Configure local accounts

Local accounts, as the name suggests, exist in the local accounts database on your Windows 10 device; they can only be granted access to local resources and, where granted, exercise administrative rights and privileges on the local computer.

When you first install Windows 10, you are prompted to sign in using a Microsoft account or Work Account, such as a Microsoft 365 account that is connected to Azure Active Directory. If neither of these options are available or are suitable to your requirements, you can choose an offline account and create a local account to sign in. Thereafter, you can create additional local user accounts as your needs dictate.

Default accounts

In Windows 10, there are three default local user accounts on the computer in the trusted identity store. This store is a local list of users and groups and is stored as the Security Accounts Manager (SAM) database in the registry. The three accounts are the Administrator account, Default Account, and Guest account.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. When the default administrator account is enabled, it requires a strong password. Another local account called the HelpAssistant account is created and enabled when a Windows Remote Assistance session is run. The HelpAssistant account provides limited access to the computer to the person who provides remote assistance. The HelpAssistant account is automatically deleted if there are no Remote Assistance requests pending.

When you install Windows 10 using a local account, you can create additional user accounts and give these accounts any name that is valid. To be valid, the username

• Must be from 1 to 20 characters

• Must be unique among all the other user and group names stored on the computer

• Cannot contain any of the following characters: / [ ] : ; | = , + ? < > “ ” @

• Cannot consist exclusively of periods or spaces

The initial user account created at installation is a member of the local Administrators group and therefore can perform any local management task on the device. You can view the installed accounts, including the default accounts, by using the Computer Management console, as shown in Figure 2-1. If you cannot find the Local Users And Groups section within Computer Management, then you are probably running Windows 10 Home Edition, which does not have the Local Users And Groups Microsoft Management Console (MMC) snap-in.

You can also use the net user command-line tool and the get-wmiobject -class win32_useraccount Windows PowerShell cmdlet to list the local user accounts on a device.

Managing local user accounts

You can manage local user accounts by using Computer Management (except with Windows 10 Home edition), Control Panel, the Settings app, and Windows PowerShell.

Using Computer Management

To manage user accounts by using Computer Management, right-click Start and then click Computer Management. Expand the Local Users And Groups node and then click Users. To create a new user, right-click the Users node and click New User.

In the New User dialog box, configure the following properties, as shown in Figure 2-2, and then click Create.

• User Name

• Full Name

• Password

• User Must Change Password At Next Logon

• User Cannot Change Password

• Password Never Expires

• Account Is Disabled

After you have added the new user account, you can modify more advanced properties by double-clicking the user account. On the General tab, you can change the user’s full name and description and password-related options. On the Member Of tab, you can add the user to groups or remove the user from groups. The Profile tab, shown in Figure 2-3, enables you to modify the following properties:

• Profile Path This is the path to the location of a user’s desktop profile. The profile stores the user’s desktop settings, such as color scheme, desktop wallpaper, and app settings (including the settings stored for the user in the registry). By default, each user who signs in has a profile folder created automatically in the C:UsersUsername folder. You can define another location here, and you can use a Universal Naming Convention (UNC) name in the form of \ServerShareFolder.

• Logon Script This is the name of a logon script that processes each time a user signs in. Typically, this will be a .bat or .cmd file. You might place commands to map network drives or load apps in this script file. It is not usual to assign logon scripts in this way. Instead, Group Policy Objects (GPOs) are used to assign logon and startup scripts for domain user accounts.

• Home Folder This is a personal storage area where users can save their personal documents. By default, users are assigned subfolders within the C:UsersUsername folder for this purpose. However, you can use either of the following two properties to specify an alternate location:

  • Local Path A local file system path for storage of the user’s personal files. This is entered in the format of a local drive and folder path.

  • Connect A network location mapped to the specified drive letter. This is entered in the format of a UNC name.

Using the Settings App

The preferred way to manage local accounts in Windows 10 is by using the Settings app. From Settings, click Accounts. As shown in Figure 2-4, on the Your Info tab, you can modify your account settings, including:

• Sign In With A Microsoft Account Instead You can sign out and sign in using a Microsoft account.

• Create Your Picture You can browse for an image or take a selfie if your device has a webcam.

• Create A Microsoft Account You can create a new Microsoft account using this option.

If you need to add a new local user account, click the Family & Other Users section and then click Add Someone Else To This PC.

Windows 10 requires you to then enter that person’s email address, typically the address they use to sign in to Office 365, OneDrive, Skype, Xbox, or Outlook.com.

If you do not have the recipient’s email address, you can still add a local account by using the following procedure:

1. In the Settings app, click Accounts.

2. On the Family & Other Users tab, under Other Users, click Add Someone Else To This PC.

3. In the How Will This Person Sign In dialog box, click I Don’t Have This Person’s Sign-In Information.

4. In the Create Account dialog box, click Add A User Without A Microsoft Account.

5. On the Create An Account For This PC page, type the user name, type a new password twice, provide answers to the three security questions, and then click Next to create the local account.

6. The account is listed under Other Users.

$Password = Read-Host -AsSecureString
<<Enter Password>>
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "User 3 "

Built-In Local Groups

You can add your own groups, change group membership, rename groups, and delete groups. It is best practice to use the built-in groups wherever possible because these already have the appropriate permissions and are familiar to other administrators. Some of the built-in local groups are special groups that Windows 10 system requires (and cannot be managed).

Some of the following local groups that are created on Windows 10 devices together with their uses are shown in Table 2-1.

Table 2-1 Built-in Local Groups

In Table 2-1, you saw that Administrators group members have full permissions and privileges on a Windows 10 device. A member of the Administrators local group can perform the following tasks:

• Access any data on the computer

• Assign and manage user rights

• Backup and restore all data

• Configure audit policies

• Configure password policies

• Configure services

• Create administrative accounts

• Create administrative shares

• Increase and manage disk quotas

• Install and configure hardware device drivers

• Install applications that modify the Windows system files

• Install the operating system

• Install Windows updates, service packs, and hot fixes

• Manage disk properties, including formatting hard drives

• Manage security logs

• Modify groups and accounts that have been created by other users

• Modify system wide environment variables

• Perform a system restore

• Re-enable locked-out and disabled user accounts

• Remotely access the Registry

• Remotely shut down the system

• Stop or start any service

• Upgrade the operating system

Create and Delete Groups

Only members of the Administrators group can manage users and groups. When creating a new group, the group name is required to be unique on the local computer and cannot be the same as a local username that exists on the computer.

You should make the group name descriptive, and wherever possible, you should include a description of the new group’s function. Group names can have up to 256 characters in length and include alphanumeric characters including spaces, but the backslash () character is not allowed.

To create a new group, follow these steps:

1. Right-click Start and select Computer Management.

2. Open the Local Users And Groups console.

3. Right-click the Groups folder and select New Group from the context menu.

4. In the New Group dialog box, enter the group name. (Optionally, you can enter a description for this group.)

5. To add group members, click the Add button.

6. In the Select Users dialog box, type the username then click OK.

7. In the New Group dialog box, you will see that the user has been added to the group.

8. To create the new group, click the Create button.

To delete a group from the Local Users And Groups console in Computer Management, right-click the group name and choose Delete from the context menu. You will see a warning that deleting a group cannot be undone, and you should click the Yes button to confirm the deletion of the group.

When a group is deleted, all permissions assignments that have been specified for the group will be lost.

Special Identity Groups

There are a number of special identity groups (sometimes known as special groups) that are used by the system or by administrators to allocate to resources. Membership in special groups is automatic, based on criteria, and you cannot manage special groups through the Local Users And Groups console. Table 2-2 describes the special identity groups that are built in to Windows 10.

Table 2-2 Built-in Special Identity Groups

Manage devices in directories

Microsoft has designed Windows 10 to be managed using cloud-based tools such as Microsoft Intune and Microsoft 365 Device Management. As more businesses migrate away from traditional on-premises domain environments to the cloud, you will need to understand how to configure devices to register them in Azure Active Directory.

In this section, you will learn how to register a device so that it can be managed by a work or school using cloud-based services. You will see how to enable device registration and the process of joining devices to Azure Active Directory.

Configure Device Management

Device management requires configuration to ensure that when your users attempt device registration, the process will not fail. By default, the setting is enabled, and it allows all Windows 10 devices that present valid credentials to be managed by your Azure AD.

The Azure portal provides a cloud-based location to manage your devices. To allow registration of devices into Azure AD follow these steps:

1. Sign in as an administrator to the Azure portal at https://portal.azure.com.

2. On the left navigation bar, click Azure Active Directory.

3. In the Manage section, click Devices.

4. Click Device Settings.

5. On the Device Settings blade, ensure that the Users May Join Devices To Azure AD setting is configured to All, as shown in Figure 2-6. If you choose Selected, then click the Selected link and choose the users who can join Azure AD. You can select both individual users and groups of users.

   

6. Click Save.

Within the Azure AD portal, you can fine-tune the process of registering and joining devices by configuring the device settings as listed in Table 2-3.

Table 2-3 Azure AD device configuration settings

Connect devices to Azure AD

Once the pre-requisites have been configured to allow device registration service to take place, you are able to connect devices to Azure AD.

There are three ways to connect a Windows 10 device to Azure AD as follows:

• Join a new Windows 10 device to Azure AD

• Join an existing Windows 10 device to Azure AD

• Register a Windows 10 device to Azure AD

In this section, you will learn the steps required for each method of connecting Windows 10 to Azure AD.

Enroll devices into Microsoft 365

Microsoft 365 is a bundled subscription including Office 365, Windows 10, and Enterprise Mobility + Security. Microsoft 365 comes in three primary bundles:

• Microsoft 365 Business For small- and medium-sized organizations up to 300 users

• Microsoft 365 Enterprise For organizations of any size

• Microsoft 365 Education For educational establishments

With Microsoft 365, you use Azure Active Directory for your identity and authentication requirements, and you can (and should) enroll Windows 10 into device management, so that your users can gain access to corporate resources. Once devices are joined to your Microsoft 365 tenant, Windows 10 becomes fully integrated with the cloud-based services offered by Office 365 and Enterprise Mobility + Security. Microsoft 365 supports other platforms including Android and iOS, which can also be managed as mobile devices. However, only Windows 10 devices can be joined to Azure AD.

View and manage devices in Microsoft 365

Microsoft 365 Business subscription administrators can manage their enrolled devices directly from the Microsoft 365 Business Admin Center Home screen using the Enroll Devices tile, as shown in Figure 2-12. Also, enrolled devices can be managed in the Microsoft 365 Device Management portal.

