– Turn on device encryption
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see BitLocker. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows operating system.
More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
Table 2 lists specific data-protection concerns and how they’re addressed in Windows 11, Windows 10, and Windows 7. The best type of security measures is transparent to the user during implementation and use. Every time there’s a possible delay or difficulty because of a security feature, there’s strong likelihood that users will try to bypass security.
In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. Basically, it was a big hassle. Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM.
There’s no need to go into the BIOS, and all scenarios that required a restart have been eliminated. BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction.
Combined with Used Disk Space Only encryption and a mostly empty drive because Windows isn’t yet installed , it takes only a few seconds to enable BitLocker. With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment.
Microsoft has improved this process through multiple features in Windows 11 and Windows Beginning in Windows 8. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices.
BitLocker device encryption further protects the system by transparently implementing device-wide data encryption. Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:. Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:.
In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. After that, different BitLocker settings can be applied. BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume including parts that didn’t have data. That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted.
In that case, traces of the confidential data could remain on portions of the drive marked as unused. But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they’re overwritten by new encrypted data.
In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it’s written to the disk.
Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
For more information about encrypted hard drives, see Encrypted Hard Drive. An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. It’s crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users.
This protection shouldn’t be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in.
Challenging users for input more than once should be avoided. Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place.
The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. For more information, see BitLocker Countermeasures. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files.
This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials.
Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don’t require a PIN for startup: They’re designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see Protect BitLocker from pre-boot attacks. Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn’t leave the building or be disconnected from the corporate network.
Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs.
Network Unlock requires the following infrastructure:. MBAM 2. Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July , or they could receive extended support until April For more information, see Features in Configuration Manager technical preview version For more information, see Monitor device encryption with Intune.
Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Table of contents Exit focus mode. Table of contents. Important Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July , or they could receive extended support until April Submit and view feedback for This product This page.
View all page feedback. In this article. Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks. Network Unlock allows PCs to start automatically when connected to the internal network. BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers.
BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password.
I would like to add that Windows defaults to bit encryption. Did anyone proof read this? This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows. See all comments To turn off BitLocker you must be logged in as an administrator.
BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it. Windows will require a BitLocker recovery key when it detects a possible unauthorized attempt to access the data. Oct 11, · Recently I looked into enabling “BitLocker Drive Encryption” on Windows 10 Pro. After enabling it, I discovered that “Device Encryption” under Settings -> Update and Security -> Device Encryption was already enabled. This is a new Lenovo laptop from 12/, bought from Lenovo with Windows 10 installed. Oct 27, · Here is how you can do it: Open Control Panel. Head to View by and select Large icons or Small icons. Click BitLocker Drive Encryption. If you need more information when checking information about one of the drives on your computer, try the next 2 methods. 3. Check BitLocker’s Status With the Command Prompt.