Configure local accounts

Local accounts, as the name suggests, exist in the local accounts database on your Windows 10 device; they can only be granted access to local resources and, where granted, exercise administrative rights and privileges on the local computer.

When you first install Windows 10, you are prompted to sign in using a Microsoft account or a Work Account, such as a Microsoft 365 account that is connected to Azure Active Directory. If neither of these options is available or suits your requirements, you can choose an offline account and create a local account to sign in. Thereafter, you can create additional local user accounts as your needs dictate.

Default accounts

In Windows 10, there are three default local user accounts on the computer in the trusted identity store. This is a secure list of users and groups and is stored locally as the Security Accounts Manager (SAM) database in the registry. The three accounts are the Administrator account, the Default Account, and the Guest account.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. When the default administrator account is enabled, it requires a strong password. Another local account called the HelpAssistant account is created and enabled when a Windows Remote Assistance session is run. The HelpAssistant account provides limited access to the computer to the person who provides remote assistance. The HelpAssistant account is automatically deleted if there are no Remote Assistance requests pending.

When you install Windows 10 using a local account, you can create additional user accounts and give these accounts any name that is valid. To be valid, the username

• Must be from 1 to 20 characters

• Must be unique among all the other user and group names stored on the computer

• Cannot contain any of the following characters: / [ ] : ; | = , + ? < > " @

• Cannot consist exclusively of periods or spaces

The initial user account created at installation is a member of the local Administrators group and therefore can perform any local management task on the device. You can view the installed accounts, including the default accounts, by using the Computer Management console, as shown in Figure 2-1. If you cannot find the Local Users And Groups section within Computer Management, then you are probably running Windows 10 Home Edition, which does not have the Local Users And Groups Microsoft Management Console (MMC) snap-in.

You can also use the net user command and the get-wmiobject -class win32_useraccount Windows PowerShell cmdlet to list the local user accounts on a device.

Manage local user accounts

You can manage local user accounts by using Computer Management (except with Windows 10 Home edition), Control Panel, the Settings app, and Windows PowerShell.

Using Computer Management

To manage user accounts by using Computer Management, right-click Start and then select Computer Management. Expand the Local Users and Groups node and then select Users. To create a new user, right-click the Users node and select New User.

In the New User dialog box, configure the following properties, as shown in Figure 2-2, and then select Create.

• User Name

• Full Name

• Password

• User Must Change Password At Next Logon

• User Cannot Change Password

• Password Never Expires

• Account Is Disabled

After you have added the new user account, you can modify more advanced properties by double-clicking the user account. On the General tab, you can change the user’s full name and description and password-related options. On the Member Of tab, you can add the user to groups or remove the user from groups. The Profile tab, shown in Figure 2-3, enables you to modify the following properties:

• Profile Path This is the path to the location of a user’s desktop profile. The profile stores the user’s desktop settings, such as color scheme, desktop wallpaper, and app settings (including the settings stored for the user in the registry). By default, each user who signs in has a profile folder created automatically in the C:UsersUsername folder. You can define another location here, and you can use a Universal Naming Convention (UNC) name in the form of \ServerShareFolder.

• Logon Script This is the name of a logon script that processes each time a user signs in. Typically, this will be a BAT or CMD file. You might include commands that map network drives or load apps in this script file. Assigning logon scripts in this way is not usually done. Instead, Group Policy Objects (GPOs) are used to assign logon and startup scripts for domain user accounts.

• Home Folder This is a personal storage area where users can save their personal documents. By default, users are assigned subfolders within the C:UsersUsername folder for this purpose. However, you can use either of the following two properties to specify an alternate location:

  • Local Path A local filesystem path for storage of the user’s personal files. This is entered in the format of a local drive and folder path.

  • Connect A network location mapped to the specified drive letter. This is entered in the format of a UNC name.

Using The Settings App

The preferred way to manage local accounts in Windows 10 is by using the Settings app. From Settings, select Accounts. As shown in Figure 2-4, on the Your Info tab, you can modify your account settings, including these:

• Sign in with a Microsoft account instead You can sign out and sign in using a Microsoft account.

• Create your picture You can browse for an image or take a selfie if your device has a webcam.

• Creating a Microsoft account You can create a new Microsoft account using this option.

If you need to add a new local user account, select the Family & Other Users section and then select Add Someone Else To This PC.

Windows 10 requires you to then enter that person’s email address, typically the address they use to sign in to Office 365, OneDrive, Skype, Xbox, or Outlook.com.

If you do not have the recipient’s email address, you can still add a local account by using the following procedure:

1. In the Settings app, select Accounts.

2. On the Family & other users tab, under Other users, select Add someone else to this PC.

3. In the How will this person sign in dialog box, select I don’t have this person’s sign-in information.

4. In the Create account dialog box, select Add a user without a Microsoft account.

5. On the Create an account for this PC page, type the username, enter a new password twice, provide answers to the three security questions, and then select Next to create the local account. The account is listed under Other users.

$Password = Read-Host -AsSecureString
<<Enter Password>>
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "User 3"

Built-in local groups

You can add your own groups, change group membership, rename groups, and delete groups. It is best practice to use the built-in groups wherever possible because they already have the appropriate permissions and are familiar to other administrators. Some built-in local groups are special groups that the Windows 10 system requires (and cannot be managed).

Some of the local groups created on Windows 10 devices, together with their uses, are shown in Table 2-1.

As Table 2-1 shows, Administrators group members have full permissions and privileges on a Windows 10 device. A member of the Administrators local group can perform the following tasks:

• Access any data on the computer

• Assign and manage user rights

• Back up and restore all data

• Configure audit policies

• Configure password policies

• Configure services

• Create administrative accounts

• Create administrative shares

• Increase and manage disk quotas

• Install and configure hardware device drivers

• Install applications that modify the Windows system files

• Install the operating system

• Install Windows updates, service packs, and hot fixes

• Manage disk properties, including formatting hard drives

• Manage security logs

• Modify groups and accounts that have been created by other users

• Modify systemwide environment variables

• Perform a system restore

• Reenable locked-out and disabled user accounts

• Remotely access the registry

• Remotely shut down the system

• Stop or start any service

• Upgrade the operating system

Create and delete groups

Only members of the Administrators group can manage users and groups. When creating a new group, keep in mind that the group name has to be unique on the local computer and cannot be the same as a local username that exists on the computer.

You should make the group name descriptive, and wherever possible, you include a description of the new group’s function. Group names can have up to 256 characters in length and include alphanumeric characters such as spaces, but the backslash () is not allowed.

To create a new group, follow these steps:

1. Right-click Start and select Computer Management.

2. Open the Local Users and Groups console.

3. Right-click the Groups folder and select New Group from the context menu.

4. In the New Group dialog box, enter the group name. (Optionally, you can enter a description for this group.)

5. To add group members, select the Add button.

6. In the Select Users dialog box, type the username, then select OK. In the New Group dialog box, you will see that the user has been added to the group.

7. To create the new group, select the Create button.

To delete a group from the Local Users And Groups console in Computer Management, right-click the group name and choose Delete from the context menu. You will see a warning that deleting a group cannot be undone, and you should select the Yes button to confirm the deletion of the group.

When a group is deleted, all permissions assignments that have been specified for the group will be lost.

Special identity groups

Several special identity groups (sometimes known as special groups) are used by the system or by administrators to allocate access to resources. Membership in special groups is automatic, based on criteria, and you cannot manage special groups through the Local Users And Groups console. Table 2-2 describes the special identity groups that are built into Windows 10.

Use Active Directory users

Within Active Directory (AD), there are two primary objects that you need to know: user accounts and computer accounts. These are two forms of common security principals held in AD, and they allow you to manage the account and control access to resources by the entity (a person or a computer). Within a domain you will create domain user accounts for the person in most scenarios. A domain user will use their domain username and password to sign in to any device on the domain-based network (with the correct permissions). This approach allows administrators to centrally manage user accounts across an organization rather than on each individual device, as with a workgroup environment.

Use Active Directory groups

Active Directory groups allow you to collect user accounts, computer accounts, and other groups into units that can be managed. By controlling groups of objects, administrators can manage permissions to resources at scale. It is best practice for users and other objects to be added to a group and then permissions set at the group level, rather than at the user or computer object level. This way, if a specific user or computer account joins or leaves the organization, the group membership can be dynamically updated by Active Directory. A huge amount of time and effort is therefore saved every time a personnel change occurs.

Two types of groups are available in Active Directory:

• Distribution groups Used to create email distribution lists used by email applications, such as Exchange Server, to send emails to the group membership. It is not possible to configure security permissions on distribution groups.

• Security groups Used to assign rights and permissions to objects within the group.

User rights are assigned to a security group to determine what members of that group can do using their user account. For example, you may want to add a user to the Backup Operators group in Active Directory. The user will then be granted the ability to back up and restore files and directories that are located on each file server or domain controller in the domain.

Permissions are assigned to the shared resource. Best practice is to assign the permissions to a security group and allow AD to determine who can access the resource and the level of access whenever the resource is accessed. The level of access can be fine-tuned using access control entries (ACEs), such as Full Control or Read, which are stored in the discretionary access control list (DACL) for each resource. The DACL defines the permissions on resources and objects such as file shares or printers.

Active Directory default security groups

You can use several built-in groups with Active Directory. Some commonly used security groups are shown in Table 2-3.

Understand Active Directory

A detailed knowledge of Windows Server and AD DS is outside the scope of the MD-100 exam, but you should know the difference between an on-premises environment and a cloud-based one. Active Directory Domain Services (AD DS), commonly referred to as Active Directory (AD), is a role of associated services that are installed on physical or virtual Windows servers. Simply hosting a Windows Server running the AD DS role on an Azure-based virtual machine is an example of a “lift and shift” deployment to the cloud running AD DS and does not provide an Azure Active Directory (Azure AD) environment.

Windows Server installed with the AD DS role is a complex environment that has benefited organizations for over 20 years and, as such, has many legacy components necessary to support AD feature backward compatibility. In addition to the directory service, technologies are often provisioned when you add the AD DS role to a Windows server, including:

• Active Directory Certificate Services (AD CS)

• Active Directory Lightweight Directory Services (AD LDS)

• Active Directory Federation Services (AD FS)

• Active Directory Rights Management Services (AD RMS)

Active Directory Domain Services has the following characteristics (which are not shared by Azure AD):

• AD DS is a true directory service, with a hierarchical X.500-based structure.

• AD DS uses Domain Name System (DNS) for locating resources.

• You can query and manage AD DS using Lightweight Directory Access Protocol (LDAP).

• The Kerberos protocol is primarily used for AD DS authentication.

• Computer objects represent computers that join an Active Directory domain.

• You can manage objects stored in the directory using organizational units (OUs) and Group Policy Objects (GPOs).

• You can establish trusts between domains for delegated management.

Understand device management

Once devices are managed by Azure Active Directory (Azure AD), you can ensure that your users are accessing your corporate resources from devices that meet your standards for security and compliance. To protect devices and resources using Azure AD, users must be allowed to have their Windows 10 devices managed by Azure AD.

