
Microsoft tightens Windows 8 encryption with Windows 8.1 features

Windows 8 encryption is more secure, thanks to Windows 8.1, but admins first must know whether drives are affected and which hardware is required.

In Windows 8.1, Microsoft has jumped on the encryption bandwagon, if not quite in reaction to the National Security Agency. As with its Surface RT tablet line, Microsoft's Windows 8.1 automatically encrypts disk drives by default. This Windows 8 encryption is active from the moment a Windows 8.1 device is first turned on, and a user would be hard-pressed to notice that anything was different.

But there is a difference: the recovery key, which you need to decrypt the files on the protected drive, is not protected until you go through the step of uploading it either to a Microsoft account (where it is stored on SkyDrive and is accessible to the device owner from anywhere with an Internet connection) or to Active Directory, which is how traditional BitLocker encryption in Windows Vista, Windows 7 and Windows 8 has worked.

Here are some details on how to check whether devices are encrypted, ways to manage that encryption, and which devices currently support it.

How to tell whether devices are encrypted

In Windows 8.1, there are two places you can look to see device encryption status.

  • In the Modern (formerly known as Metro) user interface, open Settings and drill down to PC and Devices, then PC Info. A section in the right pane called Device encryption reports the current status of Windows 8 encryption on the device itself and lists any steps you need to take to enable encryption if it is not already on. There is also a button to disable Windows device encryption, but doing so is not recommended.
  • In the old-fashioned Disk Management snap-in to the Microsoft Management Console, the bottom part of the window lists each physical disk and the volumes on it. Encrypted volumes display the words BitLocker Encrypted right beside the partition size and file system.

You can save recovery keys only to a Microsoft account through the Modern interface and the PC Settings screen. There is no Control Panel applet in the traditional desktop interface for managing the encryption.

Group Policy Objects used for BitLocker

While BitLocker can now store recovery keys in SkyDrive as part of the device's Microsoft account integration, enterprises are much more likely to be interested in using Active Directory and Group Policy to manage recovery keys. The BitLocker Group Policy Objects (GPOs) that must be configured are located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

To have recovery keys stored in the directory, use the following Group Policies:

  • Choose how users can recover BitLocker-protected drives (in Windows Server 2008 and Windows Vista)
  • Choose how BitLocker-protected operating system drives can be recovered
  • Choose how BitLocker-protected fixed drives can be recovered
  • Choose how BitLocker-protected removable drives can be recovered

Microsoft TechNet also provides advice on how to prepare Active Directory to receive protected recovery keys.
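Both the status check described above and the Active Directory key escrow that the GPOs enable can be scripted instead of clicked through. The following is an added example, not code from the article or from Microsoft; it assumes the BitLocker PowerShell module that ships with Windows 8.1, an elevated prompt, a domain-joined machine whose AD schema has been prepared for BitLocker recovery information, and that the recovery GPOs listed above already permit AD backup.

```powershell
# Added example (not from the article): report device encryption status for every
# volume, then escrow each numerical recovery password to Active Directory.
Import-Module BitLocker

function Get-EncryptionReport {
    # One row per volume, mirroring what the PC Info pane and Disk Management show
    Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            Drive            = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem, Data
            Status           = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress
            Protection       = $_.ProtectionStatus    # On / Off (Off = key exposed, e.g. suspended)
            Method           = $_.EncryptionMethod
            PercentEncrypted = $_.EncryptionPercentage
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Backup-RecoveryKeysToAD {
    foreach ($vol in Get-BitLockerVolume) {
        # Only the 48-digit recovery password protector is what AD stores
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint): no recovery password protector; nothing to escrow"
            continue
        }
        foreach ($p in $rp) {
            # Writes the protector to the computer object's msFVE-RecoveryInformation child object
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
            Write-Output "$($vol.MountPoint): backed up protector $($p.KeyProtectorId) to AD"
        }
    }
}

Get-EncryptionReport | Format-Table -AutoSize
Backup-RecoveryKeysToAD
```

A volume that reports ProtectionStatus Off with a FullyEncrypted status is encrypted but has its key stored in the clear (suspended protection), which is worth flagging separately from an unencrypted volume.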

Hardware requirements for always-on Windows 8 encryption

For a Windows 8 device to be encrypted by default, the following hardware needs to be present, and the following conditions need to be true:

  • Secure Boot support, which requires both an x64 edition of Windows 8.1, not your old-fashioned 32-bit version, and Unified Extensible Firmware Interface, or UEFI, firmware instead of a legacy BIOS.
  • A Trusted Platform Module, or TPM, chip, which has been standard issue on most business-oriented laptops since 2008. This chip typically isn't used on inexpensive laptops marketed primarily to consumer channels, although that will likely change as a result of the Windows 8.1 device specifications.
  • Support for connected standby, which is the mode where almost all of the device is put into extremely low-power mode. This does not include the network device, which maintains a connection and wakes up every so often to receive push notifications, emails and other network information. Connected standby requires a solid-state drive, not spinning media; soldered memory that does not come in pluggable SIMMs or DIMMs; and network cards compatible with Network Driver Interface Specification 6.30.
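The prerequisites above can be checked from an elevated PowerShell prompt before an admin wonders why a machine never turned encryption on. This is an added example, not code from the article or from Microsoft; it assumes the SecureBoot and TrustedPlatformModule modules present on Windows 8 and later, and that `powercfg /a` prints a line beginning "Standby (Connected)" on hardware that supports connected standby (the wording is a documented-behaviour assumption, not something the article states).

```powershell
# Added example (not from the article): check the always-on device encryption
# prerequisites listed above and return an ordered pass/fail table.
function Test-DeviceEncryptionPrereqs {
    $checks = [ordered]@{}

    $checks['x64 Windows'] = [Environment]::Is64BitOperatingSystem

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; $false means UEFI with Secure Boot off
    try   { $checks['UEFI with Secure Boot on'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['UEFI with Secure Boot on'] = $false }

    # Get-Tpm needs an elevated prompt; TpmReady means owned/activated, not just present
    try {
        $tpm = Get-Tpm
        $checks['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { $checks['TPM present and ready'] = $false }

    # powercfg /a lists the sleep states the firmware and drivers support; connected standby
    # being offered already implies SSD, soldered RAM and NDIS 6.30 NICs, so it is checked as one item
    $states = (& powercfg.exe /a 2>&1) -join "`n"
    $checks['Connected standby'] = [bool]($states -match 'Standby \(Connected\)')

    $checks['All prerequisites met'] = -not ($checks.Values -contains $false)

    # Emit one object per check so the result can be piped to Format-Table or exported
    foreach ($name in $checks.Keys) {
        [PSCustomObject]@{ Check = $name; Passed = $checks[$name] }
    }
}

Test-DeviceEncryptionPrereqs | Format-Table -AutoSize
```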

The connected standby requirement is the one most likely to hold up pervasive deployment of device encryption, because it generally demands a tablet-like approach to designing a system. But then again, on-the-go devices are the ones that need encryption the most.


Only someone with the right encryption key like a password can unscramble and read it. Device encryption helps block hackers from getting the files they need to steal your password. If your PC itself is lost or stolen, device encryption also helps keep other people from accessing your data by physically installing your locked drive in a different PC. Even if your PC is encrypted, you can still sign in to Windows and use your files as you normally would.
Very sad though that one has to store their key out on Microsoft's Onedrive if they're not connected to AD. Thank you M$ and Big Brother for being in bed together yet again. I'll stick with 3rd party encryption you don't control.
This only applies to 8.1 Pro ... BitLocker is not available on standard 8.1

Also, not happy about M$ holding the keys, although it could be back-doored anyway, regardless of whether they held the keys in OneDrive; essentially, how can we trust this particular US company with encryption when they don't even allow decent passwords on