Exportar (0) Imprimir
Expandir todo

What's New in BitLocker for Windows 8.1 and Windows Server 2012 R2

Publicada: junio de 2013

Actualizado: enero de 2014

Se aplica a: Windows 8.1, Windows Server 2012 R2

The following is new functionality in BitLocker for Windows 8.1 and Windows Server 2012 R2:

  • Support for device encryption

    BitLocker is providing support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices.

For details about the features introduced with Windows 8 and Windows Server 2012, see Novedades de BitLocker.

Device encryption helps protect data on your Windows PC. It helps block malicious users from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would. Device encryption protects the operating system drive and any fixed data drives on the system using AES 128-bit encryption. Device encryption can be used with either a Microsoft Account or a domain account. To support device encryption, the system must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems. The pre-requisites are listed in the following sections:

  • System.Fundamentals.Security.DeviceEncryption - General device encryption requirements.

  • System.Fundamentals – Connected standby systems requirements.

  • System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby- Requirements for TPM 2.0 and Secure Boot for connect standby systems.

Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines the way this is accomplished:

  • When a clean install of Windows 8.1 is completed the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state).

  • If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key using their Microsoft Account credentials.

  • If the user signs in using a domain account, the clear key is not removed until the user joins the device to a domain (on x86/x64 platforms) and the recovery key is successfully backed up to Active Directory Domain Services. The Group Policy setting Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives must be enabled and the option Do not enable BitLocker until recovery information is stored in AD DS for operating system drives should be selected. With this configuration the recovery password will be automatically created when the computer joins the domain, then the recovery key will be backed up to AD DS, the TPM protector is created, and the clear key is removed.

For more information about the recovery key and how to access it, see Recovery keys: Frequently asked questions.

  1. If you have performed a clean install of Windows 8.1, device encryption is turned on by default. If you have upgraded a previous Windows installation to Windows 8.1, you can turn device encryption on by using PC info.

  2. To open PC info, swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings.)

  3. Tap or click PC & devices, and then tap or click PC info. The Device Encryption section appears at the bottom of the PC info page.

  4. In the Device Encryption section, select Turn On.

  5. Device encryption cannot be turned off on devices running Windows RT. For other devices, in the Device Encryption settings portion of PC info, you can select Turn Off if you want to stop using device encryption for any reason.

If you do not want the devices you are deploying to be automatically protected with device encryption, you can configure the unattend file to enforce the following registry setting:

  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

  • Value: PreventDeviceEncryption equal to True (1)

  • Type: REG_DWORD

Device encryption is subject to BitLocker Group Policy settings; however, its default configuration will conflict with some Group Policy settings. The following list describes the policy settings that should be set to either “not configured” or, if configured, reviewed to ensure that they support device encryption.

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup settings:

    • Any option that requires a startup authentication method other than the TPM.

      Device encryption defaults only allow for the TPM key protector to be configured when the device is encrypted. On Windows x84 and x86 computers an additional protector can be added after the device is encrypted from the BitLocker Control Panel by using the Change how drive is unlocked at startup item.

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Choose how BitLocker-protected operating system drives can be recovered and Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Choose how BitLocker-protected fixed data drives can be recovered settings:

    • Device encryption uses recovery passwords only. If you have configured this Group Policy setting with the option Do not allow 48-digit recovery password, device encryption will be prevented because its only recovery method is the recovery password.

    • Device encryption requires that passwords be backed up to an online storage location. If you have configured this Group Policy setting with the option Save BitLocker recovery information to Active Directory Domain Services unchecked, device encryption will be prevented because device encryption requires that the recovery password be backed up to AD DS if the device is domain-joined.

Enabling Recovery Password protectors to use a FIPS compliant algorithm and be fully functional in FIPS mode will allow BitLocker to be more manageable in FIPS mode.

noteNota
The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management.

To set FIPS compliant mode for Windows, see System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

Changes in functionality include:

  • FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode, which uses the FIPS certifiable algorithm.

  • Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.

  • Recovery unlock using the FIPS certifiable algorithm based recovery password protector work in all cases that currently work for recovery password.

  • When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.

  • FIPS-compliant recovery password protectors can be exported and stored in AD while in FIPS mode.

Prior to Windows Server 2012 R2 and Windows 8.1, when you enabled FIPS compliancy for system cryptography, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. Now, the user can use their BitLocker recovery password to unlock the system running Windows Server 2012 R2 and Windows 8.1. The following list describes the two applications:

  • A recovery password can be created while in FIPS mode

    To comply with FIPS requirements, you can enable the local policy setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. To ensure the BitLocker is turned on for client computers in your organization, you can update your Windows deployment images to have this policy setting. You can continue to use AD to back up recovery passwords as well. You can use these management tools to verify that recovery passwords are created and stored for BitLocker client computers in FIPS mode.

  • Recovery password can be used while in FIPS mode

    When a user in your organization must perform a BitLocker recovery on her computer running Windows 8.1, they can retrieve the recovery password through established channels, such as Help Desk or their IT administrator, enter it into the BitLocker interface, and continue their work.

    Unlock with recovery password is fully functional while in FIPS mode

For more information about how the FIPS-compliant BitLocker recovery passwords fit into your design, see Prepare your organization for BitLocker: Planning and Policies.

¿Te ha resultado útil?
(Caracteres restantes: 1500)
Gracias por sus comentarios

Adiciones de comunidad

Mostrar:
© 2014 Microsoft