On the Microsoft 365 Business Admin portal Home screen, both the Device Enrollment link on the Enroll Devices tile and the Device Management option (under Admin Centers) will open the standalone Microsoft 365 Device Management portal. This portal can also be accessed at https://devicemanagement.microsoft.com.

You can perform the following device-related actions on devices from within the Devices section on the navigation bar.

• AutoPilot Including adding new devices to be deployed with the Windows Autopilot service and managing Windows Autopilot profiles that can be applied to devices.

• Policies Including managing existing policies and assigning policies to groups. Add new application policies to Android, iOS, and Windows 10 devices, and add new device configuration polices to Windows 10 devices.

• Manage Including view device details, Factory Reset, Remove Company Data, and Remove Device.

Organizations with a Microsoft 365 Enterprise subscription cannot view or manage devices from the Microsoft 365 Enterprise Admin Center and will need to use the following locations:

• Azure Active Directory https://aad.portal.azure.com

• Intune in the Azure portal https://portal.azure.com

• Microsoft 365 Device Management https://devicemanagement.microsoft.com

From these views, you can manage and interact with the devices enrolled into your Azure AD tenant, including retiring or wiping a device. Also, you can perform remote tasks, such as retiring, wiping, or restarting the device, as shown in Figure 2-13.

Understand NTFS

NTFS is the native file system Windows 10 uses, which is widely used across most Windows operating systems. It offers you the ability to protect and secure folders and files through file- and folder-level security permissions to control access. NTFS offers the following characteristics:

• File-level compression

• Per-user volume quotas

• Symbolic links and junction points

• Volume sizes up to 256 TB

• Support for large volumes—up to 2³²-1 files per volume

• Maximum implemented file size is 256 TB minus 64 KB or 281,474,976,645,120 bytes

• Support for extended-length paths

• Support for long file names, with backward compatibility

• Enterprise-level file and folder encryption

• Support for BitLocker Drive Encryption

• Metadata transactional logging to ensure that file structure can be repaired

• Limited self-healing capabilities

Use File Explorer to manage files and folders

The most common tool used to manage files and folders is File Explorer, which is located on the taskbar and on the Start screen. Typical functions provided through File Explorer include:

• Creating new folders and files

• Viewing and accessing files and folders

• Searching for files and information contained in files

• Managing properties of files and folders

• Previewing contents or thumbnails of files and folders

The Quick Access area is new in Windows 10 and appears at the uppermost left area of the File Explorer navigation pane; it includes pinned shortcuts for frequently used files and folders including the Desktop, Downloads, Documents, Pictures, and Music. As you browse and access files in other folders on your computer, folder shortcuts for these items appear in the right navigation pane under Frequent Folders or Recent Files. You can modify the behavior of Quick Access by right-clicking Quick Access and selecting Options, as shown in Figure 2-14.

On a shared computer, you might want to clear the check boxes for Show Recently Used Files In Quick Access and Show Frequently Used Folders In Quick Access.

Set file and folder permissions

Volumes formatted using either NTFS or the newer ReFS enable you to configure file and folder permissions. NTFS permissions are robust, reliable, and effective, and they enable you to configure granular permissions on both files and folders that determine how individual users and groups can use the objects.

The creator of the resource, such as a file or folder, is automatically assigned the special status of creator-owner, and the creator can grant or deny permissions to it. Administrators and anyone given the Full Control permission also can modify permissions for that file or folder.

To modify permissions to a file or folder, access the Security tab in the object’s properties, as shown in Figure 2-15.

If a user leaves the organization or the account is deleted, an Administrator can take ownership of the files and folders to modify permissions by changing the Owner principal found in the Advanced settings in Properties.

If you have the permission to modify the security settings in the access control list (ACL), you can add or remove users or groups and then grant or deny a specific permission level. In organizations, you assign permissions to groups rather than to multiple users because this minimizes administrative effort.

Review the acronyms relating to objects that you might use when applying security permissions, as shown in Table 2-4.

Table 2-4 Security Permission acronyms

When configuring permissions for files and folders, you can configure basic or advanced permissions. Unless you are seeking a very fine degree of control to a resource, you typically work with basic permissions and assign them to groups and users, as shown in Table 2-5.

Table 2-5 Basic file and folder permissions for NTFS and ReFS

Basic permissions are easier to manage and document. Under the hood, a basic permission is made from a combination of individual advanced special permissions. Consider that permissions for folders can have a different effect on files, as described in Table 2-6.

Table 2-6 Basic NTFS file and folder permissions

Behind the basic permissions is a matrix of 13 advanced permissions that can also be applied to files and folders. Each basic permission is a collection of one or more advanced permissions, as shown in Table 2-7.

Table 2-7 Basic and advanced permissions

It is recommended to use basic permissions unless there is a clear requirement for setting advanced permissions; otherwise, they can become complex and difficult to troubleshoot. If you do use the advanced permissions, it is best practice to document any modifications so that you can review the configuration and, if necessary, reverse the settings.

Many inexperienced users who configure NTFS permissions can complicate the settings on files by setting advanced permissions (frequently using deny permissions) and setting permissions for individual users instead of setting permissions for groups. There is a strict canonical order or hierarchy of how Deny and Allow permissions can interoperate, and the general rule is that a Deny setting prevents an Allow setting.

Review Table 2-8 to understand the relationship between Deny and Allow settings and how the behavior changes, depending on how the setting is applied.

Table 2-8 Allow and Deny NTFS permissions

Although most administrators will use File Explorer to set individual ACLs for files and folders, you can also use Windows PowerShell or the ICACLS command-line utility.

Windows PowerShell offers two cmdlets that you can use to manage file and folder permissions: Get-Acl and Set-Acl. For additional information and examples of how to use these cmdlets, type Get-Help Get-Acl, or Get-Help Set-Acl.

ICACLS enables you to configure and view permissions on files and folders on a local computer. Some of the most common ICACLS parameters and permission masks are shown in Table 2-9.

Table 2-9 Common ICACLS parameters and permission masks

To grant a permission, use the /grant switch, as the following example on an existing file called My New Files within the C:Working Folder shows.

1. Open File Explorer.

2. Navigate to the folder on which you want to set permissions.

3. Click File and then click Open Windows PowerShell As Administrator.

4. Type the following command.

   Click here to view code image

   Icacls 'My new files.rtf' /grant 'Demo:(OI)(M)'

5. Type Icacls ’My new files.rtf’ to view the permissions.

Understand NTFS inheritance

Setting NTFS permissions on hundreds of files and folders would take a long time, especially if each setting were configured manually. Fortunately, you don’t need to because, by default, NTFS and ReFS security permissions are inherited from their parent folder. In this way, permissions will “flow” from top to bottom and follow the folder hierarchy. By default, inheritance is enabled because this facilitates more efficient administration. NTFS enables you to disable inheritance from flowing from a parent folder to the child.

You can review the inheritance status of a file or folder in File Explorer by following these steps.

1. Open File Explorer.

2. Navigate to the folder whose inheritance settings you want to review.

3. Right-click the file or folder, and choose Properties > Advanced.

4. On the Permissions tab, review the permission entries and notice the Inherited From column, as shown in Figure 2-16.

   

Figure 2-16 shows a Disable Inheritance button. If you select this button, you are presented with two choices as shown in Figure 2-17.

In the Block Inheritance dialog box, there are two options, as follows:

• Convert Inherited Permissions Into Explicit Permissions On This Object Prevents inherited permissions from being able to “flow” from top folders to the subfolders. Current inherited permissions are changed by the system from implicit permissions to explicit permissions. This can result in hundreds or thousands of inherited permissions being changed into explicit permissions.

• Remove All Inherited Permissions From This Object Removes all permissions and gives you a folder structure with no permissions set. Care needs to be taken with this option because it is very easy to remove all access—even system access—to the file structure.

The option to convert inherited permissions to explicit permissions on this object stops inheritance from flowing from the parent folders and changes the permissions on all child items from implicit permissions to explicit permissions. You can then modify the permissions.

If you choose the second option, Remove All Inherited Permissions From This Object, you completely remove all permissions. This provides you with a folder structure with no permissions at all.

Both options are powerful and can have far reaching effects. Best practice recommends employing inheritance wherever possible, to ease administration. You should also document and test your outline folder structure before it becomes too large. A big change on a small structure is simple to put in place, whereas modifying a large, established file structure could be cumbersome.

Understanding move, copy, and permissions inheritance

When you need to move or copy a folder from one location to another, you need to understand how NTFS will perform the task with respect to how permissions on the resource are modified. Table 2-10 shows the behavior that NTFS adopts when copying files from one folder to another folder, and between partitions.

Table 2-10 Resultant effect of moving or copying NTFS files

When you copy a file or folder within the same volume or between volumes, the user must have Read permission for the source folder and Write permission for the destination folder.

When you move a file or folder within the same volume or between volumes, you need to have both Write permission for the destination folder as well as Modify permission for the source file or folder. This is because Windows 10 will move the resources (Write) and then delete (Modify) the resources from the source folder once it has completed the copy to the destination folder.

View Effective Access

You might be required to calculate the access that a user has to a resource. Within the Advanced options of an object’s Security settings, you will find the Effective Access tab (previously called Effective Permissions) as shown in Figure 2-18. When setting permissions in a corporate environment you should verify that NTFS permissions are applied correctly and use the Effective Access feature to ensure that the results are as expected.

For example, for a resource, if you assign a user the Read permission and assign the Modify permission to a group that the same user is a member of, the effective access permissions are a combination of the Read permission and Modify permission, which is Modify permission.

When you combine permissions that include Deny permissions, NTFS will evaluate the Deny permissions before the Allow permissions that are set on the same resource with explicit Deny taking precedence over all Allow permissions.

If Deny and Allow permissions are set at different levels within a folder structure, or nested within each other—for example, if Deny is set at the top-level folder and an Allow permission is set at its subfolder—Allow can take precedence and override Deny because the Allow permission is explicit and not implicit.

When assigning permissions to several groups, remember that the security settings have a cumulative effect; you should review the effective permissions obtained for the user by following these steps.

1. Open Windows Explorer.

2. Navigate to the file or folder whose effective permissions you want to view.

3. Right-click the file or folder, click Properties, and click the Security tab.

4. Click Advanced and then click the Effective Access tab.

5. Next to the User/Group, click Select A User.

6. On the Select User Or Group dialog box, click in the Enter The Object Name To Select (Examples) box, enter the name of a user or group, and then click OK.