Azure AD is a cloud-based identity authentication and authorization service that enables your users to enjoy the benefits of single sign-on (SSO) for cloud-based applications, such as Office 365. Users can easily join their devices to your organization’s Azure AD once you have enabled device joining in the Azure Active Directory Admin Center.

When you are joining devices to an on-premises domain environment, the types of devices that you can join to the domain are quite restrictive; devices, for example, must be running a supported operating system. This means that any users who have devices running Windows 10 Home editions cannot join the company’s on-premises domain. However, Azure AD is less restrictive in this respect; you can add to Azure AD almost any tablet, laptop, smartphone, and desktop computer running a variety of platforms. When you enable users to add their devices to Azure AD, you will manage their enrolled devices by using a mobile device management solution, such as Microsoft Intune, which allows you to manage and provision your users’ devices.

Devices can be managed by Azure AD using two methods:

• Joining a device to Azure AD

• Registering a device to Azure AD

Configure device management

Device management requires configuration to ensure that when your users attempt Device Registration, the process will not fail. By default, the setting is enabled, and it allows all Windows 10 devices that present valid credentials to be managed by your Azure AD.

The Azure portal provides a cloud-based location to manage your devices. To allow registration of devices into Azure AD, follow these steps:

1. Sign in as an administrator to the Azure portal at https://portal.azure.com.

2. On the left navigation bar, select Azure Active Directory.

3. In the Manage section, select Devices.

4. Select Device settings.

5. On the Device settings blade, ensure that Users may join devices to Azure AD is set to All, as shown in Figure 2-6. If you choose Selected, then select the Selected link and choose the users who can join Azure AD. You can select both individual users and groups of users.

   

6. Select Save.

Within the Azure AD portal, you can fine-tune the process of registering and joining devices by configuring the device settings as listed in Table 2-4.

Connect devices to Azure AD

Once the prerequisites have been configured to allow the Device Registration service to take place, you are able to connect devices to Azure AD.

There are three ways to connect a Windows 10 device to Azure AD:

• Joining a new Windows 10 device to Azure AD

• Joining an existing Windows 10 device to Azure AD

• Registering a Windows 10 device to Azure AD

In this section, you will learn the steps required for each method of connecting Windows 10 to Azure AD.

Join An Existing Windows 10 Device To Azure Ad

In this method, we will take an existing Windows 10 device and join it to Azure AD. You can join a Windows 10 device to Azure AD at any time. Use the following procedure to join the device:

1. Open the Settings app and then select Accounts.

2. In Accounts, select the Access work or school tab.

3. Select Connect.

4. On the Set up a work or school account page, under Alternate actions, select Join this device to Azure Active Directory, as shown in Figure 2-7.

   

5. On the Microsoft account page, enter your email address and select Next.

6. On the Enter password page, enter your password and select Sign In.

7. On the Make sure this is your organization page, confirm that the details on screen are correct and select Join.

8. On the You’re all set! page, select Done.

9. To verify that your device is connected to your organization or school, check that your Azure AD email address is listed under the Connect button, indicating that it is connected to Azure AD.

If you have access to the Azure Active Directory portal, then you can validate that the device is joined to Azure AD by following these steps:

1. Sign in as an administrator to the Azure portal at https://portal.azure.com.

2. On the left navigation bar, select Azure Active Directory.

3. In the Manage section, select Devices > All devices.

4. Verify that the device is listed, as shown in Figure 2-8.

Enroll devices into Microsoft 365

Microsoft 365 is a bundled subscription that includes Office 365, Windows 10, and Enterprise Mobility + Security. Microsoft 365 comes in three primary bundles:

• Microsoft 365 Business Premium For small and medium-sized organizations up to 300 users

• Microsoft 365 Enterprise For organizations of any size

• Microsoft 365 Education For educational establishments

With Microsoft 365, you use Azure Active Directory for your identity and authentication requirements, and you can (and should) enroll Windows 10 into device management so that your users can gain access to corporate resources. Once devices are joined to your Microsoft 365 tenant, Windows 10 becomes fully integrated with the cloud-based services offered by Office 365 and Enterprise Mobility + Security. Microsoft 365 supports other platforms, including Android and iOS, which can also be managed as mobile devices. However, only Windows 10 devices can be joined to Azure AD.

Enroll Devices Into Microsoft 365 Business

When you enroll Windows devices into Microsoft 365 Business, they must be running Windows 10 Pro, version 1703 (Creators Update) or later. If you have any Windows devices running Windows 7 Professional, Windows 8 Pro, or Windows 8.1 Pro, the Microsoft 365 Business subscription entitles you to upgrade them to Windows 10 Pro.

Microsoft 365 Business includes a set of device-management capabilities powered by Microsoft Endpoint Manager. Microsoft 365 Business offers organizations a simplified management console that provides access to a limited number of device management tasks, including the following:

• Deploy Windows with Autopilot

• Remove company data

• Factory reset

• Manage office deployment

To enroll a brand-new device running Windows 10 Pro into Microsoft 365 Business, known as a “user-driven enrollment,” follow these steps:

1. Go through Windows 10 device setup until you get to the How would you like to set up? page, as shown in Figure 2-9.

   

2. Choose Set up for an organization and then enter your username and password for your Microsoft 365 Business Premium subscription (the new user account, not the tenant admin account).

3. Complete the remainder of the Windows 10 device setup.

4. The device will be registered and joined to your organization’s Azure AD, and you will be presented with the desktop. You can verify the device is connected to Azure AD by opening the Settings app and clicking Accounts.

5. On the Your Info page, select Access Work or School.

6. You should see that the device is connected to your organization. Select your organization name to show the Info and Disconnect buttons.

7. Select Info to see that your device is managed by your organization and to view your device sync status.

8. To verify that the device has been granted a Windows 10 Business license, select the Home icon, select System, and then select About.

9. In the Windows specifications section, the Windows Edition shows Windows 10 Business, as shown in Figure 2-10.

Although there is no link to Microsoft Intune within the Microsoft 365 Business Admin Center, the subscription includes the use of the full MDM capabilities for iOS, Android, macOS, and other cross-platform device management. To access the Microsoft Endpoint Manager admin center, launch a browser and sign in with your Microsoft 365 Business Premium credentials at https://endpoint.microsoft.com.

To access Intune App Protection in the Azure portal and view the app protection settings for managed Windows 10, Android, and iOS devices, follow these steps:

1. Sign in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com with your Microsoft 365 Business admin credentials.

2. In the left navigation bar, select Apps.

3. In the Apps blade, select App protection policies.

4. You can now select Create policy from the menu and configure App Protection Policies.

Enroll Devices Into Microsoft 365 Enterprise

Microsoft 365 Enterprise plans can be chosen by larger organizations with more than 300 users or businesses of any size that require access to the increased levels of compliance and security management over Microsoft 365 Business Premium.

The Microsoft 365 Enterprise solution includes additional functionality, such as business intelligence, analytics tools, and access to the Microsoft Endpoint Manager from the Microsoft 365 Admin Center for device and app management.

When enrolling devices into Microsoft 365 Enterprise, those devices must be running Windows 10 Enterprise, version 1703 (Creators Update) or later. Devices running an earlier version of Windows can be upgraded to Windows 10 Enterprise as part of the Microsoft 365 Enterprise licensing.

Users can perform an Azure AD join using the user-driven enrollment method shown in the previous section to enroll their devices into management. Enrollment can happen during Out-of-Box Experience (OOBE) or after a Windows profile has already been set up. To enroll a device once a user has already set up a Windows user profile, follow the steps outlined in the “Join a new Windows 10 device to Azure AD” section of this skill.

If you want to enroll a large number of devices in an enterprise scenario, you can use the Device Enrollment Manager (DEM) account in Microsoft Intune. The DEM is a special account in Microsoft Endpoint Manager that allows you to enroll up to a maximum of 1,000 devices. (By default, standard users can manage and enroll up to five devices.) For security reasons, the DEM user should not also be an Intune administrator. Each enrolled device will require a single Intune license, but the DEM user does not require an Intune license. You can have a maximum of 150 DEM accounts in Microsoft Intune.

By default, there is no device enrollment account user present in Microsoft Intune. You can create a device enrollment account by performing the following steps:

1. Sign in to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com with your Microsoft 365 Enterprise admin credentials.

2. In the left navigation bar, select Devices, and then under Device enrollment, choose Enroll devices.

3. In the left navigation bar, select Device enrollment managers.

4. Select Add.

5. On the Add user blade, enter the username for the DEM user and select Add. The user is promoted to the DEM role.

6. Close the Add user blade.

7. The Device enrollment managers list now contains the new user, as shown in Figure 2-11.

Need More Review? Enroll Devices Using Device Enrollment Manager

For more information on the DEM in Microsoft Intune, including example scenarios and limitations of devices that are enrolled with a DEM account, visit https://docs.microsoft.com/intune/device-enrollment-manager-enroll.

View and manage devices in Microsoft 365

Microsoft 365 Business Premium subscription administrators can manage their enrolled devices directly from the Microsoft 365 Admin Center screen using the Enroll Devices tile, as shown in Figure 2-12. On the Microsoft 365 Admin Center portal screen, both the Device Enrollment link on the Enroll Devices tile and the Endpoint Manager option (under Admin Centers) will open the stand-alone Microsoft Endpoint Manager admin center This portal can also be accessed at https://endpoint.microsoft.com/#home.

You can perform the following device-related actions on devices from within the Devices section on the navigation bar:

• Active Devices Includes viewing device details and managing device actions such as Factory Reset, Remove Company Data, and Remove Device.

• AutoPilot Includes adding new devices to be deployed with the Windows AutoPilot service and managing Windows AutoPilot profiles that can be applied to devices.

• Policies Includes managing existing policies and assigning policies to groups; adding new application policies to Android, iOS, and Windows 10 devices; and adding new device configuration policies to Windows 10 devices.

Organizations with a Microsoft 365 Enterprise subscription cannot view or manage devices from the Microsoft 365 Enterprise Admin Center and will need to use the following locations:

• Azure Active Directory https://aad.portal.azure.com

• Microsoft Endpoint Manager admin center https://endpoint.microsoft.com

From these views, you can manage and interact with the devices enrolled in your Azure AD tenant, including retiring or wiping a device. Also, you can perform remote tasks, such as retiring, wiping, or restarting the device, as shown in Figure 2-13.

Configure Microsoft accounts

A Microsoft account (previously called Windows Live ID) provides you with an identity that you can use to securely sign in on multiple devices and access cloud services. You can also use the account to synchronize your personal settings between your Windows-based devices.

If Windows 10 detects an internet connection during setup, you are prompted to specify your Microsoft account details, though you can skip this step and create a local account instead. You can link your Microsoft account to a local or AD DS domain account after setup is complete.

