Microsoft tightens Windows 8 encryption with Windows 8.1 features

Windows 8 encryption is more secure, thanks to Windows 8.1, but admins first must know whether drives are affected and which hardware is required.

In Windows 8.1, Microsoft has jumped on the encryption bandwagon, if not quite in reaction to the National Security Agency. As with with its Surface RT tablet line, Microsoft's Windows 8.1 automatically encrypts disk drives by default. This Windows 8 encryption is active when a Windows 8.1 device is first turned on, and a user would be hard-pressed to know anything was different.

But there is a difference, and it is that the recovery key, which you need to decrypt the files on the protected drive, is not protected until you go through the step of uploading the key either to a Microsoft Account (where it is stored on SkyDrive and is accessible to the device owner from wherever there is an Internet connection) or to Active Directory, which is the way traditional BitLocker encryption in Windows Vista, Windows 7 and Windows 8 has worked.

Here are some details on looking at whether devices are encrypted, ways to manage that encryption, and which devices currently support it.

How to tell whether devices are encrypted

In Windows 8.1, there are two places you can look to see device encryption status.

  • In the Modern (formerly known as Metro) user interface, you can check out Settings and drill down to PC and Devices, then PC Info. There will be a section in the right pane called Device encryption that will report the current status of Windows 8 encryption on the device itself and let you know of any steps you need to take to enable encryption if it is not already on. There is also a button to disable Windows device encryption, but doing this is not a best practice and isn't recommended.
  • In the old-fashioned Disk Management snap-in to the Microsoft Management Console, you can see in the bottom part of the window, where each physical disk is listed, the volumes that are on those disks. Encrypted volumes will display the words BitLocker Encrypted right beside the partition size and file system display.

You can save recovery keys only to a Microsoft account through the Modern interface and the PC Settings screen. There is no Control Panel applet in the traditional desktop interface for managing the encryption.

Group Policy Objects used for BitLocker

While BitLocker can now store recovery keys in SkyDrive as part of the device's Microsoft account integration, enterprises are much more likely to be interested in using Active Directory and Group Policy to manage recovery keys. The BitLocker Group Policy Objects (GPOs) that must be configured are located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

To have recovery keys stored in the directory, use the following Group Policies:

  • Choose how users can recover BitLocker-protected drives (in Windows Server 2008 and Windows Vista)
  • Choose how BitLocker-protected operating system drives can be recovered
  • Choose how BitLocker-protected fixed drives can be recovered
  • Choose how BitLocker-protected removable drives can be recovered

Microsoft TechNet also provides advice on how to prepare Active Directory to receive protected recovery keys.

Hardware requirements for always-on Windows 8 encryption

For a Windows 8 device to be encrypted by default, the following hardware needs to be present, and the following conditions need to be true:

  • Secure Boot support, which requires both an x64 edition of Windows 8.1, not your old-fashioned 32 bit version, and Unified Extensible Firmware Interface, or UEFI, bootware instead of BIOS.
  • A Trusted Platform Module, or TPM, chip, which has been standard issue on most business-oriented laptops since 2008. This chip typically isn't used on inexpensive laptops marketed primarily to consumer channels, although that will likely change as a result of the Windows 8.1 device specifications.
  • Support for connected standby, which is the mode where almost all of the device is put into extremely low-power mode. This does not include the network device, which maintains a connection and wakes up every so often to receive push notifications, emails and other network information. Connected standby requires a solid-state drive, not spinning media; soldered memory that does not come in pluggable SIMMs or DIMMs; and network cards compatible with Network Driver Interface Specification 6.30.

Generally, the connected standby feature is going to hold up the pervasive deployment of device encryption because it generally requires a tablet-like approach to designing a system. But then again, on-the-go devices are the ones that need encryption the most.

This was first published in March 2014

Dig deeper on Endpoint security management tools

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

3 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close