7. Click View Effective Access.

   You should now see the detailed effective permissions of the user or group for that file or folder.

Be careful when using the Effective Access tool and reviewing permissions on folders that you own since the permissions given to the Creator Owner of the object are not taken into account.

Take ownership of resources

It is possible to remove access to a particular user or group on an object, such as a folder. Sometimes, this happens accidentally when configuring permissions, but typically, it will happen when the user who originally created the resource leaves the organization and the resource is then said to be “orphaned.”

In the Advanced Security Settings dialog box for an object, you will find the Effective Access tab and at the top of this screen, as shown in Figure 2-18, is an option to change the object owner. So long as you have administrative privileges, you can take ownership of the object and allocate it to another user or group. You can reset the permissions of all the folders, files and subfolders using the command-line tool icacls <file name> /reset, using an elevated command prompt.

Resolve NTFS permission issues

The type of security that can be configured on Windows 10 is determined by the file system in place. NTFS is the default underlying file system and it offers several security options, but you may also encounter removable drives or legacy systems that use FAT16, FAT32, or exFAT, which offer less security.

It has been several years since NTFS was established as the default file system of choice for all recent Windows client and server operating systems. NTFS file permissions offer administrators a very powerful tool for granting, controlling, auditing, and denying access to resources. Unlike share-level permissions, NTFS operates at the file level, which means NTFS permissions are applicable to resources shared over a network or accessed locally.

When troubleshooting resource access issues, you need to determine the following:

1. Is the file system in NTFS?

2. Are the files and folders being accessed locally or over the network?

It is easy to test if the file system is using NTFS by checking to see if there is a security tab on the volume on which the resource resides, as shown in Figure 2-19. The Security tab relates to NTFS permissions.

NTFS permissions can be complex and sometimes difficult to manage, especially for a junior or inexperienced administrator. Often the most challenging environment is one in which a newly hired administrator must adopt an enterprise, which has an existing problematic NTFS permission infrastructure in place that has very little documentation. Required small changes can sometimes have unintended consequences, which pose security risks. The role of the system administrator is to optimize data security, and to make sure that data is accessible to the right users. If users are denied access to files to which they have rights or given access to privileged files, it is a major problem that needs immediate remediation.

NTFS permissions are cumulative, which means a user may have been given various group memberships as well as explicit permissions to resources that they are able to access. If a user has not been given any implicit or explicit permissions, they will not have access. If a combination of permissions for a resource has been set, you’ll need to calculate the cumulative effect of all permissions.

Faced with an issue resulting from lack of access or over privilege, you need to start troubleshooting the problem by determining the effective permissions for the files or folders in question. Establish the scope. For example, who does this problem affect, and is it confined to a single user or a group of users? Establishing the effective permissions will allow you to quickly determine permissions that apply and provide you with a starting point.

User-effective permissions are based on the total of all permissions that they have been granted or denied. Take special care to look for any Deny permissions because these are infrequently set. However, when Deny permissions are set, they are very powerful because any explicit Deny permission will have precedence over Allow entries.

Configure folder shares

When you share a folder, other users can connect to the shared folder and its contents across the network. Shared folders available on the network are no different from normal folders, and they can contain applications, corporate data, or private data. Be careful when creating a network share, to ensure that you do not accidentally provide access to a user or group of users who should not have access. By default, everyone on the network is given read access to the share, although you can change this setting.

Normally, a shared folder is located on a file server, but in a small network environment, the sharing can be located on a Windows 10–based computer or network-attached storage (NAS) device. When choosing the device or server, the resources should be available whenever the users need them and, often, this means the server is always on.

By providing a central location for shared folders to reside on, you enable the following features.

• Simplification of management

• User familiarity

• Ease in backing up data

• Consistent location and availability

When a user tries to use resources accessed on a shared folder, the access permissions are determined by taking into consideration both the share permission and the NTFS security permissions. The most restrictive set of permissions prevail to the user.

Ensure that you do not create shared folders where the share permissions (SMB) become the primary access security mechanism. They are more restrictive than the NTFS permissions because users gaining access to the resource locally or by logging on through Remote Desktop would completely bypass SMB permissions. It is therefore essential for NTFS permissions to be configured independently to protect the resource.

To allow access to a locally stored folder across a network, first share the folder. Files contained in folders are also shared, but files cannot be specifically shared independently, except from within a user profile.

Configure Network Discovery

The network discovery feature was introduced in Windows Vista and uses a new layer 2-level protocol called Link Layer Topology Discovery (LLTD). It allows Windows to identify other devices present on the local subnet and, when possible, establish the quality of service (QoS) bandwidth capabilities of the network.

Knowing what is on the network increases the communication between devices. One downside of this increased awareness capability is that the firewall security settings are slightly relaxed. This means that not only does your computer see other network computers and devices, it also becomes discoverable on the network by other Windows clients.

Exam Tip

Administrators working in a domain environment can manage the settings of the two network discovery settings, LLTD Mapper (LLTDIO) and Responder (RSPNDR), in Group Policy settings. The Group Policy settings can be found here: Computer ConfigurationPolicies Administrative TemplatesNetworkLink Layer Topology Discovery.

Network discovery is tightly linked to network location profiles and to Windows Defender Firewall configuration. As we have seen, by default, network discovery is enabled for devices connecting to networks that are assigned the Domain or Private network location profile, but network discovery is disabled on public networks.

To change network discovery settings, from the Network And Sharing Center, click Change Advanced Sharing Settings. As shown in Figure 2-21, you can then configure network discovery for each network location profile.

Create a Share by Using the Shared Folders Snap-In

You can create and manage file shares centrally on your computer by using the Shared Folders snap-in, which can be loaded into an empty Microsoft Management Console (MMC), or the snap-in found in Computer Management.

When you create a new share in the Shared Folders snap-in, the Create A Shared Folder Wizard appears and guides you through specifying the folder path, share name, description, and other settings, as shown in Figure 2-22.

By default, the share name will be the same as the folder name, and permissions for the share are set at read-only access for the Everyone group, but you can choose other options or full customization by completing the underlying Share Permissions discretionary access control list (DACL) page.

The Shared Folders snap-in enables you to view existing shares and modify their properties, including settings such as offline file status, share permissions, and even the NTFS security permissions.

Exam Tip

To launch the Create A Shared Folder Wizard directly from a command prompt, use Shrpubw.exe.

net share MyShareName=c:TempData /remark:"Temp Work Area"

New-SmbShare -Name MyShareName -Path c:TempData

Share Files by Using File Explorer

Files typically cannot be shared without first sharing the parent folder. In Windows 10, files that reside in the user profile, such as Documents, Downloads, and Pictures folders, can be shared. To do this, follow these steps.

1. Sign in to your computer using an administrative user account.

2. Open File Explorer and navigate to the user profile.

3. Right-click a file, such as Pictures, in the user’s profile.

4. Select Give Access To Specific People, as shown in Figure 2-23.

   

5. In the Choose People To Share With dialog box, type a user or group and click Add.

6. Set Permission Level to Read or Read/Write and click Share.

7. Note that you are sharing. The File Sharing Wizard completes, and the files are shared.

8. Optionally, you can use the links in the File Sharing Wizard to send someone the links to the shares.

9. Click Done.

You can also share a file using the Share icon on the Share ribbon bar. Select the file or multiple files and then click Share on the ribbon bar, as shown in Figure 2-24.

The Share option is also available within other apps including Microsoft Edge. The set of targets, including contacts and other apps will depend on which apps are installed on your device and offer a simplified method of sharing files quickly and with minimum effort.

Configure shared folders permissions

Permissions that are set on the share determine the level of access a user has to the files in the share. They can be set on FAT or later file systems. When you use the NTFS file system, be careful not to restrict access at the share level, because this might affect the effective permissions. You can configure the permissions when you share a folder and set a level that the user or group will have when they connect to the folder through the share across the network.

Sharing permissions have three options:

• Read Users and groups can view the files, but they cannot modify or delete them.

• Change Users and groups can open, modify, delete, and create content, but they cannot modify file or folder permissions; the Change permission incorporates all Read permissions.

• Full Users and groups can perform all actions, including modifying the permissions; the Full permission incorporates all Change permissions.

Unlike in earlier versions of Windows, there is no longer a visual icon or indicator in File Explorer to distinguish whether a folder is shared. All shared folders on your device appear in the Shared Folders node of the Computer Management console. You can also view the shared folders that exist on your device by using the Get-SmbShare Windows PowerShell cmdlet or by typing net view \localhost /all at the command prompt.

After a user has found the share in File Explorer, they can access the files directly. Another common way that users can connect to a shared folder over the network is by using the shares Universal Naming Convention (UNC) address. UNC addresses contain two backward slashes (\) followed by the name of the computer that is sharing the folder and the shared folder name; for example, the UNC name for the Marketing shared folder on the LON-DC1 computer in the Fabrikam.com domain would be:

Click here to view code image

\LON-CL1.Fabrikam.comMarketing

Troubleshoot Share Permission Issues

Share permissions can cause many problems when troubleshooting access to files and folders. You need to remember that Share permissions work together with NTFS permissions and that the most restrictive permission will apply. Another common cause of confusion is that Share permissions only affect shared resources over the network.

If your file system is configured with FAT or FAT32, there is no option to configure NTFS permissions. If no Security tab is available in the resource Properties dialog box, we know that it cannot be formatted with NTFS, and the file system is likely to be FAT/FAT32, as shown in Figure 2-25.

If you need to confirm the file system in use, you can view the properties of the drive by following these steps:

1. Open File Explorer and right-click the drive that is under review.

2. Select Properties.

3. On the General tab, view the File System.

4. Click OK to close the dialog box.

Understanding the registry structure

The registry is a database that is split into multiple separate files known as hives, together with associated log and other support files.

You can find the registry files located in the %systemroot%System32Config though you will need to be an administrator to access this folder. Within this system folder, you should find several binary format “files” that the registry uses:

• SAM (Security Accounts Manager used to store local passwords)

• SECURITY

• SOFTWARE

• SYSTEM

• DEFAULT

• USERDIFF (used only for Windows upgrades)

In addition to the system files the user-specific settings are stored within the user profile and are loaded into system memory when a user signs in. These registry files are located in the following locations:

• %userprofile% tuser.dat

• %userprofile%AppDataLocalMicrosoftWindowsUsrClass.dat

Other notable registry files include the Boot Configuration Data (BCD) store which stores its own file on the boot drive. The local services are located in %SystemRoot% ServiceProfilesLocalService and network services are stored in %SystemRoot%ServiceProfilesNetworkService.

