Sunday, August 25, 2013

How to Use BitLocker in Windows 8
Years ago, Bill Gates made a commitment to continually improve the security of Microsoft Windows. Over the years, and even today, Microsoft has stayed true to their founder’s promise. A perfect example is BitLocker full disk encryption. Introduced with Windows Vista, BitLocker has become more advanced in each subsequent version of Windows. Windows 8 doesn’t disappoint as it brings us the most advanced version of BitLocker yet.

Improvements to BitLocker

Let me mention a few improvements to BitLocker in Windows 8. The first is BitLocker Pre-Provisioning, which allows IT administrators to enable BitLocker for a drive before Windows 8 is even installed on the PC. The importance of this feature is that it drastically reduces the amount of time a user needs to wait before getting to work. Previous versions of Windows required a user to wait until after the OS was installed, BitLocker was enabled, and the entire drive was encrypted before they could start using the PC. It’s now possible for the drive to be encrypted before installation with a randomly generated Clear Protector, as Microsoft calls it, so that after the install the user simply finalizes encryption by replacing the clear key with a proper key protector.

Options for encryption

Next on the list of improvements to mention is the ability to encrypt only used space. This represents a huge change as far as productivity is concerned. Consider this example for a moment:
In Windows 7 if you had a 2TB drive with 1GB used and turned on BitLocker, you’d watch as all 2TB were encrypted. The same scenario in Windows 8 could take only 1⁄2000 of the time. This gem of a change is the secret behind Pre-Provisioning only taking mere seconds in some scenarios.
With Windows 8, non-admin users now have the capability to change the BitLocker encryption PIN on their PC. The significance here is that administrators can now set a common initial PIN on a Windows image and then allow users to change the PIN to something unique. Of course, this is a pro/con scenario. Sure it eases deployment concerns for the IT department, but users are always the weakest link in the security chain. Allowing them to change the BitLocker PIN is sure to result in short, insecure PINs.
The solution here is to consider your environment and requirements. If the risk isn’t worth the reward, use the Disallow standard users from changing the PIN or password setting in Group Policy. You’ll find it in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives GPO container.
Fig 1 - Disallow User PIN Change GP

Getting started

Turning on BitLocker in Windows 8 is simple and straightforward. Begin by opening the Charms Bar, clicking the Search Charm, entering BitLocker in the search box, and then clicking Settings. Click BitLocker Drive Encryption in the results list and you’ll be whisked to the BitLocker Drive Encryption Control Panel applet.
The BitLocker Drive Encryption Control Panel applet shows the PC’s hard drives, including removable storage such as USB keys and the like. Like I said, it’s as simple as clicking Turn on BitLocker next to the drive letter you want encrypted. BitLocker will do a quick system check, and if all goes well it will ask how you wish to unlock the drive. If you wish to use a password, select that option; you’ll then be asked to enter and confirm the password and click Next.
The next step is critically important. BitLocker needs to know where to back up the Recovery Key. The Recovery Key is the only way to decrypt your drive if the password is misplaced. Without the password or the recovery key the drive might as well be a Frisbee.
Because of this, I strongly suggest saving the recovery key to your Microsoft Account, a USB drive, or a network share.
Fig 2 - BitLocker Choose Recovery Key Location
It’s possible to back up the recovery key to Active Directory if you’re working in a domain environment. The recovery information is stored in the computer object, but that is a topic for another article.
Now that the Recovery Key is backed up (you did back it up, right?), select how to encrypt the drive. The choices are used disk space only or entire drive. I suggest used disk space only, as it’s a much faster option and one of the benefits of BitLocker in Windows 8.
Are you ready to encrypt this drive? Click Continue and let BitLocker get to work. You’ll be prompted to restart and once the computer comes back up to the Desktop, the drive will start encrypting. There’s really no more to it than that!
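The same procedure, driven from an elevated PowerShell prompt instead of the Control Panel wizard, as an added example that is not part of the original article. It uses the BitLocker and TrustedPlatformModule modules that ship with Windows 8, covers the Active Directory escrow mentioned above, and ends with a helper for the WinPE Pre-Provisioning step from the first section. The drive letter C:, the removable drive E:, and the use of a TPM+PIN protector are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article): enable BitLocker on the
# OS drive the way the wizard does, but from PowerShell. Assumes Windows 8,
# an elevated session, OS drive C: and a USB key mounted at E: (assumptions).
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

$Drive       = "C:"
$RecoveryDir = "E:\BitLockerRecovery"   # assumption: removable media, never the drive being encrypted

# Step 1 - the wizard's "quick system check": is a ready TPM available?
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM. Initialize the TPM or allow BitLocker without one via Group Policy (see 'What could go wrong?')."
}

# Step 2 - turn BitLocker on. Used space only is the fast Windows 8 option;
# the first protector is the 48-digit recovery password (the article's Recovery Key),
# so a backup exists before any PIN or TPM binding is added.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector

# Step 3 - add the day-to-day unlock method: TPM + startup PIN.
# The PIN is read as a SecureString so it never sits in the script or the console history.
$pin = Read-Host -Prompt "Enter startup PIN" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $pin | Out-Null

# Step 4 - back up the recovery password: to a file on the USB key ...
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$rp.RecoveryPassword | Set-Content -Path (Join-Path $RecoveryDir "$($rp.KeyProtectorId).txt")

# ... and, on a domain-joined PC, escrow it into the computer object in Active Directory
# (the domain's BitLocker recovery policy must permit this, as the article notes).
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
}

# Step 5 - report status; reboot if BitLocker asks for its hardware test, as the wizard would.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod

# Pre-Provisioning variant from the first section, run in WinPE before Windows is applied.
# WinPE has manage-bde but not the PowerShell module; this creates the clear-key protector
# the article describes, which the steps above later replace with real protectors.
function Invoke-BitLockerPreProvision {
    param([string]$MountPoint = "C:")
    & manage-bde.exe -on $MountPoint -UsedSpaceOnly
}
```

The recovery password is added first on purpose: if the TPM binding or PIN ever fails, the escrowed or filed recovery password is the only remaining way in, exactly the point the article makes with its Frisbee remark. Check that the `Backup-BitLockerKeyProtector` call actually landed by inspecting the computer object's msFVE-RecoveryInformation children before relying on it.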

What could go wrong?

Before I go letting you believe it’s always sunshine and roses I should mention that you can occasionally run into a roadblock or two. Don’t worry, they don’t happen regularly and are usually not too hard to resolve.
One of the most common situations to pop up is an error when you try to turn on BitLocker that says “This device can’t use a Trusted Platform Module.” This typically means you’re using an older computer or operating in a virtualized environment. If this happens to you, simply click Cancel, run GPEdit.msc to edit Group Policy, navigate to the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives container, and double-click the Require additional authentication at startup policy.
The next step will probably jump out at you; check the box next to Allow BitLocker without a compatible TPM, then click OK.
Fig 3 - Allow BitLocker without TPM Group Policy Setting
Exit GPEdit.msc and either wait patiently until the next automatic Group Policy update, or be impatient like me and run GPUpdate from a Command Prompt. Either way, once Group Policy updates you can start the BitLocker Drive Encryption wizard without worrying about that pesky error getting in your way again.
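A quick way to confirm whether the TPM is really the problem, and whether the two Group Policy settings discussed above (the no-TPM allowance here and the standard-user PIN-change restriction from the Options section) have actually taken effect after GPUpdate, as an added example that is not part of the original article. It reads the registry values those policies write under the FVE policy key; the interpretation of each value is an assumption you should compare against the GPEdit view on your own machine.

```powershell
# Added example (not from the original article): diagnose the "can't use a
# Trusted Platform Module" error and verify the Group Policy fix took effect.
# Assumes Windows 8 with the TrustedPlatformModule module and an elevated session.
#Requires -RunAsAdministrator
Import-Module TrustedPlatformModule

$FvePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"   # where BitLocker policies are written

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Is there a usable TPM at all? Get-Tpm throws on platforms without TPM support.
$tpm = $null
try { $tpm = Get-Tpm } catch { }
$tpmUsable = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady
"TPM present: $(if ($tpm) { $tpm.TpmPresent } else { 'n/a' })  ready: $(if ($tpm) { $tpm.TpmReady } else { 'n/a' })"

# 2. 'Require additional authentication at startup' (assumed value names and meanings):
$advanced = Get-FvePolicyValue "UseAdvancedStartup"   # 1 = policy enabled
$noTpm    = Get-FvePolicyValue "EnableBDEWithNoTPM"   # 1 = 'Allow BitLocker without a compatible TPM' checked

# 3. 'Disallow standard users from changing the PIN or password' from the Options section:
$noPinReset = Get-FvePolicyValue "DisallowStandardUserPINReset"   # 1 = standard users cannot change the PIN

if ($tpmUsable) {
    "TPM is ready; the policy change is not needed for TPM-based protectors."
} elseif ($advanced -eq 1 -and $noTpm -eq 1) {
    "No usable TPM, but policy allows a password or startup-key protector instead."
} else {
    "No usable TPM and policy does not allow BitLocker without one. Set the policy, then run: gpupdate /force"
}

if ($noPinReset -eq 1) { "Standard users are blocked from changing the BitLocker PIN." }
else                   { "Standard users may change the BitLocker PIN (policy not set)." }
```

Run it once before editing the policy and once after GPUpdate; the second run should report the no-TPM allowance, and the PIN line tells you whether the weak-PIN risk discussed earlier has been closed.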
Windows 8 BitLocker brings its “A” game by making drive encryption easy for any user. If you’re not using BitLocker already, ask yourself one question: Why not?

 -----------------------------------------------------------------------------------------------------------------------
Why You Need Windows 8 Enterprise Now


Many consider Windows 8 Professional to be the version of Microsoft’s flagship desktop OS most suited to enterprises. This isn’t exactly true, as Windows 8 Professional has a big brother of sorts aimed squarely at these organizations. I’m speaking, of course, of the aptly named Windows 8 Enterprise.
Windows 8 Enterprise builds on the foundation of the business features found in Windows 8 Professional. Everything in Windows 8 Professional can be found along with six key additions unique to Windows 8 Enterprise. These include:
  • Windows to Go
  • DirectAccess
  • BranchCache
  • AppLocker
  • VDI enhancements to improve multimedia rich experiences through RemoteFX
  • App Sideloading turned on by default

Windows to Go

Windows to Go, arguably the most discussed feature of Windows 8 Enterprise, is a petite version of the OS that can be loaded and run from a USB flash drive. The goal of this is to create a secure, manageable, and portable corporate desktop experience that users can run on any hardware. Bringing their own PC to work, using their home computer, or even using the PC at the local library, it doesn’t matter, as the user will have their corporate desktop once they boot from their flash drive. Even better, at least for the IT department, is that when the user unplugs the flash drive from the PC, no traces of the corporate desktop, or corporate data, are left behind.
As compelling as Windows to Go is, it isn’t without a few drawbacks. First, it takes a bit to create the deployment image. Second, it requires using a certified flash drive of which, at the time of this article, there are precisely four supported manufacturers. Not exactly an overwhelming number. Another possible limitation is that Windows to Go disables the Windows Store by default.

DirectAccess

Possibly the most valuable feature of Windows 8 Enterprise to organizations is DirectAccess. DirectAccess allows mobile corporate PCs and Windows to Go desktops to connect securely into the enterprise network early in the boot process and completely automatically. A user booting a Windows to Go image at the local library would not only be able to process corporate login scripts, but also access files and printers back at the office. Think of it as a VPN without the VPN client. This gem of functionality isn’t new, but it is considerably improved. For one thing, deployment is many times easier in this iteration.

BranchCache

BranchCache is great for organizations with limited WAN bandwidth. Local PCs no longer need to download every file or website from the WAN even though the PC one cubicle over just downloaded the same file. With BranchCache in the mix, local caches serve up previously retrieved content to computers via the LAN, thus preserving the WAN for unique requests. Through its distributed cache mode, even organizations with only a handful of PCs and no resources for a dedicated hosted cache server can benefit from what BranchCache has to offer. BranchCache is also not new, but definitely improved. Improvements to how BranchCache works and deduplication algorithms bring the product to a new level.

AppLocker and App Sideloading

AppLocker is another improved feature from Windows 7 Enterprise that’s essentially whitelisting and blacklisting for software applications. Just as users select approved senders and denied senders to control spam from infiltrating their email, IT admins can use AppLocker to control what apps will, and will not, run on a PC. The IT department can set up one PC with all the organization’s software then, using a wizard, capture that configuration for AppLocker to use as a set of rules. Assign these rules to users or groups, and their PCs will now run only those applications that were present on that reference machine. If for instance they try and install Angry Birds, a big corporate no-way hammer drops down and prevents it. It’s a very effective tool for preventing malware or the lost productivity brought on by a Solitaire addiction.
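The reference-machine workflow described above, driven with the AppLocker PowerShell module rather than the wizard, as an added example that is not part of the original article. It inventories the software on the reference PC, generates publisher rules where files are signed and hash rules otherwise, tests a file outside that set before anything is enforced, and only then applies the policy. The directory list, the policy path, the group and user names, and the candidate file are all assumptions.

```powershell
# Added example (not from the original article): build an AppLocker policy
# from a reference machine, test it, then apply it. Assumes Windows 8 Enterprise
# with the AppLocker module and an elevated session. All names below are assumptions.
#Requires -RunAsAdministrator
Import-Module AppLocker

$RefDirs    = "C:\Program Files", "C:\Program Files (x86)", "C:\Windows"   # assumed reference locations
$PolicyFile = "C:\Policies\AppLocker-Reference.xml"                         # assumed output path
$TargetUser = "CONTOSO\Standard Users"                                      # assumed group the rules apply to

New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null

# 1. Inventory executables, installers and scripts present on the reference PC.
$files = $RefDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Turn the inventory into rules: publisher rules for signed files, hash rules for the rest.
#    -Optimize collapses many files from one publisher into a single rule.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User $TargetUser -Optimize -Xml |
    Set-Content -Path $PolicyFile -Encoding Unicode

# 3. Test before enforcing: would something outside the reference set (the article's
#    Angry Birds) be allowed to run for a given user?
$candidate = "C:\Users\alice\Downloads\AngryBirds.exe"   # constructed path for the test
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $candidate -User "CONTOSO\alice" |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply locally, merging with any existing local rules. For a GPO, pass -Ldap with the
#    GPO's LDAP path instead of applying to the local machine.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

The generated XML carries an EnforcementMode attribute on each rule collection; set it to AuditOnly for a first rollout so that blocked launches show up in the AppLocker event log without stopping anyone, and switch to Enabled once the audit events look right. That audit pass is what keeps a missed line-of-business tool from becoming a helpdesk flood.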

RemoteFX

The last two benefits of Windows 8 Enterprise are the least impressive. Through enhancements to RemoteFX support and by utilizing a Windows Server 2012 backend, Windows 8 Enterprise users can remotely access their virtualized desktop and have an experience much closer to that of a physical desktop. CAD, 3D video, USB port access and, new to this version of Windows, touchscreen support all improve the VDI user experience. App sideloading, the ability to deploy apps from a custom enterprise app store instead of the Windows Store, is enabled by default only in Windows 8 Enterprise. In other versions of Windows 8, it’s turned off and IT has to jump through some extra hoops to get it working. This is really only meaningful to organizations intending to develop and deploy their own custom Windows 8 native applications.

How to get Windows 8 Enterprise

Not only is Windows 8 Enterprise marketed to organizations rather than consumers, it can only be acquired through methods most consumers aren’t familiar with and, to put it frankly, probably don’t want to become familiar with. Windows 8 Enterprise can be had one of two ways: either through volume licensing or via the lesser-known route of a Windows InTune subscription.
Microsoft volume license customers that have a Windows license with Software Assurance can stroll on over to the Volume License Service Center and download Windows 8 Enterprise immediately. No muss, no fuss, and no extra charge. Of course, these folks probably already know all this.
The less common, but just as effective, route to Windows 8 Enterprise nirvana is through a Windows InTune subscription. Windows InTune is a Microsoft cloud-based system management offering for smaller organizations. For the low price of $11 per month, Microsoft will provide device management, app deployment, virus and malware protection and more, all from the cloud. Part of that “more” that I mentioned is, you guessed it, license rights to download and deploy Windows 8 Enterprise.
Few organizations will realize the value in all of Windows 8 Enterprise’s enhanced feature set. With that said, almost all organizations will be able to find value in at least some of the features. Be it Windows to Go, BranchCache, DirectAccess or AppLocker, there’s gold to be mined from Windows 8 Enterprise. The answer to how much and how valuable is as unique as the organizations who deploy it. If you haven’t explored Windows 8 Enterprise yet, what’s holding you back?
