diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md index 78c2a8e0a0..dc5d51a31d 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md @@ -11,15 +11,15 @@ Windows uses hardware solutions and security features that protect BitLocker enc ## Protection before startup -Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. These features ensure that the device hasn't been tampered with while the system was offline: +Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot: -- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system was offline. For more information about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) +- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - *Unified Extensible Firmware Interface (UEFI)* is a programmable boot environment that initializes devices and starts the operating system's bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md) - *Secure Boot* blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key ### BitLocker and reset attacks -To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. +To defend against malicious reset attacks, BitLocker uses the *TCG Reset Attack Mitigation*, also known as *MOR bit* (Memory Overwrite Request), before extracting keys into memory. ## Security policies diff --git a/windows/security/operating-system-security/data-protection/bitlocker/device-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/device-encryption.md index 19a36e0ace..56830979b7 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/device-encryption.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/device-encryption.md @@ -1,60 +1,46 @@ --- -title: Device Encryption -description: Learn how Device Encryption works for devices that support it. +title: Device encryption +description: Learn how device encryption works for devices that support it. ms.topic: overview -ms.date: 10/06/2023 +ms.date: 10/09/2023 --- -# Device Encryption +# Device encryption -Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. +*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, including Home edition, but requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access. -Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically: +> [!IMPORTANT] +> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives -- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. +Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up. -- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials. +- If the device is Microsoft Entra joined or Active Directory domain joined, the clear key is removed once the the recovery key is successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy settings must be enabled for the recovery key to be backed up: [Choose how BitLocker-protected operating system drives can be recovered](policy-settings.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) + - For Microsoft Entra joined devices: the recovery password is created automatically when the user authenticates to Microsoft Entra ID, then the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed + - For AD DS joined devices: the recovery password is created automatically when the computer joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed +- If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials +- If a device uses only local accounts, then it remains unprotected even though the data is encrypted -- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS: +If a device doesn't initially qualify for device encryption, but then a change is made that causes the device to qualify (for example, turn *Secure Boot* on), device encryption enables BitLocker automatically as soon as it detects it (unless device encryption is disabled). - *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** - - With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. +You can check whether a device meets requirements for device encryption in the System Information app (msinfo32.exe). If the device meets the requirements, System Information shows a device encryption Support line that reads: **Meets prerequisites**. -- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. +## Difference between BitLocker and device encryption -Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting: +- Device encryption turns BitLocker on automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account +- Device encryption adds a device encryption setting in the Settings app, which can be used to turn device encryption on or off + - The Settings UI will not show device encryption enabled until encryption is complete + > [!NOTE] + > If device encryption is turned off, it will no longer automatically enable itself in the future. The user must enable it manually in Settings -- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker` -- **Type**: `REG_DWORD` -- **Value**: `PreventDeviceEncryption` equal to `1` (True) +:::image type="content" source="images/settings-device-encryption.png" alt-text="Screenshot of the Settings app showing the device encryption panel." border="False""::: + +## Disable device encryption + +It's recommended to keep device encryption on for any systems that support it. However, you can prevent the automatic device encryption process by changing the following registry setting: + +| Path|Name|Type|Value| +|-|-|-|-| +| `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`| `PreventDeviceEncryption`|REG_DWORD|0x1| > [!NOTE] -> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied. - -*Device Encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device Encryption is available on all Windows versions, including Home edition, but requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access. - -Device Encryption encrypts the data on a device immediately, but doesn't enable protection until the key is safely backed up to the user's Microsoft account. The encrypted device is left in a *clear key* state, where the encryption key is stored in plain text on the volume to allow free access to the data. Even though the data is encrypted, the device is completely unprotected in this state. In this *clear key* state, `manage-bde.exe` will show data as encrypted, but **Protection Off**, and no protectors yet added. Device encription-capable devices are in this state if no Microsoft account user signs in as an administrator of the device. Connecting