The vast majority of changes to the hive files are made automatically by Windows whenever you install an application, or change a setting or configuration by using the Settings app or Control Panel.

The main hives, or subtrees which store settings for Windows 10 are shown in Table 2-13.

Table 2-13 Registry Hives

Should you need to make a manual change, create a new entry, or modify an existing registry entry, these will typically take place in the following two hives:

• HKEY_LOCAL_MACHINE

• HKEY_CURRENT_USER

The primary tool for managing and editing the registry is the built-in registry editor.

Within the hives, settings containing values are stored in subtrees, keys and subkeys. The hierarchical nature of the registry makes it easy to locate a registry value. An example of a key, subkeys, and value would be

Click here to view code image

ComputerHKEY_CURRENT_USERControl PanelMouse

This key holds many subkeys, which Windows uses to store settings for the mouse.

The mouse settings can be modified in the registry, as shown in Figure 2-26, or by using the Mouse item within the Control Panel. If you enable mouse pointer trails in the Control Panel, the registry subkey for MouseTrails is modified to have a value of 7.

Values are stored within each key and subkey that are used to configure the operating system. There are several value types which are used to store information such as numerical data, text, and variables such as file paths. Often a value is empty or not defined as shown in the (Default) subkey in Figure 2-26. Table 2-14 lists more common types of registry values.

Table 2-14 Registry Value Types

Understanding the Registry Editor

The built-in Registry Editor (Regedit.exe) allows you to view, search, and modify the registry’s contents. Some of the common tasks that administrators can perform using the Registry Editor tool include

• Search the registry for a value, value name, subkey, or key

• Create, delete, and modify keys, subkeys, and values

• Import entries into the registry from an external (.REG) file

• Export entries from the registry into an external (.REG) file

• Back up the entire registry

• Manage the HKEY_LOCAL_MACHINE and HKEY_USERS registry hives on a remote computer

You can also import registry keys and values directly into the registry using a text file with the .REG extension.

All .REG files will use the following syntax for Registry Editor to understand them:

Click here to view code image

Windows Registry Editor Version 5.00
[<Hive name><Key name><Subkey name>]
"Value name"=<Value type>:<Value data>

Because .reg files are associated with the registry, executing a .REG file will merge it with—or import it to—the local Windows Registry. The contents of the .REG file will add, delete, or modify one or more keys or values in the registry. Depending on the changes contained within the .REG file, you might need to restart your computer after the changes have been made.

You can also use the import option on the file menu within the Registry Editor to import the settings, or you can use the command line with a script similar to the following example:

Click here to view code image

regedit /s C:\Registry\regsetting.reg > nul

Using PowerShell to manage registry settings

The registry can be accessed directly using Windows PowerShell. The registry provider within PowerShell displays the registry like a file system, displaying the keys and subkeys as subfolders within a registry hive.

Windows PowerShell uses the abbreviated form of the hive nomenclature where the HKEY_LOCAL_MACHINE hive becomes HKLM and HKEY_LOCAL_USER becomes HKLU.

To view the registry using Windows PowerShell, open an elevated Windows PowerShell command prompt and then type the following, pressing Enter after each line.

Get-ChildItem -Path hklm:
Dir

Click here to view code image

You can also obtain a richer output by using this PowerShell command:

Get-Childitem -ErrorAction SilentlyContinue | Format-Table Name, SubKeyCount, ValueCount -AutoSize

To create a new registry key, you can first use the Set-Location cmdlet to change to the appropriate registry subtree and key as shown here:

Set-Location "HKCU:Software"

Alternatively, you can use the full path to the registry key in the cmdlet as follows:

Click here to view code image

New-Item -Path HKCU:Software -Name "Demonstration" –Force

Use the following cmdlet to assign the new registry key a value of “demo”:

Click here to view code image

Set-Item -Path HKCU:SoftwareDemonstration -Value "demo"

To validate that the key value has been stored correctly, view the key in the registry, or type:

Click here to view code image

Get-Item -Path HKCU:SoftwareDemonstration

Configuring a password policy

On a local device, if you want to ensure that all users use secure passwords and that the passwords are changed after a set number of days, you can configure a password policy as follows:

1. Log onto Windows 10 with administrative privileges.

2. Click Start and search for Secpol.msc.

3. Click the Secpol.msc link to open the Local Security Policy Editor.

4. Expand Account Policies and click Password Policy.

5. Double-click Enforce Password History. You can now enter a value that represents the number of unique new passwords that a user account must have used before an old password can be reused.

6. Enter 5 and click OK to set this policy.

7. Double-click Maximum Password Age. The default setting is 42, which allows a user can use their password over a 42-day period before they are forced to change it. The best practice is to have passwords expire every 30 to 90 days.

8. Enter 90 and click OK.

9. Double-click Minimum Password Age. The default setting is 0 days, which allows users to change their passwords whenever they like. A setting of 14 days prevents users from changing their password in rapid succession to bypass the password history setting.

10. Enter 14 and click OK.

11. Double-click Minimum Password Length. The default is set to 0 characters. A setting of 8 would require that a password must be at least 8 characters long.

12. Enter 8 and click OK.

13. Double-click Password Must Meet Complexity Requirements. This setting is disabled by default. Once set to enabled, all passwords need to be complex.

14. Double-click Store Passwords Using Reversible Encryption. The default is disabled. If you enable this policy, all passwords are stored in a way that all applications are able access the password, which also makes them vulnerable to hackers to access.

15. Close the Local Security Policy editor.

The changes relating to local passwords become effective immediately once the policy is configured. Users with existing passwords can continue to use them until they need to be changed. The next time a user changes his or her password, the new password will need to conform with the settings in the Password Policy.

Configuring an account lockout policy

When you implement a strong password policy, it is recommended that you also configure account lockout policy, which helps to protect accounts from password-cracking tools, which can attempt thousands of different passwords every hour in the hope that they succeed. Within a local environment, even an employee can try to guess a password to gain access to a system.

This brute-force attack on a system cannot be prevented. However, you can implement measures within the Account Lockout Policy that monitor incorrect attempts to log in to a local device. If a brute-force attack is suspected (for example, five incorrect passwords are entered in quick succession), then the account can be locked for a period of time.

To define that lockout policy, use the following steps:

1. Log onto Windows 10 with administrative privileges.

2. Click Start and search for Secpol.msc.

3. Click the Secpol.msc link to open the Local Security Policy Editor.

4. Expand Account Policies and click Account Lockout Policy.

5. Double-click Account Lockout Threshold, enter 3, and click OK.

6. When the Account Lockout Threshold has been set, Windows suggests two other settings:

   • Account Lockout Duration This setting specifies how long, in minutes, the user account will remain locked once the threshold has been reached.

   • Reset Account Lockout Counter After This setting specifies how long, in minutes, before the count of incorrect passwords entered is set back to zero.

7. Leave these settings as recommended and click OK.

Configuring local policy

Local policies are used to control users once they have logged on and gained access to a system. You can configure policies that implement auditing, specify user rights, and set security options.

Audit Policy

Audit policies are used to track specified user actions on a device. These actions are recorded as a success or failure, such as accessing a file or being blocked from printing a document. Auditing is costly because system resources are required to constantly monitor a system and record actions to the audit logs. Audit settings can generate many log items, and this may impede a computer’s performance. Therefore, you should use auditing on selective actions and turn off the feature when it is no longer required.

Auditing allows you to create a history of specific tasks and actions, such as file access (Audit Object Access policy), user account deletion (Audit Account Management) or successful logon attempts (Audit Account Logon Events). Often, auditing is used to identify security violations that arise; security violations could include, for example, when users attempt to access system management tasks or files within File Explorer for which they do not have permission. In this example, failed attempts to access resources will be logged in the audit log, with details of the user account, time, and details of the resources for which access was denied because of insufficient privileges.

Configuring audit policy involves three components:

• Enable auditing within Local Policies for success or failure (or both) for specific events or actions.

• For object access, such as file system files and folders, enable auditing on the objects to be audited.

• Use Event Viewer to view the results of the audit in the security log.

To view the various settings that can be configured using audit policy, view the audit policy options in Table 2-15.

Table 2-15 Audit policy options

To configure an audit policy to monitor account logon events, use these steps:

1. Log onto Windows 10 with administrative privileges.

2. Click Start and search for Secpol.msc.

3. Click the Secpol.msc link to open the Local Security Policy Editor.

4. Expand Local Policies and click Audit Policy.

5. Double click the Audit Account Logon Events policy and check the Success and Failure boxes.

6. Click OK.

7. Log off the device and attempt to log back on as an Administrator, but use an incorrect password. Allow the logon to fail.

8. Log on as an administrator using the correct password.

9. Click Start and search for Event Viewer.

10. Click the Event Viewer app to open the Event Viewer.

11. Expand Windows Logs and select the Security log.

12. You should see the audited events listed with an Event ID of 4776 and a Task Category of Credential Validation, as shown in Figure 2-28.

    

User Rights Assignment

The user rights policies are used to determine what rights a user or group of users have on a device. Often, there is confusion between rights and permissions, and you should be clear that user rights, or privileges, apply to the system and relate to activities or tasks that the user can perform.

Some of the activities that you can grant to a user include:

• Add Workstations To Domain

• Allow Log On Locally

• Allow Log On Through Remote Desktop Services

• Back Up Files And Directories

• Change The System Time

• Deny Log On Locally

• Shut Down The System

• Take Ownership Of Files Or Other Objects

To configure a user to have the right to perform a backup of a device, use the following steps:

1. Log onto Windows 10 with administrative privileges.

2. Click Start and search for Secpol.msc.

3. Click the Secpol.msc link to open the Local Security Policy Editor.

4. Expand Local Policies and click User Rights Assignment.

5. Double-click the user right Back Up Files And Directories.

6. Click the Add User Or Group button. The Select Users Or Groups dialog box appears.

7. Type the name of the user or group to which you want to grant the right or click the Advanced button and then select Find Now. Select the user or group of users within the list.

8. Click OK.

9. Click OK in the Select Users Or Groups dialog box.

10. In the Back Up Files And Directories Properties dialog box, click OK.

Remember, a right authorizes a user to perform specific actions on a device, such as logging on to a computer interactively or backing up files and directories on a system. Before leaving this section, you should review the list of user rights policies, which can be found within the User Rights Assignment node of the Local Policies.