Microsoft accounts are primarily for consumer use. Domain users can benefit by using their personal Microsoft accounts in your enterprise, though there are no methods provided by Microsoft to provision Microsoft accounts within an enterprise. After you connect your Microsoft account to Windows 10, you can:

• Access and share photos, documents, and other files from sites such as OneDrive, Outlook.com, Facebook, and Flickr.

• Integrate social media services; contact information and status for your users’ friends and associates are automatically obtained from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn.

• Download and install Microsoft Store apps.

• Perform app synchronization with Microsoft Store apps. After user sign-in, when an app is installed, any user-specific settings are automatically downloaded and applied.

• Sync your app settings between devices that are linked to your Microsoft account.

• Use single sign-on with credentials roaming across any devices running Windows 10, Windows 8.1, Windows 8, or Windows RT.

If Microsoft accounts are allowed in an enterprise environment, you should note that only the owner of the Microsoft account is able to change the password. A user can perform a password reset in the Microsoft account sign-in portal at https://account.microsoft.com.

Understand multifactor authentication

Traditional computer authentication is based on users providing a name and a password. This allows an authentication authority to validate the exchange and grant access. Although password-based authentication is acceptable in many circumstances, Windows 10 provides a number of additional, more secure methods for users to authenticate with their devices, including multifactor authentication (also referred to as two-factor authentication).

Multifactor authentication is based on the principle that users who wish to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, and they must be something. For example, a user might know a password, possess a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints.

Explore Biometrics

Biometrics, like a fingerprint, provides more secure and, often, more convenient methods for both users and administrators to be identified and verified. Windows 10 includes native support for biometrics through the Windows Biometric Framework (WBF), and when used as part of a multifactor authentication plan, biometrics is increasingly replacing passwords in modern workplaces.

Biometric information is obtained from the individual and stored as a biometric sample, which is then securely saved in a template and mapped to a specific user. To capture a person’s fingerprint, you can use a fingerprint reader (you “enroll” the user when configuring this). Also, you can use a person’s face, her retina, or even her voice. The Windows Biometric service can be extended to also include behavioral traits such as body gait and typing rhythm.

Windows includes several Group Policy settings related to biometrics, as shown in Figure 2-14, that you can use to allow or block the use of biometrics from your devices. You can find Group Policy Objects here: Computer ConfigurationAdministrative TemplatesWindows ComponentsBiometrics.

Configure Windows Hello and Windows Hello for Business

Windows Hello is a two-factor biometric authentication mechanism built into Windows 10, and it is unique to the device on which it is set up. Windows Hello allows users to unlock their devices by using facial recognition, fingerprint scanning, or a PIN.

Windows Hello for Business is the enterprise implementation of Windows Hello and allows users to authenticate to an Active Directory or Azure Active Directory account, and it enables them to access network resources. Administrators can configure Windows Hello for Business using Group Policy or mobile device management (MDM) policy and use asymmetric (public/private key) or certificate-based authentication.

Windows Hello provides the following benefits:

• Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites, which reduces security. Windows Hello allows them to authenticate using their biometric data.

• Passwords are vulnerable to replay attacks, and server breaches can expose password-based credentials.

• Passwords offer less security because users can inadvertently expose their passwords as a result of phishing attacks.

• Windows Hello helps protect against credential theft. Because a malicious person must have both the device and the biometric information or PIN, it becomes more difficult to hack the authentication process.

• Windows Hello can be used both in cloud-only and hybrid deployment scenarios.

• Windows Hello logs you into your devices three times faster than a password.

If you want to implement Windows Hello, your devices must be equipped with the appropriate hardware. For example, facial recognition requires that you use special cameras that see in infrared (IR) light. These can be external cameras or cameras incorporated into the device. The cameras can reliably tell the difference between a photograph or scan and a living person. For fingerprint recognition, your devices must be equipped with fingerprint readers, which can be external or integrated into laptops or USB keyboards.

If you have previously experienced poor reliability from legacy fingerprint readers, you should review the current generation of sensors, which offer significantly better reliability and are less error-prone.

After you have installed the necessary hardware devices, you can set up Windows Hello by openings Settings, selecting Accounts, and then, on the Sign-In Options page, under Windows Hello, reviewing the options for face or fingerprint. If you do not have Windows Hello–supported hardware, the Windows Hello section does not appear on the Sign-In Options page.

To configure Windows Hello, follow these steps:

1. Open the Settings app and select Accounts.

2. On the Accounts page, select Sign-in options.

3. Under Windows Hello Face, select Set up.

4. Select Get started on the Windows Hello setup page.

5. Enter your PIN or password to verify your identity.

6. Allow Windows Hello to capture your facial features, as shown in Figure 2-15.

   

7. Once Windows Hello has captured your facial features, you are presented with an All Set! message and you can close the Windows Hello setup page.

Users can use Windows Hello for a convenient and secure sign-in method that is tied to the device on which it is set up.

Enterprises that want to enable Windows Hello can configure and manage Windows Hello for Business. Windows Hello for Business uses key-based or certificate-based authentication for users by using Group Policy or MDM policy, or a mixture of both methods.

Configure PIN

To avoid authentication with passwords, Microsoft provides an authentication method that uses a PIN. When you set up Windows Hello, you’re asked to create a PIN first. This PIN enables you to sign in using the PIN as an alternative to when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly. The PIN provides the same level of protection as Windows Hello.

Windows Hello PIN provides secure authentication without sending a password to an authenticating authority, such as Azure AD or an AD DS domain controller. Windows Hello for Business provides enterprises with compliance with the new FIDO 2.0 (Fast IDentity Online) framework for end-to-end multifactor authentication.

Within a domain environment, a user cannot use a PIN on its own (known as a convenience PIN). You will see from the user interface shown in Figure 2-16 that the PIN settings are known as the Windows Hello PIN. A user must first configure Windows Hello and already be signed in using a local account, a domain account, a Microsoft account, or an Azure AD account. The user is then able to set up PIN authentication that is associated with the credential for the account.

After a user has completed the registration process, Windows Hello for Business generates a new public-private key pair on the device known as a protector key. If installed on the device, the Trusted Platform Module (TPM) generates and stores this protector key; if the device does not have a TPM, Windows encrypts the protector key and stores it on the file system. Windows Hello for Business also generates an administrative key that is used to reset credentials if necessary.

The user now has a PIN defined on the device and an associated protector key for that PIN gesture. The user can now securely sign in to their device using the PIN and then add support for a biometric gesture as an alternative for the PIN. The gesture can be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned in the previous section. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and stores it securely. The user can then sign in using the PIN or a biometric gesture.

You can use MDM policies or GPOs to configure settings for Windows Hello for Business in your organization. For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy.

To configure Windows Hello for Business in your organization, you use the appropriate GPOs within the following location:

Computer ConfigurationPoliciesAdministrative TemplatesWindows Components Windows Hello for Business

To configure PIN complexity with Windows 10 (with and without Windows Hello for Business), you can use the eight PIN Complexity Group Policy settings, which allow you to control PIN creation and management.

These policy settings can be deployed to computers or users. If you deploy settings to both, then the user policy settings have precedence over computer policy settings and GPO conflict resolution is based on the last applied policy. The policy settings included are:

• Require digits

• Require lowercase letters

• Maximum PIN length

• Minimum PIN length

• Expiration

• History

• Require special characters

• Require uppercase letters

In Windows 10, version 1703 and later, the PIN complexity Group Policy settings are located at Administrative TemplatesSystemPIN Complexity under both the Computer and User Configuration nodes.

If an organization is not using Windows Hello for Business, they can still use the option to set a convenience PIN. A convenience PIN is very different from a Windows Hello for Business PIN because it is merely a wrapper for the user’s domain password. This means that the user’s password is cached and replaced by Windows when signing in with a convenience PIN.

Since the Anniversary release (Windows 10, version 1607), the option to allow a convenience PIN is disabled by default for domain-joined clients. To modify the option to sign in with the convenience PIN, you can use the Turn On Convenience PIN Sign-In GPO at Group PolicyComputer ConfigurationAdministrative TemplatesSystemLogon.

Configure picture password

A picture password is another way to sign in to a computer. This feature does not use Windows Hello or Windows Hello for Business, and therefore, it is not available to be used within a domain-based environment.

You sign in to a touch-enabled device by using a series of three movements consisting of lines, circles, and/or taps. You can pick any picture you want and provide a convenient method of signing in to touch-enabled, stand-alone devices. Picture password combinations are limitless because the pictures that can be used are limitless. Although picture passwords are considered more secure for stand-alone computers than typing a four-digit PIN, a hacker may be able to guess their way into a device by holding the screen up to a light to see where most of the gestures are (by following the smudges on the screen). This is especially true if the user touches the screen only to input the password and rarely uses touch for anything else.

To create a picture password, follow these steps:

1. Open the Settings app and select Accounts.

2. Select Sign-in options.

3. Under Picture password, select Add.

4. Enter your current account password and select Choose picture to browse to and select the picture to use.

5. Adjust the position of the picture and select Use this picture.

6. Draw three gestures directly on your screen. Remember that the size, position, and direction of the gestures are stored as part of the picture password.

7. You are prompted to repeat your gestures. If your repeated gestures match, select Finish.

There is only one GPO relating to this feature. To disable Picture Password using Local Group Policy, you can use the Turn Off Picture Password Sign-In GPO in the following location:

Computer ConfigurationAdministrative TemplatesSystemLogon

Configure Dynamic Lock

Users with smartphones can take advantage of Dynamic Lock, which was introduced with the Creators Update for Windows 10. Dynamic Lock allows users to automatically lock their devices whenever they are not using them. (As of this writing, the iPhone does not support this feature.)

The Dynamic Lock feature relies on a Bluetooth link between your PC and the paired smartphone.

To configure Windows 10 Dynamic Lock, use the following steps:

1. Open the Settings app and select Accounts.

2. Select Sign-in options and scroll to Dynamic lock.

3. Select Allow Windows to detect when you’re away and automatically lock the device.

4. Select Bluetooth & other devices.

5. Add your smartphone using Bluetooth and pair it.

6. Return to the Dynamic lock page and you should see your connected phone, as shown in Figure 2-17. Your device will be automatically locked whenever Windows detects that your connected smartphone has moved away from your desk for 30 seconds.

You can configure Dynamic Lock functionality for your devices using the Configure Dynamic Lock Factors GPO. You can locate the policy setting at Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Hello for Business.

Understand the registry structure

The registry is a database that is split into multiple separate files known as hives, together with associated log and other support files.

You can find the registry files located in %systemroot%System32Config, though you will need to be an administrator to access this folder. Within this system folder, you should find several binary format “files” that the registry uses:

• SAM (Security Accounts Manager used to store local passwords)

• SECURITY

• SOFTWARE

• SYSTEM

• DEFAULT

• USERDIFF (used only for Windows upgrades)

In addition to the system files, the user-specific settings stored within the user profile are loaded into system memory when a user signs in. These registry files are located in the following locations:

• %userprofile% tuser.dat

• %userprofile%AppDataLocalMicrosoftWindowsUsrClass.dat

Other notable registry files include the Boot Configuration Data (BCD) store, which stores its own file on the boot drive. The local services are located in %SystemRoot% ServiceProfilesLocalService and network services are stored in %SystemRoot% ServiceProfilesNetworkService.

