6 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## More information

- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

@ -387,5 +387,5 @@ Follow these steps to configure Network Unlock on these older systems.
## See also

- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

@ -1,124 +0,0 @@
---
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---

# BitLocker Key Management FAQ

**Applies to**
- Windows 10

## How can I authenticate or unlock my removable data drive?

You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:

<code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>

## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?

For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).

## How can the recovery password and recovery key be stored?

The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.

For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.

A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.

## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?

You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:

<code>manage-bde –protectors –delete %systemdrive% -type tpm</code>

<code>manage-bde –protectors –add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>


## When should an additional method of authentication be considered?

New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.

## If I lose my recovery information, will the BitLocker-protected data be unrecoverable?

BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.

> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.

## Can the USB flash drive that is used as the startup key also be used to store the recovery key?

While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.

## Can I save the startup key on multiple USB flash drives?

Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.

## Can I save multiple (different) startup keys on the same USB flash drive?

Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.

## Can I generate multiple (different) startup keys for the same computer?

You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

## Can I generate multiple PIN combinations?

You cannot generate multiple PIN combinations.

## What encryption keys are used in BitLocker? How do they work together?

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.

## Where are the encryption keys stored?

The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.

## Why do I have to use the function keys to enter the PIN or the 48-character recovery password?

The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.

When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.

## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?

It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

## How can I determine the manufacturer of my TPM?

You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.

## How can I evaluate a TPM's dictionary attack mitigation mechanism?

The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:

- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?

## Can PIN length and complexity be managed with Group Policy?

Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.

For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
@ -0,0 +1,121 @@
### YamlMime:FAQ
metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker

title: BitLocker Key Management FAQ
summary: |
**Applies to**
- Windows 10


sections:
- name: Ignored
questions:
- question: How can I authenticate or unlock my removable data drive?
answer: |
You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:

<code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>

- question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
answer: |
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).

- question: How can the recovery password and recovery key be stored?
answer: |
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.

For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.

A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.

- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: |
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:

<code>manage-bde –protectors –delete %systemdrive% -type tpm</code>

<code>manage-bde –protectors –add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>


- question: When should an additional method of authentication be considered?
answer: |
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.

- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
answer: |
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.

> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.

- question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.

- question: Can I save the startup key on multiple USB flash drives?
answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.

- question: Can I save multiple (different) startup keys on the same USB flash drive?
answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.

- question: Can I generate multiple (different) startup keys for the same computer?
answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

- question: Can I generate multiple PIN combinations?
answer: You cannot generate multiple PIN combinations.

- question: What encryption keys are used in BitLocker? How do they work together?
answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.

- question: Where are the encryption keys stored?
answer: |
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.

- question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
answer: |
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.

When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.

- question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
answer: |
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

- question: How can I determine the manufacturer of my TPM?
answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.

- question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
answer: |
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:

- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?

- question: Can PIN length and complexity be managed with Group Policy?
answer: |
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.

For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
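Review bot: the two manage-bde commands in the TPM-only to TPM+PIN answer use en-dash characters for their switches (`manage-bde –protectors –delete %systemdrive% -type tpm` and `manage-bde –protectors –add %systemdrive% -tpmandpin ...`), so a copied command does not parse; the text is being re-authored into this file anyway, so replace them with ASCII hyphens (`-protectors -delete`, `-protectors -add`) to match `-type` and `-tpmandpin` on the same lines. Also, `ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee` is the same value the hub FAQ carries in this commit; asset IDs are meant to be unique per page, so one of the two files should get its own. Minor: entries mix `answer: |` block scalars with single-line plain `answer:` scalars; a plain scalar breaks as soon as the prose contains `: ` or starts with a YAML indicator, so using `answer: |` for every entry is safer and easier to edit later.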
@ -101,7 +101,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi

## Related Articles

[BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)

[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)


@ -1,36 +0,0 @@
---
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
---

# BitLocker Network Unlock FAQ

**Applies to**
- Windows 10

BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.

To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.

BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.

Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.

For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).


@ -0,0 +1,40 @@
|
||||
### YamlMime:FAQ
|
||||
metadata:
|
||||
title: BitLocker Network Unlock FAQ (Windows 10)
|
||||
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
BitLocker Network Unlock FAQ
answer: |
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
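Review bot: The answer text copied into this new yml still carries the typo "can ot be connected" (should be "cannot be connected") and mixes "Windows Deployment services" with "Windows Deployment Services"; since the conversion copies the prose verbatim from the deleted .md, fix both here rather than carrying them forward. Also, the only question in the `Ignored` section is titled "BitLocker Network Unlock FAQ", identical to the page `title`, so the rendered page shows the same heading twice; a real question such as "What is BitLocker Network Unlock?" would read better as the question text.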
@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server you will also need
| Topic | Description |
| - | - |
| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. |
| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.|
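Review bot: The table row swaps the link target from bitlocker-frequently-asked-questions.md to bitlocker-frequently-asked-questions.yml, and the same change deletes the .md FAQ pages elsewhere; make sure each removed or renamed .md path gets an entry in the repository's redirection file so published URLs and bookmarks to the old pages don't break, and grep the TOC and the other BitLocker topics for remaining .md references, since only a few link updates appear in this change.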
@ -1,44 +0,0 @@
---
title: BitLocker Security FAQ (Windows 10)
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker Security FAQ
**Applies to**
- Windows 10
## What form of encryption does BitLocker use? Is it configurable?
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
## What is the best practice for using BitLocker on an operating system drive?
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
## What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
## What are the advantages of a TPM?
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
@ -0,0 +1,53 @@
### YamlMime:FAQ
metadata:
title: BitLocker Security FAQ (Windows 10)
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
What form of encryption does BitLocker use? Is it configurable?
answer: |
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
- question: |
What is the best practice for using BitLocker on an operating system drive?
answer: |
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
- question: |
What are the implications of using the sleep or hibernate power management options?
answer: |
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
- question: |
What are the advantages of a TPM?
answer: |
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
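Review bot: The sleep/hibernate answer carries the typo "configured to use an another startup authentication factor" over from the deleted .md; drop the "an". Two smaller points in the same file: `ms.reviewer:` is left with an empty value in `metadata` (parsed as null), so either fill it or drop the key, and the `summary: |` block ends with four empty lines before `sections:`, which is harmless YAML but noisy.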
@ -1,48 +0,0 @@
---
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
---
# BitLocker Upgrading FAQ
**Applies to**
- Windows 10
## Can I upgrade to Windows 10 with BitLocker enabled?
Yes.
## What is the difference between suspending and decrypting BitLocker?
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
## Do I have to suspend BitLocker protection to download and install system updates and upgrades?
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
- You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
@ -0,0 +1,55 @@
### YamlMime:FAQ
metadata:
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
Can I upgrade to Windows 10 with BitLocker enabled?
answer: |
Yes.
- question: |
What is the difference between suspending and decrypting BitLocker?
answer: |
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- question: |
Do I have to suspend BitLocker protection to download and install system updates and upgrades?
answer: |
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
- You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
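Review bot: The last bullet of the "Users need to suspend BitLocker for Non-Microsoft software updates" list is a tip on how to check whether Secure Boot is used for integrity validation, not another kind of update, so it should be a sentence after the list rather than a list item, and the command in it should be in a code span (`manage-bde -protectors -get C:`) so the flags survive rendering and can be copied. Minor wording in the same answer: "Non-Microsoft" mid-sentence should be "non-Microsoft", and "UEFI\BIOS" reads better as "UEFI/BIOS".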
@ -332,7 +332,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
## More information
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
@ -58,7 +58,7 @@ By completing the procedures in this scenario, you have viewed and copied the re
## More information
- [BitLocker Overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
@ -0,0 +1,124 @@
### YamlMime:FAQ
metadata:
title: Using BitLocker with other programs FAQ (Windows 10)
description: Learn how to integrate BitLocker with other software on your device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: Using BitLocker with other programs FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
Can I use EFS with BitLocker?
answer: |
Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
- question: |
Can I run a kernel debugger with BitLocker?
answer: |
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
- question: |
How does BitLocker handle memory dumps?
answer: |
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
- question: |
Can BitLocker support smart cards for pre-boot authentication?
answer: |
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
- question: |
Can I use a non-Microsoft TPM driver?
answer: |
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
- question: |
Can other tools that manage or modify the master boot record work with BitLocker?
answer: |
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
- question: |
Why is the system check failing when I am encrypting my operating system drive?
answer: |
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
- question: |
What can I do if the recovery key on my USB flash drive cannot be read?
answer: |
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
- question: |
Why am I unable to save my recovery key to my USB flash drive?
answer: |
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
- question: |
Why am I unable to automatically unlock my drive?
answer: |
Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
- question: |
Can I use BitLocker in Safe Mode?
answer: |
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
- question: |
How do I "lock" a data drive?
answer: |
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
> [!NOTE]
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
The syntax of this command is:
<code>manage-bde <i>driveletter</i> -lock</code>
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
- question: |
Can I use BitLocker with the Volume Shadow Copy Service?
answer: |
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
- question: |
Does BitLocker support virtual hard disks (VHDs)?
answer: |
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it is supported.
- Without TPM: Yes, it is supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
- question: |
Can I use BitLocker with virtual machines (VMs)?
answer: |
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
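Review bot: In the "How do I "lock" a data drive?" answer the switch is written with an en dash (`–lock`) and the syntax line uses raw HTML (`<code>manage-bde <i>driveletter</i> -lock</code>`); write the command with an ASCII hyphen in a Markdown code span, for example `manage-bde <driveletter> -lock`, so the flag works when copied, and use one spelling of the tool name (`Manage-bde` and `manage-bde` both appear). Two more things in this file: "uEFI firmware" in the system check list should be "UEFI", and the `ms.assetid` value c40f87ac-17d3-47b2-afc6-6c641f72ecee duplicates the one in bitlocker-security-faq.yml earlier in this change; asset ids are meant to be unique per page, so give one of them a fresh GUID or drop the key from the new yml files.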
@ -196,7 +196,7 @@ However, you cannot use recovery passwords generated on a system in FIPS mode fo
- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker](bitlocker-overview.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker basic deployment](bitlocker-basic-deployment.md)