Security Options

The Security Options section of the local policies includes many options, which are used to allow or restrict activities on the device.

Some of the activities that you can configure with Security Options include:

• Accounts Block Microsoft Accounts

• Interactive Logon Do Not Require CTRL+ALT+DEL

• Interactive Logon Don’t Display Username At Sign-In

• User Account Control Admin Approval Mode For Built-In Administrator Account

Nearly all the several dozen settings have their default settings set to Not Defined. Once configured, a setting can be have the following statuses:

• Enabled or Disabled

• Text entry (For example, a user account name, or a system path.)

• Value (For example, the number of previous logons to cache for when a domain controller is not available.)

One area of the Security Options that you should pay attention to are the User Account Control (UAC) settings. We will cover UAC in detail in the next skill, but you should note that you can configure UAC using policy settings in this area of Local Policy.

Troubleshooting Tools

You can use many tools to investigate GPO-related issues, including the Resultant Set of Policy (RSoP.msc) tool within the GUI and Group Policy Result (GPResult) from the command line.

Standard users

Except for administrators, all users are standard users with few privileges and limited ability to make changes to the system, such as installing software or modifying the date and time. Standard user accounts are described as “operating with least privilege.” The list of system tasks that a standard user can perform include:

• Change the desktop background and modify display settings

• View firewall settings

• Change the time zone

• Add a printer

• Change their own user account password

• Configure accessibility options

• Configure power options

• Connect to a wireless or LAN connection

• Install drivers, either from Windows Update or those that are supplied with Windows 10

• Install updates by using Windows Update

• Use Remote Desktop to connect to another computer

• Pair and configure a Bluetooth device with the device

• Perform other troubleshooting, network diagnostic, and repair tasks

• Play CD/DVD media

• Restore own files from File History

• View most settings, although the elevated permissions will be required when attempting to change Windows settings

UAC prevents you from making unauthorized or hidden (possibly malware-initiated) changes to your system that require administrator-level permissions. A UAC elevation prompt is displayed to notify you, as follows:

• Prompt For Consent This is displayed to administrators in Admin Approval Mode whenever an administrative task is requested. Click Yes to continue if you consent.

• Prompt For Credentials This is displayed if you are a standard user attempting to perform an administrative task. An administrator needs to enter her password into the UAC prompt to continue.

When an administrator provides permissions to a standard user via a UAC prompt, the permissions are only temporarily operative, and the permissions are returned to a standard user level once the isolated task has finished.

Standard users can become frustrated when they are presented with the UAC prompt, and Microsoft has reduced the frequency and necessity for elevation. Following are some common scenarios wherein a standard user would be prompted by UAC to provide administrative privileges. You will see that they are not necessarily daily tasks for most users:

• Add or remove a user account

• Browse to another user’s directory

• Change user account types

• Change Windows Defender Firewall settings

• Configure Windows Update settings

• Install a driver for a device not included in Windows or Windows Update

• Install ActiveX controls

• Install or uninstall applications

• Modify UAC settings

• Move or copy files to the Program Files or Windows folders

• Restore system backup files

• Schedule Automated Tasks

Administrative users

Administrative users need to be limited to authorized personnel within the organization. In addition to the ability to perform all tasks that a standard user can perform, they also have the following far-reaching permissions:

• Read/Write/Change permissions for all resources

• All Windows permissions

From this, it looks like administrators have considerable power, which can potentially be hijacked by malware. Thankfully, by default, administrators are still challenged with the UAC prompt, which pops up when they perform a task that requires administrative permissions. However, they are not required to re-enter their administrative credentials. This is known as Admin Approval Mode.

A user who signs on to a system with administrative permissions will be granted two tokens:

• The first token enables him or her to operate as a standard user.

• The second token can be used when the administrator performs a task that requires administrative permissions.

Just as with the standard user, after the task is completed using elevated status, the account reverts to a standard-user privilege.

Types of elevation prompts

UAC has four types of dialog boxes, as shown in Table 2-16. The Description column explains how users need to respond to the prompt.

Table 2-16 UAC elevation prompts

Within large organizations, nearly all users will be configured to sign in to their computer with a standard user account. On a managed system that has been provisioned and deployed by the IT department, standard user accounts should have little need to contact the help desk regarding UAC issues. They can browse the Internet, send email, and use applications without an administrator account. Home users and small businesses that lack a centralized IT resource to provision and manage their devices are often found to use administrative user accounts.

As with previous versions of Windows, an administrator can determine when the UAC feature will notify you if changes are attempted on your computer.

To configure UAC, use the following procedure.

1. Log onto Windows 10 with administrative privileges.

2. Click Start and type UAC.

3. Click Change User Account Control Settings to be shown the User Account Control Settings screen where you can adjust the UAC settings, as shown in Figure 2-32.

   

You need to review the information on this dialog box by moving the slider to each position in order to determine how the UAC feature will behave with each setting. The default is Notify Me Only When Applications Try To Make Changes To My Computer.

Table 2-17 shows the four settings that enable customization of the elevation prompt experience.

Table 2-17 User Account Control Settings

The settings enable changes to the UAC prompting behavior only, and do not elevate the status of the underlying user account.

In addition to the UAC settings within the GUI, there are many more UAC security settings that can be configured via Group Policy. These can be found here: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.

Secure Desktop

When UAC prompts the user for consent or elevated credentials, it first switches to a feature called Secure Desktop, which focuses only on the UAC prompt. In addition, Secure Desktop prevents other applications (including malware) from interacting with the user or influencing the user response to the UAC prompt.

While it is possible for malware to generate a screen that imitates the look of Secure Desktop (and even re-create the visual UAC prompt), it is not possible for malware to actually provide UAC with the correct credentials. If a system was infected with malware, it could try to bypass the UAC security setting—using a bogus credential prompt to harvest usernames and passwords from unsuspecting users—and then use these credentials on genuine UAC prompts. Therefore, it is important that administrators are vigilant against potential malware attacks, and all devices are set to ensure that their malware protection is configured to automatically update.

Configure Firewall and Network Protection

Within the Windows Security app is the Firewall and Network Protection page. This page provides a unified interface for accessing firewall and network protection features, and consolidates several firewall-related components that are found within the Windows Defender Firewall in the Control Panel.

To access the Firewall and Network Protection page as shown in Figure 2-33, open Windows Security, and on the Home tab, click Firewall & Network Protection.

On the Firewall & network protection page, you can view the current Windows Defender Firewall status and access links to enable you to configure firewall behavior. Much of the functionality is duplicated between the Firewall & Network Protection page and Windows Defender Firewall. You can choose to perform the configuration and monitoring task outlined in this chapter using either tool. Eventually, the Windows Defender Firewall located within the Control Panel will be deprecated.

Configure Windows Defender Firewall

Windows Defender Firewall is a software-based firewall built into Windows 10 that creates a virtual barrier between a computer and the network to which it is connected. Windows Defender Firewall protects the computer from unwanted incoming traffic and protects the network from unwanted outgoing traffic.

To access the Windows Defender Firewall, click Start, type Firewall, and then click Windows Defender Firewall.

A firewall allows specific types of data to enter and exit the computer while blocking other data; settings are configured by default (but they can be changed). This type of protection is called filtering. The filters are generally based on IP addresses, ports, and protocols. A description for each filter type includes:

• IP addresses are assigned to every computer and network resource connected directly to the network. The firewall can block or allow traffic based on an IP address of a resource (or a scope of addresses).

• Port numbers identify the application that is running on the computer. For example

  • Port 21 is associated with the File Transfer Protocol (FTP).

  • Port 25 is associated with Simple Mail Transfer Protocol (SMTP).

  • Port 53 is associated with DNS.

  • Port 80 is associated with Hypertext Transfer Protocol (HTTP).

  • Port 443 is associated with HTTPS (HTTP Secure).

• Protocols are used to define the type of packet being sent or received. Common protocols are TCP, Telnet, FTP, HTTP, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), HTTPS, and User Datagram Protocol (UDP). (You should be familiar with the most common protocols before taking the exam.)

Although there are many rules already configured for the firewall, you can create your own inbound and outbound rules based on ports, protocols, programs, and more to configure the firewall to suit your exact needs.

Monitor the Windows Defender Firewall

You can monitor the state of the Windows Defender Firewall from either the Firewall & Network Protection area or the Windows Defender Firewall. It’s easy to tell from here if the firewall is on or off and which is the active network.

To make basic changes to the state of the firewall within the Firewall & Network Protection area, select the network and choose to turn the Windows Defender Firewall on or off. On the left pane of Windows Defender Firewall, click Turn Windows Defender Firewall On Or Off. From there, you can change settings for both private and public networks. There are two options for each:

• Turn On Windows Defender Firewall (selected by default)

  • Block All Incoming Connections, Including Those In The List Of Allowed Apps

  • Notify Me When Windows Defender Firewall Blocks A New App (selected by default)

• Turn Off Windows Defender Firewall (not recommended)

You can also use the links on the page to allow an app or feature through the firewall and the links to the advanced settings options.

Allow an app through the Windows Defender Firewall

Some data generated with and by specific apps is already allowed to pass through the Windows Defender Firewall. You can see the list of which apps are allowed by clicking Allow An App Or Feature Through Windows Defender Firewall in the left pane of the Windows Defender Firewall window in Control Panel. As you scroll through the list, you’ll see many apps (some you recognize and some you don’t), including Candy Crush Saga, Cortana, Groove Music, and of course, Microsoft Edge.

You can modify which firewall profile apps can use by clicking the Change Settings button and providing administrator approval to the UAC prompt. The list will be editable. You will notice from the list that not all apps listed are enabled by default, including Windows Media Player Netlogon Service, Windows Remote Management, and Remote Shutdown. The list of apps and settings may vary depending upon your existing configurations.

If you don’t see the app you want to allow or block, click Allow Another App. You can then browse to the app executable and select the app from the list of applications in the Add An App dialog box, as shown Figure 2-34. You can configure the app to allow or stop it from communicating through the appropriate network profile by selecting the network type option in the dialog box. For existing apps, you can choose the network profile within the Allow An App Or Feature Through Windows Defender Firewall dialog box. There are two checkbox options for each app: Private and Public.

You can also configure Windows Defender Firewall by using either the command line tool Netsh.exe or by using Windows PowerShell. For example, to configure an app exception in Windows Defender Firewall with Netsh.exe, run the following command.

