BitLocker Changes in Windows 8

Windows BitLocker Drive Encryption is a Windows data-protection feature that Microsoft first made available in Windows Vista. BitLocker offers volume-level encryption for data stored on Windows client and server platforms. The feature protects the data when the Windows system is offline (e.g., when the OS is shut down) and can prevent data breaches such as the theft of confidential data on laptop computers. (See also, "Microsoft BitLocker Administration and Monitoring").

Microsoft has continued to improve BitLocker functionality in successive Windows releases, to allow it to protect more drive and device types. In the first version of BitLocker, which shipped with Windows Vista and Windows Server 2008, only one volume -- the OS drive -- could be BitLocker-protected. In Vista SP1 and Server 2008, Microsoft added support for BitLocker protection of different volumes, including local data volumes. In Windows 7 and Server 2008 R2, Microsoft added BitLocker support for removable data volumes (i.e., memory sticks and external data drives), a feature that Microsoft refers to as BitLocker To Go. In the next version of Windows, code-named Windows 8, Microsoft extends BitLocker's protection reach through support for failover cluster volumes and SAN storage.

But Windows 8 also comes with an important set of BitLocker usability enhancements that can significantly reduce the time it takes to enable BitLocker protection. These enhancements are BitLocker pre-provisioning, used disk space–only encryption, and standard user PIN and password selection. In this article, I provide more details about these new BitLocker features and how you and your organization can leverage them.

BitLocker Pre-Provisioning

In Windows 8, administrators can enable BitLocker for a volume before the OS is installed. Microsoft refers to this as BitLocker pre-provisioning. Thanks to pre-provisioning, users can rapidly implement BitLocker protection for their data. Users don't need to wait for the encryption process to finish when they turn on BitLocker after Windows has been installed. In Vista and Windows 7, users must wait until the Windows OS has been installed, BitLocker has been enabled, and the entire encryption process has finished.

During pre-provisioning, Windows generates a random encryption key that BitLocker then uses to encrypt the volume. Microsoft calls the random encryption key a clear protector because it is stored on disk in an unprotected way. After Windows is installed, users can fully protect the encryption key for the pre-provisioned volume by activating BitLocker on the volume and selecting a BitLocker unlock method.

Administrators can enable BitLocker pre-provisioning from the Windows Preinstallation Environment (WinPE) by using the Manage-bde BitLocker command-line utility. WinPE is a lightweight Windows environment that is used for installing the Windows OS. For example, to pre-provision BitLocker on your F drive, type the following Manage-bde command at a WinPE command prompt:

manage-bde -on f: 

Note that you need a customized WinPE image to make Manage-bde work in WinPE. (By default, WinPE doesn't include the Manage-bde tool or the Windows Management Instrumentation -- WMI -- objects that Manage-bde leverages.) To create this custom WinPE image, you must add the optional WinPE-WMI and WinPE-SecureStartup components, as described in the Microsoft article "Building a Windows PE Image with Optional Components."

To support pre-provisioning, Microsoft is introducing a new BitLocker status for volumes: BitLocker Waiting for Activation. When a volume is pre-provisioned, it shows up with this status and a yellow exclamation icon in the BitLocker Drive Encryption Control Panel applet, as Figure 1 shows for drive F. The exclamation-point icon highlights the fact that the encryption key is still unprotected.

Figure 1: Windows 8 BitLocker status codes 

Just as you would for a regular BitLocker enablement, you can use the BitLocker Drive Encryption applet, the Manage-bde command-line tool, or Windows PowerShell BitLocker cmdlets to activate BitLocker after it has been pre-provisioned. Depending on the volume that you're protecting, you can also choose one of the following BitLocker unlock methods:

Five options for OS drives:

Three options for fixed and removable data drives:

See the Microsoft article " How Strong Do You Want the BitLocker Protection?" for a nice comparison of the unlock methods and their pros and cons. 

