>Possible due to 1 it boots way faster. As soon as I logged in, I am good to go while on Windows I often had to wait at least half a minute until I was able to actually use the OS
What kind of storage are you running? I'm able to resume work in a few seconds from hibernation, fast start and cold boots on all of my computers.
>OS Partition is encrypted out of the Box in Ubuntu. No third party software necessary.
>Screenshots are so much easier as I can take them without having to copy them into some image editing software to save them. I press Print and bam: Screenshot saved to hard drive.
Windows + PrintScreen
Third party software like ShareX offer far more than that obviously.
>Kill Command over Terminal works so much better than Windows Taskmanager. I start Terminal, pull up my processes, kill the process ID and done. No weird loading around and messages about "Program not Responding" with a close button which does nothing. I kill a process, it is gone. Period.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/taskkill
That's pretty loaded... I'd start by looking at the MS Docs for Bitlocker, since the questions you asked depend on the OS you're running:
BitLocker (Windows 10) - Microsoft 365 Security | Microsoft Docs
Once you're on Windows 10, you'd want to be running TPM 2, UEFI w/ Secure Boot.
If you're not using ConfigMgr, you can still use MBAM for compliance monitoring
Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft Desktop Optimization Pack | Microsoft Docs
You'd use Group Policies for Management
If you're using a local account, yes. If you're using a Microsoft account, still yes, but slightly less easily. About the only way around this is to use whole disk encryption, e.g. Bitlocker.
You can use Microsoft Bitlocker to encrypt your drives without a TPM but there are some caveats with it. Here's their FAQ on it: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq
It varies by operating system. If you are on Windows 10, you should look into BitLocker. It's really the only option I'm aware of for that platform.
First section fourth paragraph. "provides the option", doesn't set it as default.
I would also like to point out that this behaviour is not a bug with dual boot, this is an observable behaviour on all systems I have tried it on.
Your linked picture also shows the "Change how drive is unlocked at startup" option. Try investigating what is set by default before running your mouth.
I kept my insults PG, you insulted my intelligence, now you're swearing. I think you defeated your own point here.
I think you misunderstand: I don't use BitLocker for this reason, due to the as-proven behaviour of BitLocker. This also isn't isolated to domained systems.
I didn't address the rest of your comment as it wouldn't have added anything to my previous post.
I'm not ill tempered, I just don't like people on the internet thinking that they know how to do my job, and then questioning my intelligence when they 'think' they know better.
I shall address your previous post as requested:
The picture you linked is not from Microsoft and also shows a fixed data drive not a system drive. System drives behave differently as they are the system drive.
The TPM acts as a device based authentication token, much like the option to use a USB device to unlock drives. The TPM just happens to be inside the PC and non removable.
A lot of NDAs do cover IP ownership of any work done whilst under the employ of a company. That is only in so far as to direct your attention to what is covered by the NDA. 'This' belongs to the company, 'this' does not.
>Anyone could just steal a Windows 10/11 laptop and get in to your personal files.
Not necessarily the case with BitLocker: BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker is only included in the Home versions if your hardware currently supports it and specific procedures are met:
Nailed it! Came here to suggest BitLocker as well.
BitLocker will keep the physical HDD/SSD safe should the computer get stolen or someone attempts to hook up unauthorized USB devices to copy data to. BitLocker will lock the drive up to prevent data theft.
Any content added to the encrypted disk is automatically encrypted.
I have a question regarding BitLocker. What type of protection does this offer?
I see two Microsoft URLs:
Both have a similar quote:
> You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
However, this doesn't really tell me much. When is the data decrypted? For example, if my laptop is booted up and is at the Windows 10 login screen, is the data still encrypted? Is the data only decrypted when I actually login to my account?
What about Live CDs/USBs (such as an Ubuntu Live USB)? If someone inserts a bootable Ubuntu USB, will they be able to see the contents of the drive?
You can find more support articles via search.
Bitlocker turns on instantly, but drives will take some time to be encrypted; the machine can be used during the encryption process.
The drive requires a decryption key for any access. It cannot be booted without the PIN or recovery key being provided. The actual decryption key is stored in the TPM module and the PIN is to access it. The recovery key is the last resort if the TPM cannot be read. DO NOT LOSE THE RECOVERY KEY!!!
Can you explain "cold boot attacks"? The drive cannot be booted without the decryption key.
A pre-boot PIN adds an extra layer of protection to ensure that the drive can only be booted by authorized users.
Not sure how Linux plays with Bitlocker volumes, but you’ll need the recovery key to access the drive, even from another Windows machine.
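The TPM-versus-PIN distinction the replies above describe can be checked and changed from PowerShell. The following is an added example, not code posted by anyone in the thread: it lists the key protectors on the OS volume, replaces a bare TPM protector (automatic unlock at boot) with a TPM+PIN protector (pre-boot authentication), and makes sure a numerical recovery password exists. It assumes the OS volume is `C:`, that the machine has a TPM, and that Group Policy permits a TPM+PIN protector; the PIN is whatever you type at the prompt.

```powershell
# Added example (not from any commenter): audit and harden the OS volume's
# BitLocker key protectors. Run from an elevated PowerShell on the machine itself.
# Assumption: the OS volume is C:.
#Requires -RunAsAdministrator
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

"Volume {0}: status={1}, protection={2}, {3}% encrypted, method={4}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus,
    $vol.EncryptionPercentage, $vol.EncryptionMethod

# Every protector and its type: Tpm, TpmPin, RecoveryPassword, ExternalKey, ...
$vol.KeyProtector | ForEach-Object {
    "  protector {0} type={1}" -f $_.KeyProtectorId, $_.KeyProtectorType
}
$types = @($vol.KeyProtector.KeyProtectorType)

# A bare 'Tpm' protector means the volume unlocks on its own at boot and the
# Windows logon screen is the only barrier. 'TpmPin' means the TPM only releases
# the key after the user enters the PIN before Windows starts.
if ($types -contains 'TpmPin') {
    "TPM+PIN protector already present"
} elseif ($types -contains 'Tpm') {
    $pin = Read-Host -Prompt 'Enter new pre-boot PIN' -AsSecureString
    # Requires the "Require additional authentication at startup" policy to allow TPM+PIN
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # Remove the TPM-only protector so it cannot still unlock the drive without the PIN
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    "Replaced TPM-only protector with TPM+PIN"
} else {
    "No TPM protector found; volume may be unlocked by password or external key only"
}

# The recovery password is the fallback when the TPM cannot release the key
# (firmware update, board swap, too many wrong PINs). Make sure one exists.
if ($types -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
    "Recovery password (id {0}), store it off this machine: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword
}
```

`Add-BitLockerKeyProtector -TpmAndPinProtector` fails with a policy error unless the startup-authentication policy allows a PIN, so on a managed machine set that first; the recovery password printed at the end is the value the "DO NOT LOSE" warning refers to, and in a domain it can be escrowed with `Backup-BitLockerKeyProtector`.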
Unless you need Bitlocker (encrypt the entire drive) https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
and Windows Information Protection
> WIP helps to protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work, without requiring changes to your environment or other apps.
You should be good with Windows 10 Home, which will save you a chunk of change
You can use bitlocker using a software based solution and a spare flash drive.
Here is a guide but I would also recommend that you check out the official Documentation for more information.
Incorrect.
Ctrl-F 'you can enable BitLocker on an operating system drive without a TPM '
Are you using a local or Microsoft account to log into the PC? For local you can get a hardware key, like Yubikey. It’s a hardware device that has to be plugged in and verified with a PIN that’s encrypted on the device.
If you are concerned with data security, use whole disk encryption, like Bitlocker, so that your data can’t be read from the drive if someone boots the PC with another OS.
Speaking of which, if you want to prevent machine from being booted with external devices, set a BIOS password, then disable all boot options except internal hard drive.
This might be a good read:
>BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
I have it enabled on the boot drive of one laptop (my other laptops aren't supported) and I log into windows with my normal password. It will protect my data if someone should remove the drive from my laptop.
We use BitLocker at work for fixed and removable drives but haven't seen that option either (even on my Windows 10 machine which is 1909).
Going through the process of encrypting the OS drive gave me the standard options of 'Print', 'USB' and 'Cloud storage'.
If your recovery key doesn't work then as far as I know, it is essentially locked until you format it again. Do you have the option to display the encryption identifier, which would usually help when using recovery keys to ensure it is the correct one?
I have also not heard of BitLocker encrypting the MBR, as I believe the newer versions require UEFI bootloaders.
Unfortunately, I don't believe you can recover from this if we assume the drive has been encrypted and you don't have a way to disable the encryption.
You can use Bitlocker with Windows Defender disabled. The two are unrelated.
1) I just tried it in a VM for you. Here is Bitlocker running with Windows Defender disabled via GPO
2) There are no such requirements specified in the Microsoft documentation
3) I manage PCs using Intune and all the settings for Bitlocker and Windows Defender are separate.
But (1) Is the best evidence...
Saying that, Windows Defender ATP is going to provide better security than most other solutions at an enterprise level, so I don't know why anyone would want to disable it.
You're doing two things at once here, converting to UEFI and enabling BitLocker.
UEFI mode is not a prerequisite of BitLocker.
Do your existing laptops have the separate reserved system partition outlined here? https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
We're about to rollout Bitlocker to all endpoints in our Enterprise as well. Not sure of your exact environment but we will be using MBAM and SCCM to configure and manage our deployment.
Here's a good video from Ignite 2016.
Before you go rushing into turning it on in response to GDPR, make sure to review the planning and overview guide(s).
EDIT: corrected typo.
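Before a rollout like the one discussed above, the prerequisites mentioned earlier in the thread (TPM 2.0, UEFI with Secure Boot, a separate system partition, and the current BitLocker state) can be checked per endpoint. This is an added, read-only example and not anyone's posted code; it assumes a Windows 10 machine with the BitLocker and SecureBoot PowerShell modules present, and it reports each check as OK or MISSING rather than changing anything.

```powershell
# Added example (not from any commenter): BitLocker readiness report for one endpoint.
# Read-only; run elevated. Assumes Windows 10 with the BitLocker module available.
#Requires -RunAsAdministrator
$checks = [ordered]@{}

# TPM presence and readiness from Get-Tpm; the spec version (1.2 vs 2.0) comes
# from the Win32_Tpm WMI class, whose SpecVersion reads like "2.0, 0, 1.16".
$tpm = Get-Tpm
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
$checks['TPM present'] = [bool]$tpm.TpmPresent
$checks['TPM ready']   = [bool]$tpm.TpmReady
$checks['TPM 2.0']     = ($specVersion -eq '2.0')

# Firmware mode and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS
# firmware, so treat that as "not enabled".
$checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')
try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }
$checks['Secure Boot on'] = [bool]$secureBoot

# BitLocker needs an unencrypted system partition to hold the boot manager:
# the EFI System Partition on GPT disks, or the "System Reserved" partition on MBR.
$espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
$sysPart = Get-Partition | Where-Object { $_.IsSystem -or $_.GptType -eq $espGuid }
$checks['Separate system partition'] = [bool]$sysPart

# Current state of the OS volume (the one Windows booted from).
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
$checks['OS volume fully encrypted'] = ($osVol.VolumeStatus -eq 'FullyEncrypted')
$checks['Protection on']             = ($osVol.ProtectionStatus -eq 'On')
$checks['TPM+PIN protector']         = (@($osVol.KeyProtector.KeyProtectorType) -contains 'TpmPin')
$checks['Recovery password exists']  = (@($osVol.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')

# One line per check; a MISSING on any of the first six means the machine is
# not ready for the policy-driven rollout, the last four describe what is already set.
$checks.GetEnumerator() | ForEach-Object {
    "{0,-28} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

The report is deliberately separate from any enforcement step: it is the kind of output you would collect from each endpoint (or have MBAM/Intune compliance report on) before turning the policy on, so that machines without a TPM, without a system partition, or still on legacy BIOS are fixed first rather than ending up prompting users for a recovery key at the next boot.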