Click here to view code image

netsh firewall add allowedprogram C:Program Files (x86)MyAppMyApp.exe "My Application" ENABLE

There are a significant number of Windows PowerShell cmdlets that you can use to configure and control Windows Defender Firewall. For example, to allow a new app through the firewall, you can use the following command.

Click here to view code image

New-NetFirewallRule -DisplayName "Allow MyApp" -Direction Inbound -Program "C:Program
Files (x86)MyAppMyApp.exe" -RemoteAddress LocalSubnet -Action Allow

Configure Windows Defender Firewall with Advanced Security

Although you can configure a few options in the main Windows Defender Firewall window, you can perform more advanced firewall configurations by using the Windows Defender Firewall With Advanced Security management console snap-in, as shown in Figure 2-35. To access the snap-in, from Windows Defender Firewall, click the Advanced Settings link on the Firewall & Network Protection page within Windows Security or from the Windows Defender Firewall.

The Windows Defender Firewall With Advanced Security configuration is presented differently. Traffic flow is controlled by rules, and there is a Monitoring node for viewing the current status and behavior of configured rules.

Once opened, there are several options and terms with which you need to be familiar.

• In the left pane, your selection determines which items appear in the middle and right panes.

  • Inbound Rules Lists all configured inbound rules and enables you to double-click any item in the list and reconfigure it as desired. Some app rules are predefined and can’t be modified, although they can be disabled. Explore the other nodes as time allows. You can also right-click Inbound Rules in the left pane and create your own custom rule. Rule types include Program, Port, Predefined, and Custom. They are detailed later in this section.

  • Outbound Rules Offers the same options as Inbound Rules, but these apply to outgoing data. You can also right-click Outbound Rules in the left pane and create your own custom rule.

• Connection Security Rules Connection security rules establish how computers must authenticate before any data can be sent. IP Security (IPsec) standards define how data is secured while it is in transit over a TCP/IP network, and you can require a connection to use this type of authentication before computers can send data. You’ll learn more about connection security rules in the next section.

  • Monitoring Offers information about the active firewall status, state, and general settings for both the private and public profile types.

• In the right pane, you’ll see the options that correspond to your selection in the left pane.

  • Import/Export/Restore/Diagnose/Repair Policies Enables you to manage the settings you’ve configured for your firewall. Polices use the WFW extension.

  • New Rules Enables you to start the applicable Rule Wizard to create a new rule. You can also do this from the Action menu.

  • Filter By Enables you to filter rules by Domain Profile, Private Profile, or Public Profile. You can also filter by state: Enabled or Disabled. Use this to narrow the rules listed to only those you want to view.

  • View Enables you to customize how and what you view in the middle pane of the Windows Defender Firewall With Advanced Security window.

When you opt to create your own inbound or outbound rule, you can choose from four rule types. A wizard walks you through the process, and the process changes depending on the type of rule you want to create. The rules are as follows:

• Program A program rule sets firewall behavior for a specific program you choose or for all programs that match the rule properties you set. You can’t control apps, but you can configure traditional EXE. Once you’ve selected the program for which to create the rule, you can allow the connection, allow the connection only if the connection is secure and has been authenticated using IPsec, or block the connection. You can also choose the profiles to which the rule will be applied (domain, private, or public) and name the rule.

• Port A port rule sets firewall behavior for TCP and UDP port types and specifies which ports are allowed or blocked. You can apply the rule to all ports or only ports you specify. As with other rules, you can allow the connection, allow the connection only if the connection is secured with IPsec, or block the connection. You can also choose the profiles to which the rule will be applied (domain, private, public) and name the rule.

• Predefined This sets firewall behavior for a program or service that you select from a list of rules that are already defined by Windows.

• Custom This is a rule you create from scratch, defining every aspect of the rule. Use this if the first three rule types don’t offer the kind of rule you need.

With Windows Defender Firewall With Advanced Security selected in the left pane and using the Overview section of the middle pane, click the Windows Defender Firewall Properties link to see the dialog box shown in Figure 2-36. From here, you can make changes to the firewall and the profiles, even if you aren’t connected to the type of network you want to configure.

In Figure 2-36, the Domain Profile tab is selected. If you want, you can configure the firewall to be turned off when connected to a domain network. Additionally, you can strengthen the settings for the Public Profile and customize settings for the Private Profile. Finally, you can customize IPsec defaults, exemptions, and tunnel authorization on the IPsec Settings tab. Make sure to explore all areas of this dialog box and research any terms with which you are not familiar.

Configure connection security rules with IPsec

By default, Windows 10 does not always encrypt or authenticate communications between computers (there are exceptions). However, you can use Windows Defender Firewall With Advanced Security connection security rules to apply authentication and encryption to network traffic in your organization.

You can use IPsec network data encryption to ensure confidentiality, integrity, and authentication in data transport across channels that are not secure. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation.

If you implement IPsec properly, it provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data. IPsec provides the following functionality:

• Offers mutual authentication before and during communications

• Forces both parties to identify themselves during the communication process

• Enables confidentiality through IP traffic encryption and digital-packet authentication

Connection security rules are used to force authentication between two peer computers before they can establish a connection and transmit secure information. To secure traffic with IPsec using a connection security rule, you must allow the traffic through the firewall by creating a firewall rule. Connection security rules do not apply to programs and services. Instead, they apply only between the computers that are the two endpoints.

Windows Defender Firewall with Advanced Security uses IPsec to enforce the following configurable rules:

• Isolation An isolation rule isolates computers by restricting connections based on credentials, such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

• Authentication Exemption You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.

• Server-To-Server This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication that you want to use.

• Tunnel This rule allows you to protect connections between gateway computers. It is typically used when you are connecting across the Internet between two security gateways.

• Custom There might be situations in which you cannot configure the authentication rules that you need by using the rules available in the New Connection Security Rule Wizard. However, you can use a custom rule to authenticate connections between two endpoints.

Creating Firewall rules

To create a rule, from within the Windows Defender Firewall With Advanced Security management console, first select the appropriate node and then click New Rule from the Actions pane. You can then complete the wizard to create your rule. As an example, to create a new inbound rule to enable network traffic for a program, perform the following procedure.

1. Click Inbound Rules and then click New Rule in the Action pane.

2. On the Rule Type page, click Program and then click Next.

3. On the Program page, click This Program Path, browse and select the program executable, and then click Next.

4. On the Action page, choose Allow The Connection and click Next.

5. On the Profile page, select which network location profiles are affected by the rule and click Next.

6. Provide a name and description for your rule and click Finish.

In addition to using the Windows Defender Firewall With Advanced Security management console, you can also use the following Windows PowerShell cmdlets to configure and manage firewall settings and rules.

• Get-NetFirewallRule Displays a list of available firewall rules

• Enable-NetFirewallRule Enables an existing firewall rule

• Disable-NetFirewallRule Disables an existing firewall rule

• New-NetFirewallRule Creates a new firewall rule

• Set-NetFirewallRule Configures the properties of an existing firewall rule

Implement Encrypting File System

The built-in Encrypting File System (EFS) is a very powerful method of restricting access to files within a NTFS environment. Although EFS has been available since Windows 2000, very few organizations routinely implement file- and folder-level encryption. Most organizations requiring encryption will choose to use BitLocker Drive Encryption, which encrypts complete drives.

Where EFS is utilized, most issues reported to the help desk relating to EFS often result from an over-enthusiastic member of staff encrypting some of their own files. By default, they have permission to encrypt their own files because they have the Creator Owner special identity.

The best way to ensure that EFS is not inadvertently used, potentially causing problems later, is to implement some or all the following measures:

• Stand-alone computers that are not domain-joined should backup their encryption keys to ensure they can be used for recovery purposes later.

• Explain the (strict) usage criteria of EFS in the staff handbook / policy.

• Train IT staff on the use of EFS and the potential implications of unauthorized usage.

• Plan and document where EFS will be applied and who will apply it.

• Sufficient restrictions placed across the domain to prevent unauthorized use of EFS.

• Implementation of an EFS Data Recovery Agent (DRA) so that if EFS is misused, then an Administrator within the organization can recover any encrypted files.

• Implement employee-leaving procedures and scan for encrypted files to ensure all encrypted files are decrypted or ownership transferred.

• Disable, rather than delete, user accounts for a fixed time period in case the user account needs to be reactivated in order to remove EFS from corporate resources.

It’s necessary to ensure that selected users and members of IT departments appreciate that EFS is an extremely secure method of protecting files and often, this level of protection is not necessary. Only the original file owner who applied the encryption can access the file and remove the encryption.

If an organization does not have a DRA in place, one needs to be created as soon as possible. Doing so will enable subsequent files encrypted with EFS to be decrypted by the DRA, if needed.

The process for creating a DRA certificate in Windows 10 for a device that is not domain joined can be performed using this procedure:

1. Open a PowerShell window, or a command prompt window. (This does not require administrative privilege.)

2. Navigate to the location where you want to store your DRA certificate.

3. Type cipher /r: file name and press Enter.

4. Provide a password to protect the DRA certificate. (This can be null.)

To install the DRA so that a user can use it, follow these steps:

1. Sign in with the user credentials of the user for whom you want to create access to the DRA.

2. In the search box, type secpol.msc and press Enter.

3. In the left pane of Local Security Policy, double-click Public Key Policies, right-click Encrypting File System, and then click Add Data Recovery Agent.

4. In the Add Recovery Agent Wizard, click Next.

5. Browse to the location of the DRA recovery certificate. (It will have a .cer file extension.)

6. Select the certificate, and then click Open.

7. When you are asked if you want to install the certificate, click Yes > Next > Finish.

8. In the right pane of Local Security Policy, scroll across and note that the Intended Purposes for the certificate is File Recovery.

9. Open a Command Prompt window, type gpupdate, and press Enter to update Group Policy.

Once the DRA has been created, all EFS encrypted files can be recovered by the DRA.

The encrypted files that are already encrypted are not automatically updated when a DRA is created. Existing encrypted files cannot be recovered by the DRA unless they are opened and closed by the resource owner, which causes the DRA to update the file. To update all encrypted files on a local drive, you can type cipher.exe /u in an elevated command prompt on the system containing the encrypted files.