Used Disk Space Only Encryption

Windows 8 BitLocker supports a new encryption option that encrypts only the used space on a protected volume. Used disk space–only encryption makes the encryption of empty or partially empty volumes much faster. In previous Windows versions, BitLocker has only one encryption option: encrypt everything -- the data as well as all free space.

Administrators can combine used disk space–only encryption with BitLocker pre-provisioning. Enabling BitLocker on largely empty drives then becomes a process that takes mere seconds. This process can be invoked easily from automated Windows deployment processes and programs, by using Manage-bde or the BitLocker PowerShell cmdlets.

To enforce the use of either used disk space–only encryption or full encryption on domain-joined client machines, administrators can use a new set of Group Policy Object (GPO) settings in the Computer ConfigurationAdministrative TemplatesWindows ComponentsBitlocker Drive Encryption container. A new Enforce drive encryption type setting is available for OS, fixed, and removable data drives. These settings obviously can't be applied to pre-provisioning; GPOs can't be enforced before Windows is installed. If administrators don't configure these GPO settings or set the settings to the default Allow user to choose option, then users can select the encryption option in the BitLocker Setup Wizard when they turn on BitLocker protection for a volume from the Windows GUI, as Figure 2 shows.

Figure 2: Choose how much of your drive to encrypt screen 

Microsoft recommends that you use used disk space–only encryption on new PCs and volumes only. Full encryption is the preferred option for volumes that are already in use. This is because free space on a used volume might still hold retrievable and valuable data, and only full encryption can ensure that everything is encrypted.

When you enable BitLocker from the command-line by using Manage-bde and the -on switch, BitLocker uses full encryption. If you want BitLocker to use used disk space–only encryption, then you must add the -usedspaceonly switch after the -on switch, as Figure 3 shows.

Figure 3: Using the Manage-bde command-line tool 

Standard User PIN and Password Change

The final new BitLocker feature that can significantly reduce and ease BitLocker deployment in Windows 8 is the ability to let a standard user (i.e., a non-administrator) to change the BitLocker unlock PIN (for OS drives) or password (for fixed data drives). This capability allows your IT staff to enable BitLocker and set the same initial PIN or password on all PC images during the automated Windows deployment process. Your users can then change this initial PIN or password after the installation.

In Windows 8, standard users are entitled by default to change a volume's BitLocker PIN or password. In the BitLocker Drive Encryption applet, you'll see that the Change PIN and Change password actions aren’t marked with a shield icon, as Figure 1 shows. You can change this behavior by using the Disallow standard users from changing the PIN or password GPO setting in the Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System Drives GPO container. Even though this setting shows up only in the Operating System Drives GPO container, it applies to both OS and fixed data volumes.

Standard users obviously can change the password or PIN only when they know the current PIN or password. By default, a user has five attempts to enter the correct current PIN or password. When the retry limit is reached, the user is blocked from changing the PIN or password. The retry count can be reset to zero when an administrator resets the volume PIN or password or when the system is rebooted.

This feature also allows users to choose PINs and passwords. Often, this capability isn’t to security's advantage: Users tend to use simple passwords and PINs. That's why you should always use GPO settings to enforce the BitLocker password and complexity rules. To control password complexity, you can use the Configure use of passwords for GPO setting, which is available for each of the three protected drive types (i.e., OS, fixed data, removable data) in the Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption GPO container, as Figure 4 shows for fixed data drives. To apply this BitLocker password-complexity requirement setting, you must also make sure that the Password must meet complexity requirements GPO setting in Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword Policy is enabled. In Windows 8, this setting is enabled by default.

Figure 4: Configuring the use of passwords for fixed data drives 

Network Unlock

Network Unlock is a new unlock method for BitLocker-protected OS volumes. Network Unlock allows for the automatic (i.e., without user intervention) unlocking of a BitLocker-protected OS volume when a Windows domain-joined desktop or server boots. In earlier Windows versions, BitLocker-protected OS volumes that are unlocked by using the combination of a TPM secret and a PIN code require an administrator to enter a PIN whenever the machine boots or returns from hibernation. This requirement makes it difficult to automatically install software and security patches on these machines.

