The volume is encrypted but the encryption key is saved "in the clear"

The volume is indeed encrypted, but BitLocker is "suspended." This means the Full Volume Encryption Key (FVEK) used to scramble the data is saved to disk in plaintext where anyone can read it, and anyone who can read the FVEK can read your data too.

Assuming your volume is C:, run manage-bde -on C: from an elevated Command Prompt (no, this won't turn BitLocker on... it's already on):

```
PS C:\> manage-bde -on c:
BitLocker Drive Encryption: Configuration Tool version 4
Copyright (C) 2013 Microsoft Corporation.

NOTE: This command did not create any new key protectors.
BitLocker protection is suspended until key protectors are created for the
volume. Type "manage-bde -protectors -add -?" for information on adding more key protectors.

To enforce BitLocker protection on this volume, add a key protector.
```

According to Microsoft's documentation about suspending BitLocker: "Suspension of BitLocker does not mean that BitLocker decrypts data on the volume. Instead, suspension makes the key used to decrypt the data available to everyone in the clear. New data written to the disk is still encrypted."

The reason BitLocker is "waiting for activation" is that no key protectors exist for the volume. BitLocker uses protectors to control access to the FVEK. Notice the output of manage-bde -protectors C: -get:

```
PS C:\> manage-bde -protectors C: -get
```

Until at least one protector is created, BitLocker cannot leave suspended mode and the Windows UI will report that it is waiting for activation.

There are several ways to activate BitLocker in this situation. I prefer doing so from the Control Panel, as it allows you to enable protection without requiring a Microsoft account:

1. In Start, search for "manage BitLocker" and choose the result from Control Panel.
2. In the BitLocker Drive Encryption applet, click Turn on BitLocker.
3. Choose one of the options for backing up your recovery key.

The result of completing this wizard is that your volume encryption key is "protected" and no longer saved to the disk in the clear, meaning your encrypted data is now actually protected from unauthorized access.

Windows may have automatically enabled BitLocker after you completed the Out Of Box Experience (OOBE) if your device supports Modern Standby or is HSTI-compliant. Since Windows 8.1, BitLocker has been automatically enabled on these devices. This means many new computers come from the factory with BitLocker enabled by default.

Related reading:

- SuperUser answer discussing the relationship of the Full Volume Encryption Key and key protectors.
- List of the different types of BitLocker key protectors.
- "This is the fourth blog in our series on using BitLocker with Intune", by Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune.
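The same check and fix can be scripted, which is useful for auditing a fleet of machines for the "waiting for activation" state rather than clicking through the wizard one device at a time. The script below is an added example, not code from the original post; it uses the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Resume-BitLocker) and the TrustedPlatformModule module (Get-Tpm) as the PowerShell equivalents of the manage-bde commands above. The function names Test-BitLockerWaitingForActivation and Enable-BitLockerProtection are my own, and it must run from an elevated prompt.

```powershell
# Added example, not part of the original post. Detects and (optionally) remediates a
# volume whose data is encrypted but which has no key protectors, i.e. the FVEK is
# stored in the clear and the Windows UI reports "waiting for activation".
# Function names are hypothetical; cmdlets are from the built-in BitLocker module.

function Test-BitLockerWaitingForActivation {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )
    # Equivalent to: manage-bde -status C: / manage-bde -protectors C: -get
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # The condition described in the post: the volume is encrypted (not FullyDecrypted),
    # yet the KeyProtector list is empty, so ProtectionStatus shows Off.
    $encrypted    = $vol.VolumeStatus -ne 'FullyDecrypted'
    $noProtectors = (@($vol.KeyProtector)).Count -eq 0

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        ProtectorTypes       = (@($vol.KeyProtector.KeyProtectorType) -join ',')
        WaitingForActivation = ($encrypted -and $noProtectors)
    }
}

function Enable-BitLockerProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive
    )
    $state = Test-BitLockerWaitingForActivation -MountPoint $MountPoint
    if (-not $state.WaitingForActivation) {
        Write-Verbose "$MountPoint is not waiting for activation (protectors: $($state.ProtectorTypes))."
        return $state
    }
    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Add key protectors and resume BitLocker')) {
        return $state
    }

    # 1. Recovery password first, so a 48-digit recovery key exists before the TPM
    #    becomes the only way to unlock the volume. This is what the wizard's
    #    "back up your recovery key" step creates.
    #    manage-bde equivalent: manage-bde -protectors -add C: -RecoveryPassword
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Write-Verbose "Recovery password protector added: $($rp.KeyProtectorId)"

    # Escrow the recovery password somewhere other than the machine itself. Pick the
    # line that matches your join state (both cmdlets are part of the BitLocker module):
    #   Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId   # AD DS
    #   BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId   # Azure AD / Entra

    # 2. TPM protector so the OS volume unlocks automatically at boot when the
    #    measured boot state matches. Skipped if no ready TPM is present.
    #    manage-bde equivalent: manage-bde -protectors -add C: -TPM
    if ((Get-Tpm).TpmReady) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    } else {
        Write-Warning "No ready TPM on this machine; only the recovery password protector was added."
    }

    # 3. Leave suspended mode. With protectors present this is the step that removes
    #    the clear-text copy of the FVEK from disk.
    #    manage-bde equivalent: manage-bde -protectors -enable C:
    Resume-BitLocker -MountPoint $MountPoint | Out-Null

    # Re-read the state so the caller sees ProtectionStatus = On and the new protector list.
    Test-BitLockerWaitingForActivation -MountPoint $MountPoint
}

# Usage (elevated):
#   Test-BitLockerWaitingForActivation               # report only
#   Enable-BitLockerProtection -WhatIf               # show what would change
#   Enable-BitLockerProtection -Verbose              # add protectors and resume
```

The detection function is deliberately separate from the remediation so it can be run read-only across many machines first; a volume that reports VolumeStatus of FullyEncrypted with an empty ProtectorTypes column is exactly the state the post describes. Since Add-BitLockerKeyProtector with -RecoveryPasswordProtector generates the password locally, the escrow step is the one you must not skip: without it, a later TPM measurement change leaves the volume unrecoverable.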