Encrypt Files and Folders by Using Encrypting File System

When used with a Data Recovery Agent (DRA), Encrypting File System (EFS) is a very secure method to protect sensitive data by encrypting files and folders. Because EFS was first introduced in Windows 2000, EFS often suffers from being dismissed as being old or obsolete. Many people pass over EFS in favor of BitLocker Drive Encryption or BitLocker To Go. Don’t be fooled, though. EFS offers functionality that BitLocker does not, and despite EFS having been available for many years, it still offers an incredibly secure method of enterprise-grade encryption.

It is important to use EFS and a DRA together. Without a DRA available within your organization, you may never regain access to an EFS-encrypted resource. The DRA will help to recover data if the encryption key is deleted or if the machine has been lost or compromised.

EFS offers encryption at a file and folder level, and it cannot be used to encrypt an entire hard disk. Instead, you would use BitLocker (covered later in this section) to encrypt an entire drive. Users can encrypt any file or folder they have created on an NTFS-formatted hard disk by right-clicking the resource and selecting Properties from the context menu that appears. In the Advanced Attributes dialog box (shown in Figure 2-37) select the option to Encrypt Contents To Secure Data.

Encryption should not be used without prior planning and establishing some safeguards to secure the encryption keys that are used. EFS protects data from unauthorized access, and it is especially effective as a last line of defense from attacks, such as physical theft.

EFS uses Windows Public Key Infrastructure (PKI) and a fast encryption algorithm to protect files. The public and private keys generated during encryption ensure that only the user account that encrypted the file can decrypt it. Encrypted data can be decrypted only if the user’s personal encryption certificate is available, which is generated through the private key. Unless exported by the user, this key cannot be used by anyone else, and EFS prevents any access to the data. EFS will prevent attempts to copy or move encrypted data by anyone except users who have the proper credentials. If the user deletes his account or leaves the company, any encrypted resources will not be accessible, which could lead to data being lost. The only way to prevent data loss is to ensure that a DRA has previously been created, so that an administrator can use the DRA to decrypt the resource.

Here are some key points you need to learn about EFS:

• The process of encryption and decryption happens behind the scenes and is not visible to users.

• Encryption occurs when you close files; decryption occurs when you open them.

• EFS is available only on NTFS volumes.

• EFS keys aren’t assigned to a computer; they are assigned to a specific user.

• If a hacker gains access to the user’s PC while he is signed in, they will be able to access and open EFS-protected files.

• The file owner can move or copy an EFS-protected file.

• You can’t use EFS and compression together. It’s one or the other.

• If the file owner moves an EFS-protected file to a volume that does not support EFS (such as FAT32), the file will be decrypted.

• Encrypted files and folders are no longer colored green in File Explorer; now they include a padlock icon on each file, as shown in Figure 2-38.

• EFS uses Advanced Encryption Standard (AES), which uses a 256-bit key algorithm, which is a very credible industry standard of encryption.

• EFS is only available on Windows 10 Pro, Enterprise, and Education editions.

By default, any user can use EFS to encrypt any file of which they have ownership. Unless company policy requires EFS, you should consider disabling EFS within Group Policy until a DRA is created.

It is very important that a DRA is in place before EFS is enabled. Without a DRA, even an administrator is unable to recover EFS-protected files and folders. For the exam, you need to be able to configure a DRA using the command-line tool Cipher.exe.

Once you have created a DRA, you should update the encryption of each currently encrypted file to have the new DRA applied by using cipher /u. You can continue to encrypt your files and folders within File Explorer using the Encrypt Contents To Secure Data option shown later in Figure 2-38.

Note Dra and Efs: the Sequence is Important

Only encrypted files that are created after the DRA has been created can be recovered using the DRA.

Perform Backup and Recovery of Efs-Protected Files

Built into Windows is a wizard for users who want to use EFS to create a file encryption certificate and key and back up these files. After you first encrypt files or folders, you will see the EFS pop-up notification in the notification area of the desktop asking you to back up your encryption key.

You can use the following steps to start the wizard and complete the process to configure an EFS certificate.

1. Open Control Panel and select User Accounts.

2. Click Manage Your File Encryption Certificates to open the Encrypting File System Wizard.

3. Click Next. The wizard asks for your file encryption certificate; you can select your existing certificate, or you can create a new certificate.

4. Click Create A New Certificate, and then click Next.

5. On the Create A Certificate page, select Make A New Self-Signed Certificate And Store It On My Computer and click Next.

6. Provide a backup location and password and click Next.

7. On the Update Your Previously Encrypted Files page, select All Logical Drives and click Next.

8. On the Your Encrypted Files Have Been Updated page, click Close.

In addition to the Cipher.exe command-line tool, you can also use the Certificates MMC (CertMgr.msc) to manage or back up your personal EFS certificate. You can also import your certificates to a new computer that doesn’t already contain your certificate. In the event of your certificate being lost, perhaps due to a failed computer or corrupted profile, you can import the DRA certificate onto a new computer, which would allow recovery of the encrypted files.

To import your EFS certificate into your personal certificate store via the Certificate Import Wizard, you should follow these steps:

1. Open Certificates MMC, by typing CertMgr.msc into the search box, and then press Enter.

2. Select the Personal folder.

3. Click Action > All Tasks > Import.

4. Work through the Certificate Import Wizard to import the .pfx certificate.

Need More Review? Cipher.Exe

For more information about Cipher.exe, refer to https://docs.microsoft.com/windows-server/administration/windows-commands/cipher.

Some of the most common parameters used with the Cipher.exe command include:

• /c Displays information about an encrypted file

• /d Decrypts specified files and directories

• /s:<directory> Performs the specified operation on all subdirectories in the specified directory

• /u Updates all encrypted files on the local drives (useful if you need to update previously encrypted files with a new recovery certificate)

• /u /n Finds all encrypted files on a local drive

• /? Displays help

• /x Backs up the EFS certificate and keys to the specified file name

• /r:<FileName> Generates an EFS recovery agent key and certificate, based on the user account, then writes them to a .pfx file (Personal Information Exchange file, which contains a certificate and private key) and a .cer file (Security Certificate file, which contains only the certificate)

After you have encrypted your first file or folder, Windows 10 will prompt you to make a backup of the EFS certificate and key, as shown in Figure 2-38. This reminder will appear in the notification area and it will re-appear on a regular basis until you back up the EFS certificate and key or choose to Never Back Up the files. You need to ensure you do take a backup and store this safely in a separate location from that of the files.

Understand Bitlocker Key Protectors

BitLocker offers users several protection options. Administrators can choose which type of protection users should adopt to unlock a BitLocker-encrypted drive. BitLocker supports multifactor authentication for operating system drives, allowing you to require additional authentication, such as adding a smart card or a USB drive with a startup key on it or requiring a PIN on start up. These are called key protectors.

BitLocker offers multiple key protectors that can be used to unlock a protected system. These are as follows:

• TPM + startup PIN + startup key This is the most secure combination. The encryption key is stored on the TPM chip. The user might find this option cumbersome because it requires multiple authentication tasks.

• TPM + startup key The encryption key is stored on the TPM chip. The user needs to insert a USB flash drive that contains a startup key.

• TPM + startup PIN The encryption key is stored on the TPM chip. The user needs to enter a PIN to unlock the device.

• Startup key only The user needs to insert a USB flash drive with the startup key on it. The device doesn’t need to have a TPM chip. The BIOS must support access to the USB flash drive before the operating system loads.

• TPM only The encryption key is stored on the TPM chip, and no user action is required.

With all the BitLocker authentication methods, the drive is encrypted until unlocked. When the BitLocker encrypted drive is in recovery mode, you can also unlock the drive by using either the recovery password or recovery key.

• Recovery password This is a 48-digit number typed on a regular keyboard, or by using the function keys (F1–F10) to input the numbers.

• Recovery key This is an encryption key created when BitLocker is first employed and is used for recovering data encrypted on a BitLocker volume. Often, the encryption key is stored on removable media.

Because the TPM chip together with BitLocker protects the hard drive, administrators can also configure BitLocker to operate without additional unlock steps; provided the device (and TPM) recognize the drive, then it will be unlocked.

With BitLocker enabled, the drive is no longer susceptible to data theft. On a system that is not encrypted, simply removing the drive from the PC, and attaching it as a slave to another PC allows the data to be read, which bypasses all NTFS security.

Enable Bitlocker Without a Tpm

By default, a modern Windows device such as a Surface Pro will contain a TPM, and BitLocker Drive Encryption will be already enabled when shipped. When the user signs onto the device for the first time with a Microsoft account, the recovery key is saved to their Microsoft account.

If a TPM isn’t found, click Cancel on the BitLocker Drive Encryption, and follow the displayed instructions to configure the Require Additional Authentication At Startup GPO located in Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System Drives. Enable this GPO and select the Allow BitLocker Without A Compatible TPM check box, as shown in Figure 2-39.

A new GPO is included with Windows 10 and can be found at Computer ConfigurationPolicies Administrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System DrivesConfigure Pre-boot Recovery Message And URL. This GPO enables administrators to configure a custom recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. This allows administrators to provide information to the user, such as help desk support contact information.

Configure Bitlocker

To use BitLocker to encrypt the operating system drive on a supported Windows 10 device, the drive must be formatted as NTFS. Perform these steps to encrypt the drive using BitLocker:

1. Launch Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. Select the operating system drive and click Turn On BitLocker. (If you receive an error that the device can use a TPM chip, either enable the TPM within the BIOS or Unified Extensible Firmware Interface (UEFI) settings or enable the Require Additional Authentication At Startup Group Policy setting, which is referred to earlier in this section.)

3. On the BitLocker Drive Encryption Setup page, click Next.

4. On the Preparing Your Drive for BitLocker page, if prompted, click Next. (If your system has a Windows Recovery Environment, this will need to be manually enabled and moved to the system drive after the drive is encrypted.)

5. If you are presented a warning message regarding the Windows Recovery Environment, click Next.

6. Choose how to unlock your drive at startup. (Enter A Password is used in this example.)

7. Enter the password, re-enter to confirm and then click Next.

8. On the How Do You Want To Back Up Your Recovery Key page, select one of the options, then click Next and back up your key. (Optionally, you can choose to back up the key in a secondary location.)

9. On the Choose How Much Of Your Drive To Encrypt page, select to encrypt either the used disk space or the entire drive and click Next.

10. On the Choose Which Encryption Mode To Use page, select either the newest encryption mode or the compatible mode and click Next.

11. On the Are You Ready To Encrypt This Drive page, chose to allow the option BitLocker system check to take place (default), or deselect the option and then click Continue.

