Bitlocker To Go for USB encryption
Surface & Windows
Microsoft HK Ltd
BitLocker Drive Encryption Overview
Benefits of Using Bitlocker
Bitlocker does Not need agent deployment
USB drive encrypted with Bitlocker can be accessed by Windows XP, Vista, 7, 8.1 and 10
Bitlocker provides offline protection to all types of files and folders
Bitlocker has tight integration with Active Directory to simplify recovery management
Group Policy to handle all configurations
Detailed Compliance Reports for the organization
Bitlocker has whole disk/used disk scenarios to reduce overall encryption time
License for using Bitlocker also covers Windows 10 Enterprise!
BitLocker Drive Encryption in Windows 7/10
BitLocker and BitLocker To Go Overview
Leveraging existing investment in Windows 7/10
BitLocker is a data protection feature of Windows® 10 operating system
Does not require purchase of a third party product
Available in Professional, Enterprise, Education editions of Windows 10
Full Volume Encryption technology
Integrated with Trusted Platform Module (TPM) technology for secure, tamper-resistant key protection
Can protect system drives, additional data drives, and removable USB/Flash drives
Can provide boot environment verification to protect against tampering
Encrypts system files, including operating system files, pagefile, hibernation file, configuration, and more
Combinations of key protection: PIN, USB key or TPM only
Offers multiple key recovery alternatives, including backup to Encrypted SQL Server, Active Directory® (AD) directory service and recovery password
BitLocker key requirements
TPM version 1.2 or 2.0
A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-start-up system integrity verification and multifactor authentication.
A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
The boot order must be set to start first from the hard disk, and not the USB or CD drives.
The firmware must be able to read from a USB flash drive during startup
For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.
For details, see https://technet.microsoft.com/en-us/library/dn383581(v=ws.11).aspx
BitLocker limitations highlights
BitLocker cannot protect against ransomware attacks
BitLocker does not support TPM 1.1 or before
What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
Changing any boot configuration data (BCD) boot entry data type settings
BIOS boot order, BIOS/firmware/TPM upgrade, adding or removing hardware, OS language pack (for all users), changes to the MBR or boot manager, motherboard replacement
Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker.
For details, see https://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_R2disks
Securing the Resources - Protecting Sensitive Data
BitLocker and BitLocker to Go
Support e-token with X.509 certificate as encryption protector
Group Policy to Enforce BitLocker Drive Encryption
BitLocker to Go (W7/10)
Controlled by Group Policy
Unlock by passphrase, Smart Card, or with domain credentials
Windows® XP SP3 and Windows® Vista users can read BitLocker To Go® encrypted drives using the passphrase
Share existing Encrypting File System (EFS) self-signed Smart Card Certificates with BitLocker
Automatic unlocking of USB drives associated with one computer on successful log-on
Data Drive Key Storage (W7/10)
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats that most concern them.
Passphrase
Pros: Ease of use, backward compatibility, BitLocker To Go reader
Cons: Less secure, vulnerable to brute force and dictionary attacks
Automatic unlock (drive bound to one computer)
Pros: Uses a stronger key
Cons: Specific to a single machine, user context if removable
Smart card
Pros: Uses much stronger keys
Cons: Requires hardware, not backward compatible
Windows 7/10 BitLocker To Go
Removable data drives
USB flash drives
External Hard Drives
Active Directory backup of recovery password
Robust and consistent Group Policy controls
Ability to mandate encryption prior to granting write access
Gramm-Leach-Bliley, PCI DSS, SOX, FISMA and FIPS compliant (Win10 1511)
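An added example (not from the deck) of the removable-drive workflow the slide describes: encrypt a USB drive with BitLocker To Go, add a 48-digit recovery password, and back that protector up to the computer object in AD DS. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated session, and that the drive letter E: is the removable drive in question.

```powershell
# Added example, not code from the presentation. Assumes the BitLocker module,
# an elevated session, and that E: is the removable drive (assumption).
$MountPoint = "E:"

# Read the passphrase interactively so it never lands in a script or shell history.
$Password = Read-Host -AsSecureString -Prompt "Passphrase for $MountPoint"

# Used-space-only encryption keeps initial encryption short on a mostly empty drive
# (the deck's whole disk / used disk point); AES-256 is the stronger choice.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# Add a 48-digit recovery password as a second protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# Back up only the recovery password protector to AD DS (requires the
# "Store BitLocker recovery information in AD DS" policy to be enabled).
$Vol = Get-BitLockerVolume -MountPoint $MountPoint
$Rp  = $Vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Rp.KeyProtectorId

# Report protection status and the Recovery ID the help desk will ask for.
[pscustomobject]@{
    Drive            = $MountPoint
    ProtectionStatus = $Vol.ProtectionStatus
    VolumeStatus     = $Vol.VolumeStatus
    RecoveryId       = $Rp.KeyProtectorId
}
```

VolumeStatus reads EncryptionInProgress until the drive is fully encrypted; the AD backup succeeds only if the computer is domain-joined and can reach a writable domain controller.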
BitLocker offers data protection
Operating system drive
Balance ease-of-use against the threats that most concern you
TPM only, Dongle, TPM+PIN, TPM+Dongle, TPM+PIN+Dongle
Active Directory for BitLocker
Recovery data saved for each computer object
Recovery passwords - A 48-digit recovery password
Key package data - Helps recovery if the disk is severely damaged
Recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators
Optionally store recovery information in encrypted SQL
There is only one TPM owner password per computer
There can be more than one recovery password per computer
Active Directory BitLocker Group Policy
Providing the recovery password – By Recovery ID
If the computer name is not available, you can use the BitLocker Recovery Password Viewer after you have obtained the first 8 characters of the Recovery Key ID.
Open the Active Directory Users and Computers snap-in. In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.
In the Find BitLocker Recovery Password dialog box, type the first 8 characters of the recovery password in the Password ID (first 8 characters) box, and then click Search.
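The same lookup done from PowerShell instead of the snap-in, as an added example that is not part of the presentation: it searches the msFVE-RecoveryInformation objects in AD DS for the entry whose Recovery ID starts with the 8 characters the user reads out. It assumes the ActiveDirectory module (RSAT) and an account that the ACLs on those objects allow to read msFVE-RecoveryPassword; the function name is the author's own.

```powershell
# Added example, not code from the presentation. Assumes the ActiveDirectory
# module and read access to msFVE-RecoveryInformation objects.
function Find-BitLockerRecoveryPassword {
    param(
        # First 8 hex characters of the Recovery ID shown on the recovery screen.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$RecoveryIdPrefix
    )
    Import-Module ActiveDirectory

    # Recovery objects are children of the computer object; their CN embeds the
    # backup date and the full Recovery GUID, so a prefix match on CN finds them.
    $Filter = "objectClass -eq 'msFVE-RecoveryInformation' -and cn -like '*{$RecoveryIdPrefix*'"
    $Hits = Get-ADObject -Filter $Filter -Properties 'msFVE-RecoveryPassword'

    foreach ($Obj in $Hits) {
        # The parent DN is the computer object the drive was backed up from.
        $ComputerDn = ($Obj.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADObject $ComputerDn).Name
            RecoveryGuid     = [regex]::Match($Obj.Name, '\{([^}]+)\}').Groups[1].Value
            RecoveryPassword = $Obj.'msFVE-RecoveryPassword'
        }
    }
}

# Usage: the prefix below is a constructed placeholder, not a real Recovery ID.
Find-BitLockerRecoveryPassword -RecoveryIdPrefix '0123ABCD'
```

A computer can have several recovery passwords (one per drive or per re-key), so more than one row is normal; the Recovery ID on the user's screen picks the right one.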
MBAM System Overview
Recovery Password Data
Key Recovery Service
Helpdesk UX for Key Recovery
Group Policy: AD, AGPM
Recommended for 50 - 300 users
MBAM High Availability Overview
Web Server 1
SQL Server 1
Web Server 2
SQL Server 2
Recommended for 300 users+
Enterprise Compliance Report
Provides a snapshot of the organization
Number and percent compliant
Total number of computers managed
Last contact date
Computer Compliance Report
Lets you know if a computer is compliant or not
User or Computer
Operating System/FDV/RDV Policy
Hardware Audit Report
Used when you enable Hardware Compatibility Management Policy
Shows you the changes made through the Hardware Compatibility page
Original & current value
Recovery Key Access Audit Report
Who accessed key
Who key was requested for
What was requested
Who has been requesting recovery information
MBAM Support & Operations
Enable Windows Standard Users
Standard users can:
Change PIN or passwords via MBAM Control Panel
Right-Click access to MBAM
Hides BitLocker Control Panel UI so users have a more difficult time:
Done through policy, so can be made visible if desired
IT HelpDesk Support Portal
IT HelpDesk Support Portal Drive Recovery
IT HelpDesk Support Portal Manage TPM
Questions? Steven.lau@Microsoft.com Andyfung@Microsoft.com
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
So here I have my Surface Pro 4, which has already been set up with Windows Hello for facial recognition. I am going to step in front of it, and it happens super fast, so watch carefully and see how fast it can authenticate me into the system using biometrics.
Just like that. An incredibly simple user experience, and it adds more security than a traditional password. Microsoft is working closely with other hardware vendors to make this technology an industry standard.