Network Unlock works like the TPM plus startup key unlock method. Instead of reading a startup key from a USB medium, Network Unlock uses an unlock key. This key is composed of a key that is stored on the machine's local TPM and a key that Network Unlock receives from a Windows 8 Windows Deployment Services (WDS) server on the trusted network. If the WDS server is unavailable, then BitLocker displays the standard startup key unlock screen. (See also, "Q: What is BitLocker Network Unlock?").

Administrators can use the new Allow Network Unlock at startup GPO setting to control which client computers can use Network Unlock. This setting is in the Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System Drives GPO container.

The key exchange between the BitLocker-protected client and the WDS server uses DHCP. The Windows 8 WDS server role must have the optional BitLocker Network Unlock feature installed to allow the WDS server to handle and reply to the incoming Network Unlock DHCP requests. Figure 5 shows how to install the BitLocker Network Unlock option as a feature for the WDS server role in the Windows 8 Add Roles and Features Wizard.

Figure 5: Adding the BitLocker Network Unlock feature for the WDS server role 

On the client side, Network Unlock requires the client hardware to have a DHCP driver implemented in its Unified Extensible Firmware Interface. UEFI is an industry specification that defines a software interface between the OS and the platform firmware.

The WDS server also needs a special X.509 certificate and associated private key; this certificate must be present on all clients that will use Network Unlock. For more details about what the content requirements of the Network Unlock X.509 certificate are, how to generate it, and how to push it to your clients, see the Microsoft "Understand and Troubleshoot BitLocker in Windows Server '8' Beta" guide. 

Extended Storage Support

In Windows 8, Microsoft extends the use of BitLocker by enabling it to protect data on failover cluster volumes and SANs. Windows Server 8 BitLocker supports the creation of encrypted volumes on a Windows failover cluster. This applies to both physical disk resources, which can be accessed only one cluster node at a time, and cluster shared volumes (CSVs), which can be accessed by different cluster nodes simultaneously. CSV BitLocker support requires CSV version 2.0 (CSv2.0), which Microsoft introduces in Windows Server 2012.

BitLocker can now also support protected OS and data volumes that are stored on a SAN and accessed through iSCSI or Fibre Channel. BitLocker for SAN storage supports used disk space–only encryption, which is important for enabling BitLocker on large data volumes.

Finally, Windows 8 BitLocker supports a new type of disk drive that provides hardware-based encryption: Encrypted Hard Drives (EHDs). Microsoft provides an integrated interface for managing EHDs and BitLocker; this interface is basically an extension of the BitLocker Drive Encryption applet. EHDs and BitLocker each use a different approach for encryption. BitLocker protects system and data volumes by using volume-level and software-based encryption. Volume-level encryption is encryption that occurs on the volume level. Software-based encryption takes place in software.

EHDs provide Full Disk Encryption (FDE) and hardware-based encryption. FDE occurs on the disk level (i.e., on each block of a physical drive). Hardware-based encryption is encryption that is offloaded to the drive's storage controller, making encryption operations more efficient.

In Windows 8, Device Manager will identify EHDs and integrate them into the OS. EHDs for Windows 8 require compliance with specific Trusted Computing Group (TCG)  and IEEE 1667 standards. You can also find more details about EHDs and about BitLocker support for SAN storage and failover clusters in "Understand and Troubleshoot BitLocker in Windows Server '8' Beta." 

We've Come Far

BitLocker has come a long way since it was introduced in Vista. By adding new features and optimizing and refining existing features, Microsoft has significantly extended BitLocker's reach. In the meanwhile, Microsoft has gone to great efforts to make the BitLocker documentation more usable and down-to-earth. A good example is the BitLocker FAQ  that Microsoft recently released. Add to this the Microsoft BitLocker Administration and Monitoring (MBAM) tool, which I discussed in my previous article "Microsoft BitLocker Administration and Monitoring,"  and you can see that BitLocker is much more ready for enterprise prime time than it used to be.