12. Restart the PC, enter the BitLocker password and allow the drive to be encrypted in the background.

13. In the taskbar notification area, there should be an icon indicating that BitLocker Drive Encryption is in progress.

From within the BitLocker Drive Encryption page in the Control Panel, you can review the BitLocker status and perform additional tasks, including suspending protection, backing up your recovery key, changing the BitLocker password, removing the password, and turning off BitLocker.

Configure Bitlocker Using Command-Line Tools

Administrators can also manage BitLocker Drive Encryption using the command-line tool Manage-bde.exe or by using the Command Prompt, PowerShell, and WMI. Managing recovery keys is discussed later.

There are many parameters that can be used with Manage-bde to manage BitLocker, as listed in Table 2-18.

Table 2-18 Manage-bde command line tool parameters

Windows 10 offers built-in support for BitLocker PowerShell cmdlets, as listed in Table 2-19. You can also use Get-help <BitLocker cmdlet>, such as Get-Help Enable-BitLocker -examples.

Table 2-19 BitLocker PowerShell cmdlets

Using PowerShell, you can obtain very detailed information from systems, including status, key protectors used, encryption method, and type. If you run the Get-BitLockerVolume | format-list cmdlet to provide information about an encrypted drive without first unlocking the drive, the amount of information obtained will be restricted.

Upgrade a Bitlocker-Enabled Computer

BitLocker is designed to protect your computer from pre-boot changes, such as updating the BIOS or UEFI. If you upgrade your computer, for example, with a BIOS firmware upgrade, this can cause the TPM to perceive it is under attack. In order to prevent Windows 10 from entering BitLocker recovery mode, it’s recommended that some precautions are taken while upgrading a BitLocker-enabled computer. Prior to updating the BIOS, you should carry out the following steps:

1. Temporarily suspend BitLocker by opening the BitLocker Drive Encryption in Control Panel and selecting Suspend Protection on the operating system drive, which places it in disabled mode.

2. Upgrade the system or the BIOS.

3. BitLocker protection will be automatically turned back on following a reboot, but if this default behavior has been modified, you should turn BitLocker on again by opening BitLocker Drive Encryption in Control Panel and select Resume Protection on the operating system drive.

Forcing BitLocker into disabled mode keeps the data encrypted, with the volume master key encrypted with a clear key. The availability of this unencrypted key disables the data protection that BitLocker offers, but it ensures that the subsequent computer startup will succeed without further user input. After the BIOS upgrade, BitLocker is re-enabled so that the unencrypted key is erased from the disk and BitLocker protection is functional again. The encryption key will be resealed with the new key that has been regenerated to incorporate new values of the measured components that may have changed during the system upgrade.

Move a Bitlocker-Encrypted Drive to Another Computer

Moving a BitLocker-encrypted drive to another BitLocker-enabled computer requires that you turn off BitLocker temporarily (by using the Suspend Protection option). After the move is complete, you need to re-enable BitLocker, which will then resume BitLocker protection.

The PowerShell command for suspending BitLocker encryption on the system drive is:

Click here to view code image

Suspend-BitLocker -MountPoint "C:"

Sometimes a system change can cause the BitLocker system integrity check on the operating system drive to fail. This prevents the TPM from releasing the BitLocker key to decrypt the protected operating system drive and requires the user to enter recovery mode. Examples of system changes that can result in a BitLocker system integrity check failure include:

• Moving the BitLocker-protected drive to a new computer

• Installing a new motherboard with a new TPM

• Turning off, disabling, or clearing the TPM

• Making changes to any boot configuration settings

• Making changes to the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data

When Windows 10 upgrades itself from one version to another, such as 1803 to 1809, there should be no issues with BitLocker because the system will automatically perform the suspend and resume actions during the process.

Configure Startup Key Storage and Recovery Options

You know that without access to the encryption key contained in the TPM or stored in the startup key, you are unable to unlock a BitLocker-encrypted drive.

You should ensure that you’re familiar with BitLocker-related terminology:

• Recovery password and recovery key When you first configure BitLocker, it will create a recovery key and prompt you to store it safely. You’ll need to provide this recovery key if the TPM is unable to validate that the drive hasn’t been tampered with or if the startup key, password, or PIN have not been supplied during boot time.

• Password A password or passphrase is created to protect fixed, removable, and operating system drives with or without a TPM. The password length can be set in Group Policy and can consist of eight to 255 characters.

• PIN When you use a TPM, you can configure BitLocker with a PIN that the user must type during the initial startup of the device to allow Windows 10 to start. The PIN can consist of between 4 to 20 digits, and the length can be set in the Configure Minimum PIN Length For Startup Group Policy setting.

• Enhanced PIN This enables administrators to force the use of a complex PIN, just like a password or passphrase (including spaces), by configuring the Allow Enhanced PINs For Startup GPO setting. This policy is applied when you turn on BitLocker and is configurable only for operating system drives.

• Startup key This is stored on a USB flash drive and can be used with or without a TPM. To use this method of unlock, the USB flash drive must be inserted every time the computer starts. The USB flash drive can be formatted by using NTFS, FAT, or FAT32.

• TPM Lockout By default, TPM 2.0 will lock the user out for two hours whenever the TPM is under attack. (TPM 1.2 lockout duration varies by manufacturer.)

Configure Bitlocker to Go

A portable version of BitLocker, BitLocker To Go, is aimed at protecting removable USB devices and uses the same technology as BitLocker Drive Encryption, but it does not require use of a TPM. BitLocker To Go can protect flash drives, Secure Digital (SD) cards, and removable hard disks formatted with NTFS, FAT16, FAT32, or exFat file systems. BitLocker To Go is available for users with Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.

To create a BitLocker To Go drive, follow these steps:

1. Insert a removable drive.

2. Open Windows Explorer (though it may open automatically).

3. Right-click the removeable drive and select Turn BitLocker On.

4. After the BitLocker Drive Encryption wizard initializes, choose how to unlock the drive and click Next.

5. On the How Do You Want To Back Up Your Recovery Key? Page, choose an option and then once the password is saved, click Next.

6. On the Choose How Much Of Your Drive To Encrypt page, select to encrypt either the used disk space or the entire drive and click Next.

7. On the Choose Which Encryption Mode To Use page, select either the newest encryption mode or the compatible mode and click Next.

8. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

9. The encryption process will commence. Once complete, you can close the wizard.

If the option to encrypt the drive is not available, you need to check to ensure you are using a supported version of Windows and that the feature has not been disabled by Group Policy.

Once a removable drive has been encrypted, each time you insert the removable drive into a device, you will need to unlock it with one of the following methods:

• A recovery password or passphrase. (This complexity can be set within Group Policy.)

• A smart card.

• Always auto-unlock this device on this PC.

The last option is very useful for users who frequently use removable drives because it reduces the likelihood of frustration of entering the password every time they use their removable drives. If the removable drive is used on other devices once the user unlocks the removable drive, it can also be configured to auto-unlock if required.

Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. They are also able to change their own password for encrypted drives via BitLocker Drive Encryption in Control Panel. However, if a user loses or forgets the password for the data or removable drive, you need to have access to the BitLocker recovery key to recover the data and unlock the drive.

The following GPOs are available within the BitLocker To Go settings found at Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionRemovable Data Drives:

• Control use of BitLocker on removable drives.

• Configure use of smart cards on removable data drives.

• Deny Write access to removable drives not protected by BitLocker.

• Configure use of hardware-based encryption for removable data drives.

• Enforce drive-encryption type on removable data drives.

• Allow access to BitLocker-protected removable data drives from earlier versions of Windows.

• Configure use of passwords for removable data drives.

• Choose how BitLocker-protected removable data drives can be recovered.

Users of Windows 10 Home cannot encrypt removable data drives, but they can access BitLocker To Go enabled data drives and have read-only access to the data, if they provide the correct recovery password, passphrase, or smart card.

Understand Bitlocker and Bitlocker to go Data Recovery

You need to support users who have devices that will not boot into Windows because of BitLocker-related issues during boot time. There are several situations in which BitLocker will enter into BitLocker recovery mode because of a perceived threat to the system, such as one of the following:

• Repeatedly failing to provide the startup password.

• Changing the startup boot order to boot another drive in advance of the hard drive.

• Changing the NTFS partition table, such as creating, deleting, or resizing a primary partition.

• Entering the PIN incorrectly too many times so that the anti-hammering logic of the TPM is activated.

• Turning off, disabling, deactivating, or clearing the TPM.

• Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

• Adding or removing hardware (for example, inserting a new motherboard or video card into the computer).

• You can also force a BitLocker-protected device into recovery mode by pressing the F8 or F10 key during the boot process.

When the device has entered the BitLocker recovery mode, you need to recover the drive by using one of these methods:

• Supply the 48-digit recovery password.

• Allow a domain administrator to obtain the recovery password from Active Directory, which may or may not use Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0. MBAM is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance.

• Allow an administrator to obtain the recovery password from Azure Active Directory.

• Run a script to reset the password, using PowerShell or VBScript, which uses the key package.

For standalone and small-business users, the BitLocker recovery key is stored in the user’s Microsoft account at https://onedrive.live.com/recoverykey. You will need to use the keyboard number or function keys to enter the number to unlock the drive. Once the operating system has started, users can then re-create a new startup key; otherwise, the BitLocker recovery mode will remain in place.

For corporate users, there are several settings that can be configured in Group Policy that will define the recovery methods that require Windows to save BitLocker recovery information to Active Directory. The GPOs found in the subfolders of Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption are as follows:

• Choose how BitLocker-protected operating system drives can be recovered

• Choose how BitLocker-protected fixed drives can be recovered

• Choose how BitLocker-protected removable drives can be recovered

For each of these GPOs, you can also enable the Do Not Enable BitLocker Until Recovery Information Is Stored In Active Directory check box to keep users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to Active Directory has succeeded.

Once BitLocker recovery information has been saved in Active Directory, the recovery information can be used to restore access to a BitLocker-protected drive by using the Manage-bde command-line tool introduced earlier.

In an Azure Active Directory environment, you can locate the BitLocker key within the Azure Active Directory Admin Center. Locate the device, and if the Windows 10 machine has been encrypted, you can use the BitLocker recovery key or provide it to the user to recover his or her device.

To view or copy the BitLocker keys within Azure Active Directory, you need to be either the device owner or have one of the following roles assigned.

• Global Administrator

• Helpdesk Administrator

• Security Administrator

• Security Readers

• Intune Service Administrator