The vast majority of changes to the hive files are made automatically by Windows whenever you install an application or change a setting or configuration by using the Settings app or Control Panel,

The main hives, or subtrees, that store settings for Windows 10 are shown in Table 2-5.

Should you need to make a manual change, create a new entry, or modify an existing registry entry, these will typically take place in the following two hives:

• HKEY_LOCAL_MACHINE

• HKEY_CURRENT_USER

The primary tool for managing and editing the registry is the built-in registry editor.

Within the hives, settings containing values are stored in subtrees, keys, and subkeys. The hierarchical nature of the registry makes it easy to locate a registry value. Here is an example of a key, subkeys, and value:

Click here to view code image

ComputerHKEY_CURRENT_USERControl PanelMouse

This key holds many subkeys, which Windows uses to store settings for the mouse.

The mouse settings can be modified in the registry, as shown in Figure 2-18, or by using the Mouse item within Control Panel. If you enable mouse pointer trails in Control Panel, the registry subkey for MouseTrails is modified to have a value of 7.

Values are stored within each key and subkey that are used to configure the operating system. Several value types are used to store information such as numerical data, text, and variables such as file paths. Often a value is empty or not defined, as shown in the (Default) subkey in Figure 2-18, which shows (value not set). Table 2-6 lists common types of registry values.

Understand the Registry Editor

The built-in Registry Editor (Regedit.exe) allows you to view, search, and modify the registry’s contents. Some common tasks that administrators can perform using the Registry Editor tool are as follows:

• Search the registry for a value, value name, subkey, or key

• Create, delete, and modify keys, subkeys, and values

• Import entries into the registry from an external (REG) file

• Export entries from the registry into an external (REG) file

• Back up the entire registry

• Manage the HKEY_LOCAL_MACHINE and HKEY_USERS registry hives on a remote computer

You can also import registry keys and values directly into the registry using a text file with the .reg extension.

All REG files will use the following syntax for Registry Editor to understand them:

Click here to view code image

Windows Registry Editor Version 5.00
[<Hive name><Key name><Subkey name>]
"Value name"=<Value type>:<Value data>

Because REG files are associated with the registry, executing a REG file will merge it with—or import it to—the local Windows Registry. The contents of the REG file will add, delete, or modify one or more keys or values in the registry. Depending on the changes contained within the REG file, you might need to restart your computer after the changes have been made.

You can also use the Import option on the File menu within the Registry Editor to import the settings, or you can use the command line with a script similar to the following example:

Click here to view code image

regedit /s C:\Registry\regsetting.reg > nul

Use PowerShell to manage registry settings

The registry can be accessed directly using Windows PowerShell. The registry provider within PowerShell displays the registry like a file system, displaying the keys and subkeys as subfolders within a registry hive.

Windows PowerShell uses the abbreviated form of the hive nomenclature where the HKEY_LOCAL_MACHINE hive becomes HKLM and HKEY_LOCAL_USER becomes HKLU.

To view the registry using Windows PowerShell, open an elevated Windows PowerShell command prompt and then type the following, pressing Enter after each line:

Click here to view code image

Get-ChildItem -Path hklm: 
Dir

You can also obtain a richer output by using this PowerShell command:

Click here to view code image

Get-Childitem -ErrorAction SilentlyContinue | Format-Table Name, SubKeyCount, ValueCount
-AutoSize

To create a new registry key, you can first use the Set-Location cmdlet to change to the appropriate registry subtree and key as shown here:

Click here to view code image

Set-Location "HKCU:Software"

Alternatively, you can use the full path to the registry key in the cmdlet as follows:

Click here to view code image

New-Item -Path HKCU:Software -Name "Demonstration" –Force

Use the following cmdlet to assign the new registry key a value of “demo”:

Click here to view code image

Set-Item -Path HKCU:SoftwareDemonstration -Value "demo"

To validate that the key value has been stored correctly, view the key in the registry, or enter the following:

Click here to view code image

Get-Item -Path HKCU:SoftwareDemonstration

Configure a password policy

On a local device, if you want to ensure that all users use secure passwords and that the passwords are changed after a set number of days, you can configure a password policy as follows:

1. Log on to Windows 10 with administrative privileges.

2. Select Start and search for Secpol.msc.

3. Select the Secpol.msc link to open the Local Security Policy editor.

4. Expand Account Policies and select Password Policy.

5. Select Enforce password history. You can now enter a value that represents the number of unique new passwords that a user account must have used before an old password can be reused.

6. Enter 5 and select OK to set this policy.

7. Double-click Maximum password age. The default setting is 42, which allows a user to use their password over a 42-day period before they are forced to change it. The best practice is to have passwords expire every 30 to 90 days.

8. Enter 90 and select OK.

9. Double-click Minimum password age. The default setting is 0 days, which allows users to change their passwords whenever they like. A setting of 14 days prevents users from changing their password in rapid succession to bypass the password history setting.

10. Enter 14 and select OK.

11. Double-click Minimum password length. The default is set to 0 characters. A setting of 8 would require that a password must be at least 8 characters long.

12. Enter 8 and select OK.

13. Double-click Password must meet complexity requirements. This setting is disabled by default. Once set to enabled, all passwords need to be complex.

14. Double-click Store passwords using reversible encryption. The default is disabled. If you enable this policy, all passwords are stored in a way that all applications are able access the password, which also makes them vulnerable to hackers to access.

15. Close the Local Security Policy editor.

The changes relating to local passwords become effective immediately once the policy is configured. Users with existing passwords can continue to use them until they need to be changed. The next time a user changes their password, the new password will need to conform with the settings in the Password Policy.

Configure an account lockout policy

When you implement a strong password policy, it is recommended that you also configure an account lockout policy, which helps to protect accounts from password-cracking tools, which can attempt thousands of different passwords every hour in the hope that they succeed. Within a local environment, even an employee can try to guess a password to gain access to a system.

This brute-force attack on a system cannot be prevented. However, you can implement measures within the account lockout policy that monitor incorrect attempts to log in to a local device. If a brute-force attack is suspected (for example, five incorrect passwords are entered in quick succession), then the account can be locked for a period of time.

To define that lockout policy, use the following steps:

1. Log on to Windows 10 with administrative privileges.

2. Select Start and search for Secpol.msc.

3. Select the Secpol.msc link to open the Local Security Policy editor.

4. Expand Account Policies and select Account Lockout Policy.

5. Double-click Account lockout threshold, enter 3, and select OK.

6. When the Account lockout threshold has been set, Windows suggests two other settings:

   • Account lockout duration This setting specifies how long, in minutes, the user account will remain locked once the threshold has been reached.

   • Reset account lockout counter after This setting specifies how long, in minutes, before the count of incorrect passwords entered is set back to 0.

7. Leave these settings as recommended and select OK.

Configure local policy

Local policies are used to control users once they have logged on and gained access to a system. You can configure policies that implement auditing, specify user rights, and set security options.

Audit policy

Audit policies are used to track specified user actions on a device. These actions are recorded as a success or a failure, such as accessing a file or being blocked from printing a document. Auditing is costly because system resources are required to constantly monitor a system and record actions to the audit logs. Audit settings can generate many log items, and this may impede a computer’s performance. Therefore, you should use auditing on selective actions and turn off the feature when it is no longer required.

Auditing allows you to create a history of specific tasks and actions, such as file access (Audit Object Access policy), user account deletion (Audit Account Management) or successful logon attempts (Audit Account Logon Events). Often, auditing is used to identify security violations that arise; security violations could include, for example, when users attempt to access system management tasks or files within File Explorer for which they do not have permission. In this example, failed attempts to access resources will be logged in the audit log, with details of the user account, time, and details of the resources for which access was denied because of insufficient privileges.

Configuring audit policy involves three components:

• Enable auditing within Local Policies for success or failure (or both) for specific events or actions.

• For object access, such as file system files and folders, enable auditing on the objects to be audited.

• Use Event Viewer to view the results of the audit in the security log.

To view the various settings that can be configured using audit policy, view the audit policy options in Table 2-7.

To configure an audit policy to monitor account logon events, use these steps:

1. Log on to Windows 10 with administrative privileges.

2. Select Start and search for Secpol.msc.

3. Select the Secpol.msc link to open the Local Security Policy editor.

4. Expand Local Policies and select Audit Policy.

5. Double-click the Audit account logon events policy and select Success and Failure.

6. Select OK.

7. Log off the device and attempt to log back on as an administrator, but use an incorrect password. Allow the logon to fail.

8. Log on as an administrator using the correct password.

9. Select Start and search for Event Viewer.

10. Select the Event Viewer app to open the Event Viewer.

11. Expand Windows Logs and select the Security Log. You should see the audited events listed with an Event ID of 4624 and a Task Category of Logon, as shown in Figure 2-20.

User rights assignment

The user rights policies are used to determine what rights a user or group of users have on a device. Often, there is confusion between rights and permissions, and you should be clear that user rights, or privileges, apply to the system and relate to activities or tasks that the user can perform.

Here are some of the activities that you can grant to a user:

• Add Workstations To Domain

• Allow Log On Locally

• Allow Log On Through Remote Desktop Services

• Back Up Files And Directories

• Change The System Time

• Deny Log On Locally

• Shut Down The System

• Take Ownership Of Files Or Other Objects

To configure a user to have the right to perform a backup of a device, use the following steps:

1. Log on to Windows 10 with administrative privileges.

2. Select Start and search for Secpol.msc.

3. Select the Secpol.msc link to open the Local Security Policy editor.

4. Expand Local Policies and select User Rights Assignment.

5. Double-click the user right Back up files and directories.

6. Select Add User or Group. The Select Users or Groups dialog box appears.

7. Enter the name of the user or group to which you want to grant the right or select the Advanced button and then select Find Now. Select the user or group of users within the list.

8. Select OK.

9. Select OK in the Select Users or Groups dialog box.

10. In the Back Up Files and Directories properties dialog box, select OK.

Remember, a right authorizes a user to perform specific actions on a device, such as logging on to a computer interactively or backing up files and directories on a system. Before leaving this section, you should review the list of user rights policies, which can be found within the User Rights Assignment node of the Local Policies.

Security Options

The Security Options section of the local policies includes many options, which are used to allow or restrict activities on the device.

Here are some of the activities that you can configure with Security Options:

• Accounts Block Microsoft Accounts

• Interactive Logon Do Not Require CTRL+ALT+DEL

• Interactive Logon Don’t Display Username At Sign-In

• User Account Control Admin Approval Mode For Built-In Administrator Account

Nearly all the several dozen settings have their default settings set to Not Defined. Once configured, a setting can have the following statuses:

• Enabled or Disabled

• Text entry (For example, a user account name, or a system path)

• Value (For example, the number of previous logons to cache for when a domain controller is not available)

One area of the Security Options that you should pay attention to is the User Account Control (UAC) settings. We will cover UAC in detail in the next skill, but you should note that you can configure UAC using policy settings in this area of Local Policy.

