Frequently Asked Questions

How does BitLocker encryption protect my Windows 10 endpoint?
There are two states data can be in: data at rest and data in motion.

Examples of data in motion are email attachments, file transfers, cloud syncing and web browser traffic.

Examples of data at rest are data stored on a cloud drive and data stored on a local drive, whether as synced data, cached data or ordinary files.

Almost all cloud storage solutions encrypt data both in transit (TLS) and at rest on their servers. Bear in mind that this protects against outsiders on the network or at the data centre, not against anyone who obtains your account credentials.

Email, while it typically uses TLS to protect authentication and the transmission of data to and from a mail server, does not encrypt the contents of a message by default: the message body and attachments are readable on every mail server they pass through and in the recipient's mailbox.

This is why we strongly discourage sending sensitive data via email without some additional security measure, such as a password-protected file or another means of document control, being utilized.

When it comes to data at rest, Windows does not encrypt your drive by default. Windows 10 Pro, Enterprise and Education include a built-in full-volume encryption technology called BitLocker (Windows 10 Home only offers the simpler "device encryption" feature, and only on supported hardware).

BitLocker needs a key protector in order to unlock an encrypted drive at startup. The most ideal form of protector is a Trusted Platform Module (TPM) chip embedded on the motherboard of the computer.
With a TPM chip, BitLocker seals the key that unlocks the drive to the TPM and to measurements of the boot components, so it is released automatically at startup or reboot without prompting the end user, but only while the firmware, boot loader and boot configuration are unchanged. The TPM chip is tamper resistant and is bound to the motherboard it sits on, so moving the encrypted drive to a different device, even one with a similar model motherboard, leaves the key unavailable. One caveat: with a TPM-only protector, anyone who powers on the device reaches the Windows sign-in screen, so the protection then rests on Windows authentication; adding a PIN (TPM plus PIN) forces pre-boot authentication before the key is released.

Without a TPM chip it is still possible to encrypt your drive, using either a USB flash drive to store a startup key on, or a password that you are prompted for as soon as your endpoint powers on. Windows only allows either of these on the operating system drive once the "Allow BitLocker without a compatible TPM" Group Policy setting is enabled.

With a flash drive, you must bear in mind that the flash drive has to be kept on your person and not left in proximity of your device. This is because the flash drive plus the encrypted drive is all anyone needs to unlock the drive and access its data, with no end user authentication at all, by mounting the encrypted drive as a secondary drive on a third party endpoint. The whole point of encryption at rest is to prevent exactly that circumvention of end user authentication in the event the endpoint device is lost or stolen.
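The PowerShell below is added here as an illustration and is not part of the original FAQ. It walks through the protector choices just described: TPM plus PIN when a TPM is present, and a startup key on a removable drive or a power-on password when it is not, with the policy that Windows requires for the no-TPM case. It assumes the operating system volume is C:, the removable drive is E:, and that it is run from an elevated prompt on a Windows 10 edition that includes BitLocker.

```powershell
# Added example, not code from the original FAQ. Assumptions: OS volume C:,
# removable drive E:, elevated PowerShell on Windows 10 Pro/Enterprise.

# 1. Check whether a TPM is present and ready before choosing a protector.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM present: seal the volume key to the TPM. Adding a PIN means the key
    # is only released after pre-boot authentication; use -TpmProtector instead
    # of -TpmAndPinProtector/-Pin for the unattended TPM-only mode.
    $pin = Read-Host -Prompt 'Enter a BitLocker PIN' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}
else {
    # No usable TPM: Windows refuses to protect the OS drive unless the
    # "Allow BitLocker without a compatible TPM" policy is set. These are the
    # registry values that Group Policy setting writes.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

    # Option A: startup key written to the removable drive E:. The stick must
    # then travel with the user, never with the laptop.
    Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\' `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

    # Option B (use instead of A): a password prompted for at power-on.
    #   $pw = Read-Host -Prompt 'Enter a BitLocker password' -AsSecureString
    #   Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    #       -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}

# 2. Always add a recovery password as well, so a TPM change or a lost USB
#    stick does not lock you out of your own data. Print it and store it safely.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# 3. Verify: protection On, the expected protector types listed, cipher as chosen.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The final `Get-BitLockerVolume` line is the check worth keeping in any rollout script: a volume whose `ProtectionStatus` is `Off` is encrypted but has its key stored in the clear on disk, which is no better than an unencrypted drive.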

By default, BitLocker on Windows 10 encrypts a drive using XTS-AES with a 128-bit key. There is extensive debate on whether or not 256-bit AES is meaningfully more secure than 128-bit in practice, since both are well beyond brute force. However, the NSA does treat one as stronger than the other: its Commercial National Security Algorithm Suite requires AES-256 for protecting classified information. We could go into the details of why that is, but for now we will refrain.

We have tested 256-bit versus 128-bit encryption as far as system performance goes and have found a similar impact with either when utilizing modern storage such as SATA SSD or NVMe drives, since current CPUs accelerate AES in hardware. We therefore recommend XTS-AES 256 when implementing BitLocker encryption on Windows based endpoints. Note that the cipher is fixed when a volume is first encrypted: changing the setting later does not re-encrypt volumes that are already protected.
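As an added example (not from the original FAQ), the PowerShell below checks which cipher existing BitLocker volumes actually use, sets the "Choose drive encryption method and cipher strength" policy through the registry values that Group Policy setting writes so that future encryptions use XTS-AES 256, and flags volumes that would need to be decrypted and re-encrypted to pick up the stronger cipher. The data volume letter D: in the helper function is an assumption, and the helper is defined but deliberately not called, because decrypting a volume is a slow and disruptive operation.

```powershell
# Added example, not code from the original FAQ. Run from an elevated prompt.

# 1. What is in use now? A volume encrypted with Windows 10 defaults reports XtsAes128.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionMethod

# 2. Policy values written by "Choose drive encryption method and cipher strength"
#    (Windows 10 and later): 3 = AES-CBC 128, 4 = AES-CBC 256,
#    6 = XTS-AES 128, 7 = XTS-AES 256.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsOs'  -Value 7 -Type DWord  # OS drives
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsFdv' -Value 7 -Type DWord  # fixed data drives
# Removable drives: AES-CBC 256, because older Windows versions cannot read XTS volumes.
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsRdv' -Value 4 -Type DWord

# 3. The policy only governs encryptions started after it is set (Control Panel,
#    manage-bde, or Enable-BitLocker without an explicit -EncryptionMethod).
#    Find volumes already protected with something weaker than XTS-AES 256.
$weak = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -ne 'XtsAes256' }
foreach ($v in $weak) {
    Write-Warning ('{0} uses {1}; decrypt and re-encrypt to change the cipher.' -f
        $v.MountPoint, $v.EncryptionMethod)
}

# 4. Helper (hypothetical name, assumed data volume D:): turn BitLocker off,
#    wait for decryption to finish, then encrypt again with XTS-AES 256 and a
#    fresh recovery password. Not invoked here; call it explicitly when ready.
function Reset-BitLockerCipher {
    param([string]$MountPoint = 'D:')
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
    Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly
}
```

Deploying the policy before the first encryption is far cheaper than the decrypt and re-encrypt cycle, so set it in the image or in Group Policy before BitLocker is switched on anywhere.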

Most modern iOS and Android phones have encryption enabled by default. Apple macOS can have encryption enabled (FileVault) but it is not turned on by default. With all three, it is the device's lock screen passcode or login password that unlocks the encrypted data; the associated cloud account can additionally hold a recovery key, as iCloud does for FileVault.

With an Azure AD joined Windows endpoint, the BitLocker recovery key can be saved to the device record in your Microsoft 365 (Azure AD) tenant, where it is retrievable by Global Administrators, by several other directory roles, and by the user for their own devices. The recovery key is only needed when the normal protector cannot unlock the drive: the TPM measurements changed after a firmware or boot configuration update, the motherboard was replaced, the startup key was lost, or the PIN was forgotten.
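The PowerShell below is an added example and not part of the original FAQ. It escrows the recovery password of every BitLocker volume on an Azure AD joined device to the tenant using the `BackupToAAD-BitLockerKeyProtector` cmdlet, adding a recovery password protector first where one is missing (only that protector type can be escrowed), and then checks the BitLocker management event log for the success or failure events the backup writes. It assumes an elevated prompt on a device that is already Azure AD joined.

```powershell
# Added example, not code from the original FAQ. Assumes an elevated prompt on
# a Windows 10 device that is Azure AD joined.

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow

    # Only RecoveryPassword protectors can be backed up to Azure AD; add one if
    # the volume was protected with a TPM or startup key alone.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow each recovery password protector by its ID.
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host ('Escrowed protector {0} for {1}' -f $p.KeyProtectorId, $vol.MountPoint)
    }
}

# Verify from the log rather than trusting the cmdlet's silence:
# event 845 = recovery information backed up to Azure AD, 846 = backup failed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845, 846
} -MaxEvents 10 | Select-Object TimeCreated, Id, Message
```

Once the 845 events are present, the key can be read from the device's entry in the Azure AD portal; a device that only shows 846 has no usable escrow, and its recovery password must be recorded elsewhere before a firmware update or motherboard swap triggers recovery.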


 Last updated 06/03/2020 6:49 am
