- Set up a SharePoint 2010 development environment - Mon, Sep 3 2012
- MBAM 2.0 – BitLocker Administration and Monitoring changes in Windows 8 - Thu, Jul 26 2012
- BitLocker in Windows 8 - Thu, Jul 19 2012
BitLocker is an essential tool to keep your corporate data secure. Mobile working is common these days and will further increase in the future; a lost device can pose a serious threat to your business. With BitLocker, you can encrypt your mobile device’s hard disk and make sure that the data on a lost device cannot be recovered except by the owner.
In Windows 8, Microsoft focuses on reducing the time it takes to protect your data with BitLocker, namely with these four new features: pre-provisioning, used disk space encryption, user PIN and password selection, and support of hardware encrypted volumes.
BitLocker, pre-provisioning
With BitLocker, pre-provisioning the hard drive is protected before Windows 8 is installed. This is a major improvement because before you had to install the OS, turn on BitLocker, and wait until the drive was encrypted. Now the user just has to turn on BitLocker, and the drive is instantly protected because BitLocker has already encrypted it. This new volume state is displayed in the BitLocker administration panel with the message “BitLocker waiting for Activation.”
Used disk space encryption
When BitLocker is turned on, it used to encrypt the whole volume. Depending on the performance of your computer, the workload, and the size of the volume, this could take a few hours. BitLocker acts more sophisticated in the new version: it just encrypts the used parts of the volume. This new feature can greatly reduce the time the encryption task needs, especially when it is combined with pre-provisioning.
BitLocker Management Panel in Windows 8
This feature sounds great, and it sure is. However, you should use it only on new hard disks because, with used disk space encryption turned on, BitLocker encrypts only the used parts of your hard disk. But unused parts of a volume can still contain data that is unencrypted and could easily be restored. So the only way to secure your data on a used drive is to encrypt it fully.
User PIN and password selection
The last feature that will speed up and ease BitLocker’s deployment is the user’s ability to set PINs and passwords. Before, administrative privileges were needed. Now you can roll out new computers with BitLocker protected volumes and let the user change the initial standard PIN or password used on all OS deployments. Group Policies, which let administrators set complexity rules for the PINs and passwords, help enforce strong passwords.
Network unlock
In addition to the performance improvements, there is also a new feature I want to mention: network unlock. Network unlock allows the automatic unlocking of a BitLocker encrypted OS volume when a computer boots. The prerequisites are that the computer has to be domain joined, is connected to a trusted wired corporate network, and has a UEFI firmware that supports DHCP. Network unlock will ease the patching process on unattended desktops or servers because there is no need to unlock the BitLocker secured volume manually.
Hardware-encrypted hard disks
Another feature that boosts the performance of the encrypted volumes is the support of hardware-encrypted hard disks. In the past, BitLocker didn’t care whether the hard disk supports encryption or not. It treated them the same way and encrypted the data by using the host’s CPU. BitLocker is now cleverer. It recognizes that a hard disk has encryption hardware, makes use of the hardware, and therefore doesn’t put any stress on the CPU.
As an administrator, you probably don’t want every user to be responsible for managing BitLocker. Therefore, Microsoft offers a tool for BitLocker Administration and Monitoring. A new version of the tool will be released with Windows 8. You can find a short summary of the improvements the new version offers in my follow-up post.