Group Policy settings

When you configure a Group Policy setting, you are configuring a specific change to apply to an object (something configurable such as a device, a user, or a printer) that is held within AD DS. Group Policy has thousands of configurable settings. Nearly every aspect of Windows 10 can be modified by Group Policy, such as the Edge browser, the firewall, users’ rights, and security settings. Group Policy also allows IT administrators to configure settings in older versions of Windows Server and Windows operating systems, and therefore the number of GPOs has grown with each new version of Windows. Only settings that are compatible with the device receiving the policy will be applied, and if a device is configured with an older Group Policy setting, then the Group Policy setting will be ignored.

Most Group Policy settings have three states that can be configured:

• Not Configured The GPO does not modify the existing configuration of the setting for the user or computer.

• Enabled The GPO applies the policy setting.

• Disabled The GPO reverses the policy setting.

By default, most Group Policy settings are set to Not Configured.

Group Policy Management Editor

The Group Policy Management Editor is the tool that enables you to view and configure the individual Group Policy settings on a Windows 10 device. GPOs are organized in a hierarchy as shown here:

Computer Configuration Settings These settings modify the HKEY_LOCAL_MACHINE hive of the registry.

User Configuration Settings These settings modify the HKEY_CURRENT_USER hive of the registry.

These top-level settings each have three areas of configuration, as described in Table 2-8.

IT administrators use the Group Policy Management Console to the configure GPOs that are then managed by AD DS. An IT administrator or local administrator can manage individual devices using the Local Group Policy Editor. To open the Local Group Policy Editor, follow these steps:

1. Select Start and enter gpedit.msc.

2. Select Edit Group Policy to launch the Local Group Policy editor.

Even if a device is managed using GPOs within an AD DS environment, each device will also have the default local policy. This local GPO is the least influential of all GPOs and any settings can be overwritten by GPOs that are created at higher levels within the environment such as a site, domain, or organizational unit (OU). You should be careful when using GPOs because misconfiguring a GPO can lock you out of specific apps or even the device itself.

Troubleshooting tools

You can use many tools to investigate GPO-related issues, including the Resultant Set of Policy (RSoP.msc) tool within the GUI and Group Policy Result (GPResult) from the command line.

Gpresult

The GPResult command-line tool provides a powerful method of verifying what Group Policy Objects are applied to a user or computer. The tool creates a report that displays the GPOs that have been applied to a system and separates the results into the user and computer settings.

Follow these steps to display all GPOs that have been applied to a system:

1. Log on to Windows 10 with administrative privileges.

2. Right-click Start and select Windows PowerShell (Admin).

3. Confirm the User Account Control warning, if prompted.

4. Type gpresult /r and press Enter. You should see the RSoP data for your logged-in user and device.

The output of the gpresult /r command will display information such as the following:

• The applied GPO(s) name(s)

• Order of GPO application

• GPO details and the last time Group Policy was applied

• Domain and domain functional level

• Which domain controller issued the GPO

• Network speed link threshold

• Which security groups the user and computer are a member of

• Details of GPO filtering

You can fine-tune the report to select only the user or computer GPOs by limiting the command scope as follows:

• If you don’t want to see both user and computer GPOs, then you can use the scope option to specify a user or computer.

• To display GPOs applied to a specific user:

  gpresult /r /scope:user

• To display GPOs applied to a specific computer:

  gpresult /r /scope:computer

• To display GPOs applied on a remote computer, you can use this command:

  gpresult /s Laptop123 /r

• To generate an HTML report of the GPResult, as shown in Figure 2-21, you can use this command:

  gpresult /h c:GPOreport.html

Standard users

Except for administrators, all users are standard users with few privileges and limited ability to make changes to the system, such as installing software or modifying the date and time. Standard user accounts are described as “operating with least privilege.” Here is a list of system tasks that a standard user can perform:

• Change the desktop background and modify display settings

• View firewall settings

• Change the time zone

• Add a printer

• Change their own user account password

• Configure accessibility options

• Configure power options

• Connect to a wireless or LAN connection

• Install drivers, either from Windows Update or those that are supplied with Windows 10

• Install updates by using Windows Update

• Use Remote Desktop to connect to another computer

• Pair and configure a Bluetooth device with the device

• Perform other troubleshooting, network diagnostic, and repair tasks

• Play CD/DVD media

• Restore own files from File History

• View most settings, although elevated permissions will be required when attempting to change Windows settings

UAC prevents you from making unauthorized or hidden (possibly malware-initiated) changes to your system that require administrator-level permissions. A UAC elevation prompt is displayed to notify you, as follows:

• Prompt For Consent This is displayed to administrators in Admin Approval Mode whenever an administrative task is requested. Select Yes to continue if you consent.

• Prompt For Credentials This is displayed if you are a standard user attempting to perform an administrative task. An administrator needs to enter their password into the UAC prompt to continue.

When an administrator provides permissions to a standard user via a UAC prompt, the permissions are only temporarily operative, and the permissions are returned to a standard user level once the isolated task has finished.

Standard users can become frustrated when they are presented with the UAC prompt, and Microsoft has reduced the frequency and necessity for elevation. Following are some common scenarios wherein a standard user would be prompted by UAC to provide administrative privileges. You will see that they are not necessarily daily tasks for most users:

• Add or remove a user account

• Browse to another user’s directory

• Change user account types

• Change Windows Defender Firewall settings

• Configure Windows Update settings

• Install a driver for a device not included in Windows or Windows Update

• Install ActiveX controls

• Install or uninstall applications

• Modify UAC settings

• Move or copy files to the Program Files or Windows folders

• Restore system backup files

• Schedule automated tasks

Administrative users

Administrative users need to be limited to authorized personnel within the organization. In addition to the ability to perform all tasks that a standard user can perform, they have the following far-reaching permissions:

• Read/Write/Change permissions for all resources

• All Windows permissions

From this, it looks as if administrators have considerable power, which can potentially be hijacked by malware. Thankfully, by default, administrators are still challenged with the UAC prompt, which pops up when they perform a task that requires administrative permissions. However, they are not required to reenter their administrative credentials. This is known as Admin Approval Mode.

A user who signs on to a system with administrative permissions will be granted two tokens:

• The first token enables them to operate as a standard user.

• The second token can be used when the administrator performs a task that requires administrative permissions.

Just as with the standard user, after the task is completed using elevated status, the account reverts to a standard-user privilege.

Types of elevation prompts

UAC has four types of dialog boxes, as shown in Table 2-9. The Description column explains how users need to respond to the prompt.

Within large organizations, nearly all users will be configured to sign in to their computer with a standard user account. On a managed system that has been provisioned and deployed by the IT department, standard user accounts should have little need to contact the help desk regarding UAC issues. They can browse the internet, send email, and use applications without an administrator account. Home users and small businesses that lack a centralized IT resource to provision and manage their devices are often found to use administrative user accounts.

As with previous versions of Windows, an administrator can determine when the UAC feature will notify you if changes are attempted on your computer.

To configure UAC, use the following procedure.

1. Log on to Windows 10 with administrative privileges.

2. Select Start and enter UAC.

3. Select Change User Account Control Settings to be shown the User Account Control Settings screen where you can adjust the UAC settings, as shown in Figure 2-24.

You need to review the information in this dialog box by moving the slider to each position in order to determine how the UAC feature will behave with each setting. The default is Notify Me Only When Applications Try To Make Changes To My Computer.

Table 2-10 shows the four settings that enable customization of the elevation prompt experience.

The settings enable changes to the UAC prompting behavior only, and do not elevate the status of the underlying user account.

In addition to the UAC settings within the GUI, there are many more UAC security settings that can be configured via Group Policy. These can be found here: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.

Secure Desktop

When UAC prompts the user for consent or elevated credentials, it first switches to a feature called Secure Desktop, which focuses only on the UAC prompt. In addition, Secure Desktop prevents other applications (including malware) from interacting with the user or influencing the user response to the UAC prompt.

While it is possible for malware to generate a screen that imitates the look of Secure Desktop (and even re-create the visual UAC prompt), it is not possible for malware to actually provide UAC with the correct credentials. If a system was infected with malware, it could try to bypass the UAC security setting—using a bogus credential prompt to harvest usernames and passwords from unsuspecting users—and then use these credentials on genuine UAC prompts. Therefore, it is important that administrators are vigilant against potential malware attacks, and all devices are set to ensure that their malware protection is configured to automatically update.

Configure Firewall & Network Protection

Within the Windows Security app is the Firewall & Network Protection page. This page provides a unified interface for accessing firewall and network protection features, and it consolidates several firewall-related components that are found within the Windows Defender Firewall in Control Panel.

To access the Firewall & Network Protection page as shown in Figure 2-25, open Windows Security, and on the Home tab, select Firewall & Network Protection.

On the Firewall & Network Protection page, you can view the current Windows Defender Firewall status and access links to enable you to configure firewall behavior. Much of the functionality is duplicated between the Firewall & Network Protection page and Windows Defender Firewall. You can choose to perform the configuration and monitoring task outlined in this chapter using either tool. Eventually, the Windows Defender Firewall located within Control Panel will be deprecated.

Manage and monitor Windows Defender Firewall

Windows Defender Firewall is a software-based firewall built into Windows 10 that creates a virtual barrier between a computer and the network to which it is connected. Windows Defender Firewall protects the computer from unwanted incoming traffic and protects the network from unwanted outgoing traffic.

To access the Windows Defender Firewall, select Start, enter Firewall, and then select Windows Defender Firewall.

A firewall allows specific types of data to enter and exit the computer while blocking other data; settings are configured by default (but they can be changed). This type of protection is called filtering. The filters are generally based on IP addresses, ports, and protocols. A description for each filter type includes the following:

• IP addresses are assigned to every computer and network resource connected directly to the network. The firewall can block or allow traffic based on an IP address of a resource (or a scope of addresses).

• Port numbers identify the application that is running on the computer. For example:

  • Port 21 is associated with the File Transfer Protocol (FTP).

  • Port 25 is associated with Simple Mail Transfer Protocol (SMTP).

  • Port 53 is associated with DNS.

  • Port 80 is associated with Hypertext Transfer Protocol (HTTP).

  • Port 443 is associated with HTTPS (HTTP Secure).

• Protocols are used to define the type of packet being sent or received. Common protocols are TCP, Telnet, FTP, HTTP, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), HTTPS, and User Datagram Protocol (UDP). (You should be familiar with the most common protocols before taking the exam.)

Although many rules are already configured for the firewall, you can create your own inbound and outbound rules based on ports, protocols, programs, and more to configure the firewall to suit your exact needs.

You can monitor the state of the Windows Defender Firewall from either the Firewall & Network Protection area or the Windows Defender Firewall. It’s easy to tell from here if the firewall is on or off and whether it is the active network.

