deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 06:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

reverting changes

Browse Source
This commit is contained in:
Brian Lich
2017-01-25 14:27:06 -08:00
parent afd1d928c2
commit ecd000f39a
239 changed files with 2464 additions and 7524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/keep-secure/bitlocker-countermeasures.md
View File

@ -23,9 +23,9 @@ The sections that follow provide more detailed information about the different t
### Protection before startup
Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM.
Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM.
#### Trusted Platform Module
**Trusted Platform Module**
Software alone isnt sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
@ -33,7 +33,7 @@ A TPM is a microchip designed to provide basic security-related functions, prima
By binding the BitLocker encryption key with the TPM and properly configuring the device, its nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized users credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md).
#### UEFI and Secure Boot
**UEFI and Secure Boot**
No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solutions encryption keys.
@ -53,7 +53,7 @@ Using the digital signature, UEFI verifies that the bootloader was signed using
If the bootloader passes these two tests, UEFI knows that the bootloader isnt a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files havent been changed.
Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
All Windows 8certified devices must meet several requirements related to UEFI-based Secure Boot:
- They must have Secure Boot enabled by default.
- They must trust Microsofts certificate (and thus any bootloader Microsoft has signed).