to a Microsoft account and the internet causes the recovery key to back up, protector to be added (using the device's TPM), and protection to be enabled. - -Difference between BitLocker and Device Encryption (DE): - -- Device Encryption turn BitLocker on automatically on Device Encryption-qualifying devices, with the recovery key automatically backed up to the user's Microsoft account -- Device Encryption adds a Device Encryption setting in the Settings app - -Device Encryption facts: - -- Device Encryption enables BitLocker automatically once a Microsoft Account is signed in to the device and the recovery key gets successfully backed up to the user's account - - On Windows Home edition, Device Encryption enables BitLocker with limited management capabilities (via the BitLocker Control Panel applet only) - - On other Windows versions where *full* BitLocker is present, Device Encryption's effect is to turn BitLocker on automatically instead of waiting for manual activation - -- If a device uses only local accounts, then it remains unprotected even though the data is encrypted -- Device Encryption has a UI in the Settings app to turn it on/off -- If Device Encryption is turned off, it will no longer automatically enable itself in the future. The user must enable it manually in Settings -- If a device doesn't initially qualify for Device Encryption, but then a change is made that causes the device to qualify (for example, turn Secure Boot on), Device Encryption will enable BitLocker automatically as soon as it detects it (if Device Encryption wasn't previously turned off) -- Device Encryption is enabled as soon as the device completes OOBE, but the work to encrypt all existing data waits for both AC power and idle time to start the actual encryption, therefore full protection may not be complete immediately. In most cases, encryption takes only minutes to complete - -- The Settings UI will not show Device Encryption enabled until encryption is complete -- manage-bde.exe is available and has all capabilities on all versions of Windows -- Device Encryption encrypts only fixed drives, will not encrypt external/USB drives - -You can check whether a device meets requirements for Device Encryption in the System Information app (msinfo32.exe). (see below for more) +> Device encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device is decrypted, you can apply different BitLocker settings. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png b/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png new file mode 100644 index 0000000000..52a594efb7 Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md index e8ea6b3061..866dcdaba2 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md @@ -11,7 +11,7 @@ This policy setting is used to determine which certificate to use with BitLocker BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default OID is `1.3.6.1.4.1.311.67.1.1`. -If you enable this policy setting, the object identifier specified in the **Object identifier** field must match the object identifier in the smart card certificate. If you disable or do not configure this policy setting, the default OID is used. +If you enable this policy setting, the object identifier specified in the **Object identifier** field must match the object identifier in the smart card certificate. If you disable or don't configure this policy setting, the default OID is used. > [!NOTE] > BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index 1df63e050c..e0e38859de 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md @@ -14,13 +14,13 @@ BitLocker is a Windows security feature that provides encryption for entire volu ## Practical applications -Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the devices's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections,rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled. +Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the devices's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled. ## BitLocker and TPM BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a common hardware component installed on Windows devices, and it works with BitLocker to ensure that a device hasn't been tampered with while the system is offline. -On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. However, this implementation requires the user to insert a USB key to start the device or when resuming from hibernation. A password can also be used to protect the OS volume on a device without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. However, this implementation requires the user to insert a USB key to start the device, or when resuming from hibernation. A password can also be used to protect the OS volume on a device without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker has the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB drive) that contains a *startup key*. These security measures provide multifactor authentication and assurance that the device can't start or resume from hibernation until the correct PIN or startup key is presented. @@ -57,12 +57,12 @@ BitLocker has the following requirements: *Device Encryption* is a security feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device Encryption requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements, and have no externally accessible ports that allow DMA access. -To learn more about Device Encryption, see the [Device Encryption](device-encryption.md). +To learn more about Device Encryption, review the [Device Encryption](device-encryption.md) documentation. [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] > [!NOTE] -> Licensing requirements for BitLocker enablement are different from the licensing requirements for BitLocker management. To learn more, see [Configure BitLocker](configure.md). +> Licensing requirements for BitLocker enablement are different from the licensing requirements for BitLocker *management*. To learn more, review the how-to guide: [configure BitLocker](configure.md). ## Next steps diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md index fd86252c71..3ef90f8981 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md @@ -1,11 +1,11 @@ --- -title: BitLocker - How to enable Network Unlock +title: Network Unlock description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.topic: how-to ms.date: 11/08/2022 --- -# BitLocker: How to enable Network Unlock +# Network Unlock This article describes how BitLocker Network Unlock works and how to configure it. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md index 60b3a32488..623dd02dc0 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md @@ -33,7 +33,7 @@ An effective implementation of information protection, like most security contro It's crucial that organizations protect information on their devices regardless of the state of the device or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided. -The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). +The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker countermeasures](countermeasures.md). ### BitLocker key protectors @@ -79,13 +79,13 @@ The protection differences provided by multifactor authentication methods can't ## Manage passwords and PINs -When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files. +When BitLocker is enabled on a system drive and the device has a TPM, users can be required to enter a PIN before BitLocker unlocks the drive. Such a PIN requirement can prevent an attacker who has physical access to a device from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files. -Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. +Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs, especially if you require to change the PIN regularly. -In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. +In addition, Modern Standby devices don't require a PIN for startup: they're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. -For more information about how startup security works and the countermeasures that Windows provides, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md). +For more information about how startup security works and the countermeasures that Windows provides, see [Preboot authentication](countermeasures.md#preboot-authentication). ## TPM hardware configurations @@ -109,8 +109,8 @@ Devices without a TPM can still be protected by drive encryption using a startup Use the following questions to identify issues that might affect the deployment in a non-TPM configuration: -- Is there a budget for USB flash drives for each of these computers? -- Do existing non-TPM devices support USB devices at boot time? +- Is there a budget for USB flash drives for each of these devices? +- Do existing non-TPM devices support USB drives at boot time? Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. @@ -129,21 +129,19 @@ Windows RE can also be used from boot media other than the local hard disk. If W ## BitLocker provisioning -BitLocker can be provisioned before the operating system is installed. Preprovisioning requires a TPM. +Administrators can enable BitLocker before to operating system deployment from the *Windows Pre-installation Environment* (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, then this step takes only a few seconds, and can be incorporated into existing deployment processes. Preprovisioning requires a TPM. To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker Control Panel applet or Windows Explorer. The **Waiting For Activation** status means that the drive was preprovisioned for BitLocker, and there's only a clear protector used to encrypt the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the Control Panel options, PowerShell cmdlets, the `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. The volume status then will be updated. When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status. -Administrators can enable BitLocker before to operating system deployment from the Windows Pre-installation Environment (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, then this step takes only a few seconds, and can be incorporated into existing deployment processes. - ## *Used Disk Space Only* encryption The BitLocker Setup wizard provides administrators the ability to choose the *Used Disk Space Only* or *Full* encryption method when enabling BitLocker for a volume. Administrators can use BitLocker policy settings to enforce either Used Disk Space Only or Full disk encryption. Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select **Used Disk Space Only** or **Full** drive encryption. -With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new devices and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. @@ -167,7 +165,7 @@ The following recovery data is saved for each computer object: ## FIPS support for recovery password protector -Devices configured to operate in FIPS mode can create FIPS-compliant recovery password protectors, which use the FIPS-140 NIST SP800-132 algorithm. +Devices configured to operate in FIPS mode can create FIPS-compliant recovery password protectors, which use the *FIPS-140 NIST SP800-132* algorithm. > [!NOTE] > The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. @@ -177,18 +175,15 @@ Devices configured to operate in FIPS mode can create FIPS-compliant recovery pa ## Network Unlock -Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. +Some organizations have location-specific data security requirements, especially in environments with high-value data. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those devices shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the device is connected to the corporate network is necessary. -Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled). -Network Unlock requires the following infrastructure: +*Network Unlock* enables BitLocker-protected devices to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the device isn't connected to the corporate network, a user must enter a PIN to unlock the drive (if PIN-based unlock is enabled). Network Unlock requires the following infrastructure: -- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) +- Client devices that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) +- A Windows Server running the Windows deployment services (WDS) role +- A DHCP server -- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role - -- A server with the DHCP server role installed - -For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](network-unlock.md). +For more information about how to configure Network unlock feature, see [Network Unlock](network-unlock.md). ## BitLocker administration and monitoring