To make basic changes to the state of the firewall within the Firewall & Network Protection area, select the network and choose to turn the Windows Defender Firewall on or off. In the left pane of Windows Defender Firewall, select Turn Windows Defender Firewall On Or Off. From there, you can change settings for both private and public networks. There are two options for each:

• Turn on Windows Defender Firewall (selected by default)

• Block all incoming connections, including those in the list of allowed apps

• Notify me when Windows Defender Firewall blocks a new app (selected by default)

• Turn off Windows Defender Firewall (not recommended)

You can also use the links on the page to allow an app or feature through the firewall and the links to the advanced settings options.

Allow an app through the Windows Defender Firewall

Some data generated with and by specific apps is already allowed to pass through the Windows Defender Firewall. You can see the list of which apps are allowed by clicking Allow An App Or Feature Through Windows Defender Firewall in the left pane of the Windows Defender Firewall window in Control Panel. As you scroll through the list, you’ll see many apps (some you recognize and some you don’t), including Candy Crush Saga, Cortana, Groove Music, and of course, Microsoft Edge.

You can modify which firewall profile apps can use by selecting the Change Settings button and providing administrator approval to the UAC prompt. The list will be editable. You will notice from the list that not all apps listed are enabled by default, including Windows Media Player Netlogon Service, Windows Remote Management, and Remote Shutdown. The list of apps and settings may vary depending on your existing configurations.

If you don’t see the app you want to allow or block, select Allow Another App. You can then browse to the app executable and select the app from the list of applications in the Add An App dialog box, as shown Figure 2-26. You can configure the app to allow or stop it from communicating through the appropriate network profile by selecting the network type option in the dialog box. For existing apps, you can choose the network profile within the Allow An App Or Feature Through Windows Defender Firewall dialog box. There are two options for each app: Private and Public.

You can also configure Windows Defender Firewall by using either the command-line tool Netsh.exe or by using Windows PowerShell. For example, to configure an app exception in Windows Defender Firewall with Netsh.exe, run the following command:

Click here to view code image

netsh firewall add allowedprogram C:Program Files (x86)MyAppMyApp.exe
"My Application" ENABLE

There are a significant number of Windows PowerShell cmdlets that you can use to configure and control Windows Defender Firewall. For example, to allow a new app through the firewall, you can use the following command:

Click here to view code image

New-NetFirewallRule -DisplayName "Allow MyApp" -Direction Inbound -Program "C:Program
Files (x86)MyAppMyApp.exe" -RemoteAddress LocalSubnet -Action Allow

Configure Windows Defender Firewall with Advanced Security

Although you can configure a few options in the main Windows Defender Firewall window, you can perform more advanced firewall configurations by using the Windows Defender Firewall With Advanced Security management console snap-in, as shown in Figure 2-27. To access the snap-in, from Windows Defender Firewall, select the Advanced Settings link on the Firewall & Network Protection page within Windows Security or from the Windows Defender Firewall.

The Windows Defender Firewall With Advanced Security configuration is presented differently. Traffic flow is controlled by rules, and there is a Monitoring node for viewing the current status and behavior of configured rules.

Here are the options and terms you need to be familiar with:

• In the left pane, your selection determines which items appear in the middle and right panes:

  • Inbound Rules Lists all configured inbound rules and enables you to double-click any item in the list and reconfigure it as desired. Some app rules are predefined and can’t be modified, although they can be disabled. Explore the other nodes as time allows. You can also right-click Inbound Rules in the left pane and create your own custom rule. Rule types include Program, Port, Predefined, and Custom. They are detailed later in this section.

  • Outbound Rules Offers the same options as Inbound Rules, but these apply to outgoing data. You can also right-click Outbound Rules in the left pane and create your own custom rule.

• Connection Security Rules Connection security rules establish how computers must authenticate before any data can be sent. IP Security (IPsec) standards define how data is secured while it is in transit over a TCP/IP network, and you can require a connection to use this type of authentication before computers can send data. You’ll learn more about connection security rules in the next section.

  • Monitoring Offers information about the active firewall status, state, and general settings for both the private and public profile types.

• In the right pane, you’ll see the options that correspond to your selection in the left pane.

  • Import/Export/Restore/Diagnose/Repair Policies Enables you to manage the settings you’ve configured for your firewall. Policies use the .wfw extension.

  • New Rules Enables you to start the applicable Rule Wizard to create a new rule. You can also do this from the Action menu.

  • Filter By Enables you to filter rules by Domain Profile, Private Profile, or Public Profile. You can also filter by state: Enabled or Disabled. Use this to narrow the rules listed to only those you want to view.

  • View Enables you to customize how and what you view in the middle pane of the Windows Defender Firewall With Advanced Security window.

When you opt to create your own inbound or outbound rule, you can choose from four rule types. A wizard walks you through the process, and the process changes depending on the type of rule you want to create. The rules are as follows:

• Program A program rule sets firewall behavior for a specific program you choose or for all programs that match the rule properties you set. You can’t control apps, but you can configure traditional EXEs. Once you’ve selected the program for which to create the rule, you can allow the connection, allow the connection only if the connection is secure and has been authenticated using IPsec, or block the connection. You can also choose the profiles to which the rule will be applied (domain, private, or public) and name the rule.

• Port A port rule sets firewall behavior for TCP and UDP port types and specifies which ports are allowed or blocked. You can apply the rule to all ports or only ports you specify. As with other rules, you can allow the connection, allow the connection only if the connection is secured with IPsec, or block the connection. You can also choose the profiles to which the rule will be applied (domain, private, public) and name the rule.

• Predefined This sets firewall behavior for a program or service that you select from a list of rules that are already defined by Windows.

• Custom This is a rule you create from scratch, defining every aspect of the rule. Use this if the first three rule types don’t offer the kind of rule you need.

With Windows Defender Firewall With Advanced Security selected in the left pane and using the Overview section of the middle pane, select the Windows Defender Firewall Properties link to open the dialog box shown in Figure 2-28. Here, you can make changes to the firewall and the profiles, even if you aren’t connected to the type of network you want to configure.

In Figure 2-28, the Domain Profile tab is selected. If you want, you can configure the firewall to be turned off when connected to a domain network. Additionally, you can strengthen the settings for the Public Profile and customize settings for the Private Profile. Finally, you can customize IPsec defaults, exemptions, and tunnel authorization on the IPsec Settings tab. Make sure to explore all areas of this dialog box and research any terms with which you are not familiar.

Configure connection security rules with IPsec

By default, Windows 10 does not always encrypt or authenticate communications between computers (there are exceptions). However, you can use Windows Defender Firewall With Advanced Security connection security rules to apply authentication and encryption to network traffic in your organization.

You can use IPsec network data encryption to ensure confidentiality, integrity, and authentication in data transport across channels that are not secure. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation.

If you implement IPsec properly, it provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data. IPsec provides the following functionality:

• Offers mutual authentication before and during communications

• Forces both parties to identify themselves during the communication process

• Enables confidentiality through IP traffic encryption and digital-packet authentication

Connection security rules are used to force authentication between two peer computers before they can establish a connection and transmit secure information. To secure traffic with IPsec using a connection security rule, you must allow the traffic through the firewall by creating a firewall rule. Connection security rules do not apply to programs and services. Instead, they apply only between the computers that are the two endpoints.

Windows Defender Firewall with Advanced Security uses IPsec to enforce the following configurable rules:

• Isolation An isolation rule isolates computers by restricting connections based on credentials, such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

• Authentication Exemption You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.

• Server-To-Server This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication that you want to use.

• Tunnel This rule enables you to protect connections between gateway computers. It is typically used when you are connecting across the internet between two security gateways.

• Custom There might be situations in which you cannot configure the authentication rules that you need by using the rules available in the New Connection Security Rule Wizard. However, you can use a custom rule to authenticate connections between two endpoints.

Create firewall rules

To create a rule, from within the Windows Defender Firewall With Advanced Security management console, first select the appropriate node and then select New Rule from the Actions pane. You can then complete the wizard to create your rule. As an example, to create a new inbound rule to enable network traffic for a program, perform the following procedure:

1. Select Inbound Rules and then select New Rule in the Actions pane.

2. On the Rule Type page, select Program and then select Next.

3. On the Program page, select This program path, browse and select the program executable, and then select Next.

4. On the Action page, choose Allow the connection and select Next.

5. On the Profile page, select which network location profiles are affected by the rule and select Next.

6. Provide a name and description for your rule and select Finish.

In addition to using the Windows Defender Firewall With Advanced Security management console, you can use the following Windows PowerShell cmdlets to configure and manage firewall settings and rules.

• Get-NetFirewallRule Displays a list of available firewall rules

• Enable-NetFirewallRule Enables an existing firewall rule

• Disable-NetFirewallRule Disables an existing firewall rule

• New-NetFirewallRule Creates a new firewall rule

• Set-NetFirewallRule Configures the properties of an existing firewall rule

Implement Encrypting File System

The built-in Encrypting File System (EFS) is a powerful method of restricting access to files within an NTFS environment. Although EFS has been available since Windows 2000, very few organizations routinely implement file- and folder-level encryption. Most organizations requiring encryption will choose to use BitLocker Drive Encryption, which encrypts complete drives.

Where EFS is utilized, most issues reported to the help desk relating to EFS often result from an overly enthusiastic member of staff encrypting some of their own files. By default, they have permission to encrypt their own files because they have the Creator Owner special identity.

The best way to ensure that EFS is not inadvertently used, potentially causing problems later, is to implement some or all of the following measures:

• Stand-alone computers that are not domain-joined should back up their encryption keys to ensure they can be used for recovery purposes later.

• Explain the (strict) usage criteria of EFS in the staff handbook/policy.

• Train IT staff on the use of EFS and the potential implications of unauthorized usage.

• Plan and document where EFS will be applied and who will apply it.

• Place sufficient restrictions across the domain to prevent unauthorized use of EFS.

• Implement an EFS Data Recovery Agent (DRA) so that if EFS is misused, then an administrator within the organization can recover any encrypted files.

• Implement employee-leaving procedures and scan for encrypted files to ensure all encrypted files are decrypted or ownership transferred.

• Disable, rather than delete, user accounts for a fixed time period in case the user account needs to be reactivated in order to remove EFS from corporate resources.

It’s necessary to ensure that selected users and members of IT departments appreciate that EFS is an extremely secure method of protecting files and that often this level of protection is not necessary. Only the original file owner who applied the encryption can access the file and remove the encryption.

If an organization does not have a DRA in place, one needs to be created as soon as possible. Doing so will enable subsequent files encrypted with EFS to be decrypted by the DRA, if needed.

