BitLocker Compliant or Practical? Mixed Message by Microsoft

On one hand, Microsoft says that BitLocker with pre-boot authentication (TPM + PIN) is the recommended best practice (See Here). On the other, Microsoft admits that BitLocker with their pre-boot authentication “inconveniences users and increases IT management costs.” That is a mixed message for any IT pro responsible for keeping devices compliant and secure.

Read on to discover the compliance shortfalls of BitLocker and how to address them.

Does Microsoft claim pre-boot authentication is not necessary?

Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization. The first article, on “Types of attacks for volume encryption keys”, lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.”

Best Encryption

Reach BitLocker’s Full Potential with the BitLocker Toolkit

Being a security professional can be tough if you don’t have the right tools for the best encryption. Some of the tools in your arsenal are native encryption solutions, like BitLocker, which provide a strong first step in data security. But with your IT environment growing ever more complex – multiple devices, multiple operating systems, and strapped resources – it’s time to start managing your environment the smartest way.

Full Disk Encryption, UEFI, Secure Boot and Device Guard

It has been a while since I have written about UEFI, Secure Boot and their impact on Full Disk Encryption (FDE) pre-boot authentication (PBA), so it’s time for an update on what is new in this area. First, though, here is a recap, because this is a bit of an arcane technical subject. UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a standard model for the interface between personal-computer operating systems and platform firmware. It provides a standard environment for booting an operating system and running pre-boot applications such as the PBA for FDE. It replaces the traditional legacy BIOS interface that was used with Windows 7 and older systems. Now that Windows 10 is being widely adopted, I expect to see UEFI used on almost all new machines.

BitLocker Windows 10

What’s the 411 on Windows 10?

The official Windows 10 rollout is almost here. After much anticipation, Microsoft will introduce its new operating system on July 29. WinMagic product experts are examining the new operating system’s security features so we can best advise our customers on what those features mean for regulatory compliance and overall security best practices.

Keeping up with the Joneses

The evolution of technology goes at a breakneck pace. Whether it’s new products coming to market or updates to existing products – it’s a never-ending cycle.

As a software company that supports multiple operating systems (OS), we’re no different, and one of the common questions I’m asked is about releasing product updates to support the various OS updates.