The process for creating a DRA certificate in Windows 10 for a device that is not domain-joined can be performed using this procedure:

1. Open a PowerShell window or a command prompt window. (This does not require administrative privilege.)

2. Navigate to the location where you want to store your DRA certificate.

3. Type cipher /r: file name and press Enter.

4. Provide a password to protect the DRA certificate. (This can be null.)

To install the DRA so that a user can use it, follow these steps:

1. Sign in with the user credentials of the user for whom you want to create access to the DRA.

2. In the search box, type secpol.msc.

3. In the left pane of Local Security Policy, double-click Public Key Policies, right-click Encrypting File System, and then select Add Data Recovery Agent.

4. In the Add Recovery Agent Wizard, select Next.

5. Browse to the location of the DRA recovery certificate. (It will have a .cer file extension.)

6. Select the certificate, and then select Open.

7. When you are asked if you want to install the certificate, select Yes > Next > Finish.

8. In the right pane of Local Security Policy, scroll across and note that Intended Purposes for the certificate is set to File Recovery.

9. Open a command prompt window, and enter gpupdate to update Group Policy.

Once the DRA has been created, all EFS encrypted files can be recovered by the DRA.

The encrypted files that are already encrypted are not automatically updated when a DRA is created. Existing encrypted files cannot be recovered by the DRA unless they are opened and closed by the resource owner, which causes the DRA to update the file. To update all encrypted files on a local drive, you can enter cipher.exe /u in an elevated command prompt on the system containing the encrypted files.

Encrypt Files And Folders By Using Encrypting File System

When used with a Data Recovery Agent (DRA), Encrypting File System (EFS) is a very secure method to protect sensitive data by encrypting files and folders. Because EFS was first introduced in Windows 2000, EFS often suffers from being dismissed as being old or obsolete. Many people pass over EFS in favor of BitLocker Drive Encryption or BitLocker To Go. Don’t be fooled, though. EFS offers functionality that BitLocker does not, and despite EFS having been available for many years, it still offers an incredibly secure method of enterprise-grade encryption.

It is important to use EFS and a DRA together. Without a DRA available within your organization, you may never regain access to an EFS-encrypted resource. The DRA will help to recover data if the encryption key is deleted or if the machine has been lost or compromised.

EFS offers encryption at a file and a folder level, and it cannot be used to encrypt an entire hard disk. Instead, you would use BitLocker (covered later in this section) to encrypt an entire drive. Users can encrypt any file or folder they have created on an NTFS-formatted hard disk by right-clicking the resource and selecting Properties from the context menu that appears. In the Advanced Attributes dialog box (shown in Figure 2-29), select Encrypt Contents To Secure Data.

Encryption should not be used without prior planning and establishing some safeguards to secure the encryption keys that are used. EFS protects data from unauthorized access, and it is especially effective as a last line of defense from attacks, such as physical theft.

EFS uses Windows Public Key Infrastructure (PKI) and a fast encryption algorithm to protect files. The public and private keys generated during encryption ensure that only the user account that encrypted the file can decrypt it. Encrypted data can be decrypted only if the user’s personal encryption certificate is available, which is generated through the private key. Unless exported by the user, this key cannot be used by anyone else, and EFS prevents any access to the data. EFS will prevent attempts to copy or move encrypted data by anyone except users who have the proper credentials. If the user deletes their account or leaves the company, any encrypted resources will not be accessible, which could lead to data being lost. The only way to prevent data loss is to ensure that a DRA has previously been created so that an administrator can use the DRA to decrypt the resource.

Here are some key points you need to learn about EFS:

• The process of encryption and decryption happens behind the scenes and is not visible to users.

• Encryption occurs when you close files; decryption occurs when you open them.

• EFS is available only on NTFS volumes.

• EFS keys aren’t assigned to a computer; they are assigned to a specific user.

• If a hacker gains access to the user’s PC while the user is signed in, the hacker will be able to access and open EFS-protected files.

• The file owner can move or copy an EFS-protected file.

• You can’t use EFS and compression together; it’s one or the other.

• If the file owner moves an EFS-protected file to a volume that does not support EFS (such as FAT32), the file will be decrypted.

• Encrypted files and folders are no longer colored green in File Explorer; now they include a padlock icon on each file.

• EFS uses Advanced Encryption Standard (AES), which uses a 256-bit key algorithm, a credible industry standard of encryption.

• EFS is only available on Windows 10 Pro, Enterprise, and Education editions.

By default, any user can use EFS to encrypt any file for which they have ownership. Unless company policy requires EFS, you should consider disabling EFS with Group Policy until a DRA is created.

It is vital that a DRA be in place before EFS is enabled. Without a DRA, even an administrator is unable to recover EFS-protected files and folders. For the exam, you need to be able to configure a DRA using the command-line tool Cipher.exe.

Once you have created a DRA, you should update the encryption of each currently encrypted file to have the new DRA applied by using cipher /u. You can continue to encrypt your files and folders within File Explorer using the Encrypt Contents to Secure Data option shown previously in Figure 2-29.

Note DRA and EFS: The Sequence Is Important

Only encrypted files that are created after the DRA has been created can be recovered using the DRA.

Perform Backup And Recovery Of Efs-Protected Files

Built into Windows is a wizard for users who want to use EFS to create a file encryption certificate and key and back up these files. After you first encrypt files or folders, you will see the EFS pop-up notification in the notification area of the desktop asking you to back up your encryption key.

You can use the following steps to start the wizard and complete the process to configure an EFS certificate:

1. Open Control Panel and select User Accounts.

2. Select Manage your file encryption certificates to open the Encrypting File System Wizard.

3. Select Next. The wizard asks for your file encryption certificate; you can select your existing certificate, or you can create a new certificate.

4. Select Create a New Certificate, and then select Next.

5. On the Create A Certificate page, select Make a new self-signed certificate and store it on my computer and select Next.

6. Provide a backup location and password and select Next.

7. On the Update your previously encrypted files page, select All Logical Drives and select Next.

8. On the Your encrypted files have been updated page, select Close.

In addition to the Cipher.exe command-line tool, you can use the Certificates MMC (CertMgr.msc) to manage or back up your personal EFS certificate. You can also import your certificates to a new computer that doesn’t already contain your certificate. In the event of your certificate being lost, perhaps due to a failed computer or corrupted profile, you can import the DRA certificate onto a new computer, which would allow recovery of the encrypted files.

To import your EFS certificate into your personal certificate store via the Certificate Import Wizard, you should follow these steps:

1. Open Certificates MMC by entering CertMgr.msc into the search box.

2. Select the Personal folder.

3. Select Action > All Tasks > Import.

4. Work through the Certificate Import Wizard to import the PFX certificate.

Need More Review? Cipher.exe

For more information about Cipher.exe, refer to https://docs.microsoft.com/windows-server/administration/windows-commands/cipher.

Some common parameters used with the Cipher.exe command include:

• /c Displays information about an encrypted file

• /d Decrypts specified files and directories

• /s:<directory> Performs the specified operation on all subdirectories in the specified directory

• /u Updates all encrypted files on the local drives (useful if you need to update previously encrypted files with a new recovery certificate)

• /u /n Finds all encrypted files on a local drive

• /? Displays help

• /x Backs up the EFS certificate and keys to the specified file name

• /r:<FileName> Generates an EFS recovery agent key and certificate, based on the user account, and then writes them to a PFX file (Personal Information Exchange file, which contains a certificate and private key) and a CER file (Security Certificate file, which contains only the certificate)

After you have encrypted your first file or folder, Windows 10 will prompt you to make a backup of the EFS certificate and key, as shown in Figure 2-30. This reminder will appear in the notification area and it will reappear on a regular basis until you back up the EFS certificate and key or choose Never Back Up. You need to ensure you do take a backup and store it safely in a location separate from that of the files.

Understand BitLocker key protectors

BitLocker offers users several protection options. Administrators can choose which type of protection users should adopt to unlock a BitLocker-encrypted drive. BitLocker supports multifactor authentication for operating system drives, enabling you to require additional authentication, such as adding a smart card or a USB drive with a startup key on it or requiring a PIN on startup. These are called key protectors.

BitLocker offers multiple key protectors that can be used to unlock a protected system:

• TPM + startup PIN + startup key This is the most secure combination. The encryption key is stored on the TPM chip. The user might find this option cumbersome because it requires multiple authentication tasks.

• TPM + startup key The encryption key is stored on the TPM chip. The user needs to insert a USB flash drive that contains a startup key.

• TPM + startup PIN The encryption key is stored on the TPM chip. The user needs to enter a PIN to unlock the device.

• Startup key only The user needs to insert a USB flash drive with the startup key on it. The device doesn’t need to have a TPM chip. The BIOS must support access to the USB flash drive before the operating system loads.

• TPM only The encryption key is stored on the TPM chip, and no user action is required.

With all the BitLocker authentication methods, the drive is encrypted until unlocked. When the BitLocker encrypted drive is in recovery mode, you can also unlock the drive by using either the recovery password or recovery key:

• Recovery password This is a 48-digit number typed on a regular keyboard or by using the function keys (F1–F10) to input the numbers.

• Recovery key This is an encryption key created when BitLocker is first employed and is used for recovering data encrypted on a BitLocker volume. Often, the encryption key is stored on removable media.

Because the TPM chip together with BitLocker protects the hard drive, administrators can also configure BitLocker to operate without additional unlock steps; provided the device (and TPM) recognize the drive, it will be unlocked.

With BitLocker enabled, the drive is no longer susceptible to data theft. On a system that is not encrypted, simply removing the drive from the PC and attaching it as a secondary drive in another PC allows the data to be read, which bypasses all NTFS security.

Enable BitLocker without a TPM

By default, a modern Windows device such as a Surface Pro will contain a TPM, and BitLocker Drive Encryption will be already enabled when shipped. When the user signs on to the device for the first time with a Microsoft account, the recovery key is saved to their Microsoft account.

If a TPM isn’t found, select Cancel on the BitLocker Drive Encryption and follow the displayed instructions to configure Require Additional Authentication At Startup GPO located in Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System Drives. Enable this GPO and select the Allow BitLocker Without A Compatible TPM check box, as shown in Figure 2-31.

A new GPO is included with Windows 10 and can be found at Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System DrivesConfigure Pre-boot Recovery Message And URL. This GPO enables administrators to configure a custom recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. This enables administrators to provide information to the user, such as help desk support contact information.

Configure BitLocker

If you want to use BitLocker to encrypt the operating system drive on a supported Windows 10 device, the drive must be formatted as NTFS. Perform these steps to encrypt the drive using BitLocker:

1. Launch Control Panel, select System and Security, and then select BitLocker Drive Encryption.

2. Select the operating system drive and select Turn on BitLocker. (If you receive an error that the device can use a TPM chip, either enable the TPM within the BIOS or Unified Extensible Firmware Interface (UEFI) settings or enable the Require additional authentication at startup Group Policy setting, which is referred to earlier in this section.)

3. On the BitLocker drive encryption setup page, select Next.

4. On the Preparing your drive for BitLocker page, if prompted, select Next. (If your system has a Windows Recovery Environment, this will need to be manually enabled and moved to the system drive after the drive is encrypted.)

5. If you are presented with a warning message regarding the Windows Recovery Environment, select Next.

6. Choose how to unlock your drive at startup. (Enter A Password is used in this example.)

7. Enter the password, reenter to confirm, and then select Next.

8. On the How do you want to back up your recovery key? page, select one of the options, then select Next and back up your key. (Optionally, you can choose to back up the key in a secondary location.)

9. On the Choose how much of your drive to encrypt page, select to encrypt either the used disk space or the entire drive and select Next.

10. On the Choose which encryption mode to use page, select either the newest encryption mode or the compatible mode and select Next.

11. On the Are you ready to encrypt this drive? page, choose to allow the option BitLocker system check to take place (default), or deselect the option and then select Continue.

12. Restart the PC, enter the BitLocker password, and allow the drive to be encrypted in the background. In the taskbar notification area, there should be an icon indicating that BitLocker Drive Encryption is in progress.

From within the BitLocker Drive Encryption page in Control Panel, you can review the BitLocker status and perform additional tasks, including suspending protection, backing up your recovery key, changing the BitLocker password, removing the password, and turning off BitLocker.

Configure BitLocker using command-line tools

Administrators can also manage BitLocker Drive Encryption using the command-line tool Manage-bde.exe or by using the command prompt, PowerShell, and WMI. Managing recovery keys is discussed later.

Several parameters can be used with the Manage-bde command to manage BitLocker, as listed in Table 2-11.

Windows 10 offers built-in support for BitLocker PowerShell cmdlets, as listed in Table 2-12. You can also use Get-help <BitLocker cmdlet>, such as Get-Help Enable-BitLocker -examples.

Using PowerShell, you can obtain very detailed information from systems, including status, key protectors used, encryption method, and type. If you run the Get-BitLockerVolume | format-list cmdlet to provide information about an encrypted drive without first unlocking the drive, the amount of information obtained will be restricted.

Upgrade a BitLocker-enabled computer

BitLocker is designed to protect your computer from preboot changes, such as updating the BIOS or UEFI. If you upgrade your computer, for example, with a BIOS firmware upgrade, this can cause the TPM to perceive it is under attack. In order to prevent Windows 10 from entering BitLocker recovery mode, you should take some precautions when upgrading a BitLocker-enabled computer. Before updating the BIOS, carry out the following steps:

1. Temporarily suspend BitLocker by opening the BitLocker Drive Encryption in Control Panel and selecting Suspend Protection on the operating system drive, which places it in disabled mode.

2. Upgrade the system or the BIOS.

3. BitLocker protection will be automatically turned back on following a reboot, but if this default behavior has been modified, you should turn BitLocker on again by opening BitLocker Drive Encryption in Control Panel and selecting Resume Protection on the operating system drive.

Forcing BitLocker into disabled mode keeps the data encrypted, with the volume master key encrypted with a clear key. The availability of this unencrypted key disables the data protection that BitLocker offers, but it ensures that the subsequent computer startup will succeed without further user input. After the BIOS upgrade, BitLocker is reenabled so that the unencrypted key is erased from the disk and BitLocker protection is functional again. The encryption key will be resealed with the new key that has been regenerated to incorporate new values of the measured components that may have changed during the system upgrade.

Move a BitLocker-encrypted drive to another computer

Moving a BitLocker-encrypted drive to another BitLocker-enabled computer requires that you turn off BitLocker temporarily (by using the Suspend Protection option). After the move is complete, you need to reenable BitLocker, which will then resume BitLocker protection.

The PowerShell command for suspending BitLocker encryption on the system drive is:

Click here to view code image

Suspend-BitLocker -MountPoint "C:"

Sometimes a system change can cause the BitLocker system integrity check on the operating system drive to fail. This prevents the TPM from releasing the BitLocker key to decrypt the protected operating system drive and requires the user to enter recovery mode. Examples of system changes that can result in a BitLocker system integrity check failure include:

• Moving the BitLocker-protected drive to a new computer

• Installing a new motherboard with a new TPM

• Turning off, disabling, or clearing the TPM

• Making changes to any boot configuration settings

• Making changes to the BIOS, UEFI firmware, master boot record, boot sector, boot manager, Optical ROM, or other early boot components or boot configuration data

When Windows 10 upgrades itself from one version to another, such as 1803 to 1809, there should be no issues with BitLocker because the system will automatically perform the suspend and resume actions during the process.

Configure startup key storage and recovery options

You know that without access to the encryption key contained in the TPM or stored in the startup key, you are unable to unlock a BitLocker-encrypted drive.

You should ensure that you’re familiar with BitLocker-related terminology:

• Recovery password and recovery key When you first configure BitLocker, it will create a recovery key and prompt you to store it safely. You’ll need to provide this recovery key if the TPM is unable to validate that the drive hasn’t been tampered with or if the startup key, password, or PIN have not been supplied during boot time.

• Password A password or passphrase is created to protect fixed, removable, and operating system drives with or without a TPM. The password length can be set in Group Policy and can consist of eight to 255 characters.

• PIN When you use a TPM, you can configure BitLocker with a PIN that the user must type during the initial startup of the device to allow Windows 10 to start. The PIN can consist of between 4 to 20 digits, and the length can be set in the Configure Minimum PIN Length For Startup Group Policy setting.

• Enhanced PIN This enables administrators to force the use of a complex PIN, just like a password or passphrase (including spaces), by configuring the Allow Enhanced PINs For Startup GPO setting. This policy is applied when you turn on BitLocker and is configurable only for operating system drives.

• Startup key This is stored on a USB flash drive and can be used with or without a TPM. To use this method of unlock, the USB flash drive must be inserted every time the computer starts. The USB flash drive can be formatted by using NTFS, FAT, or FAT32.

• TPM Lockout By default, TPM 2.0 will lock the user out for two hours whenever the TPM is under attack. (TPM 1.2 lockout duration varied by manufacturer.)

Configure BitLocker To Go

A portable version of BitLocker, BitLocker To Go, is aimed at protecting removable USB devices and uses the same technology as BitLocker Drive Encryption, but it does not require use of a TPM. BitLocker To Go can protect flash drives, Secure Digital (SD) cards, and removable hard disks formatted with NTFS, FAT16, FAT32, or exFat file systems. BitLocker To Go is available for users with Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.

To create a BitLocker To Go drive, follow these steps:

1. Insert a removable drive.

2. Open Windows Explorer (though it may open automatically).

3. Right-click the removable drive and select Turn BitLocker on.

4. After the BitLocker Drive Encryption Wizard opens, choose how to unlock the drive and select Next.

5. On the How do you want to back up your recovery key? page, choose an option, and then once the password is saved, select Next.

6. On the Choose how much of your drive to encrypt page, select to encrypt either the used disk space or the entire drive and select Next.

7. On the Choose which encryption mode to use page, select either the newest encryption mode or the compatible mode and select Next.

8. On the Are you ready to encrypt this drive? page, select Start encrypting.

9. The encryption process will commence. Once the process is complete, you can close the wizard.

If the option to encrypt the drive is not available, you need to check that you are using a supported version of Windows and that the feature has not been disabled by Group Policy.

Once a removable drive has been encrypted, each time you insert the removable drive into a device, you will need to unlock it with one of the following methods:

• A recovery password or passphrase. (This complexity can be set within Group Policy.)

• A smart card.

• Select the option Always Auto-Unlock This Device On This PC.

The last option is useful for users who frequently use removable drives because it reduces the likelihood of frustration of entering the password every time they use their removable drives. If the removable drive is used on other devices once the user unlocks the removable drive, it can also be configured to auto-unlock if required.

Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. They are also able to change their own password for encrypted drives via BitLocker Drive Encryption in Control Panel. However, if a user loses or forgets the password for the data or removable drive, you need to have access to the BitLocker recovery key to recover the data and unlock the drive.

The following GPOs are available within the BitLocker To Go settings found at Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionRemovable Data Drives:

• Control use of BitLocker on removable drives.

• Configure use of smart cards on removable data drives.

• Deny Write access to removable drives not protected by BitLocker.

• Configure use of hardware-based encryption for removable data drives.

• Enforce drive-encryption type on removable data drives.

• Allow access to BitLocker-protected removable data drives from earlier versions of Windows.

• Configure use of passwords for removable data drives.

• Choose how BitLocker-protected removable data drives can be recovered.

Users of Windows 10 Home cannot encrypt removable data drives, but they can access BitLocker To Go–enabled data drives and have read-only access to the data, if they provide the correct recovery password, passphrase, or smart card.

Understand BitLocker and BitLocker To Go data recovery

You need to support users who have devices that will not boot into Windows because of BitLocker-related issues during boot time. There are several situations in which BitLocker will enter into BitLocker recovery mode because of a perceived threat to the system, such as one of the following:

• Repeatedly failing to provide the startup password.

• Changing the startup boot order to boot another drive in advance of the hard drive.

• Changing the NTFS partition table, such as creating, deleting, or resizing a primary partition.

• Entering the PIN incorrectly too many times so that the anti-hammering logic of the TPM is activated.

• Turning off, disabling, deactivating, or clearing the TPM.

• Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

• Adding or removing hardware (for example, inserting a new motherboard or video card into the computer).

• You can also force a BitLocker-protected device into recovery mode by pressing the F8 or F10 key during the boot process.

When the device has entered the BitLocker recovery mode, you need to recover the drive by using one of these methods:

• Supply the 48-digit recovery password.

• Allow a domain administrator to obtain the recovery password from Active Directory.

• Allow an administrator to obtain the recovery password from Azure Active Directory.

• Run a script to reset the password, using PowerShell or VBScript, which uses the key package.

For stand-alone and small-business users, the BitLocker recovery key is stored in the user’s Microsoft account at https://onedrive.live.com/recoverykey. You will need to use the keyboard number or function keys to enter the number to unlock the drive. Once the operating system has started, users can then re-create a new startup key; otherwise, the BitLocker recovery mode will remain in place.

For corporate users, there are several settings that can be configured in Group Policy that will define the recovery methods that require Windows to save BitLocker recovery information to Active Directory. The GPOs found in the subfolders of Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption are as follows:

• Choose How Bitlocker-Protected Operating System Drives Can Be Recovered

• Choose How Bitlocker-Protected Fixed Drives Can Be Recovered

• Choose How Bitlocker-Protected Removable Drives Can Be Recovered

For each of these GPOs, you can also select the Do Not Enable BitLocker Until Recovery Information Is Stored In Active Directory check box to keep users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to Active Directory has succeeded.

Once BitLocker recovery information has been saved in Active Directory, the recovery information can be used to restore access to a BitLocker-protected drive by using the Manage-bde command-line tool introduced earlier.

In an Azure Active Directory environment, you can locate the BitLocker key within the Azure Active Directory Admin Center. Locate the device, and if the Windows 10 machine has been encrypted, you can use the BitLocker recovery key or provide it to the user to recover their device.

To view or copy the BitLocker keys within Azure Active Directory, you need to be the device owner or have one of the following roles assigned:

• Global Administrator

• Help Desk Administrator

• Security Administrator

• Security Reader

• Intune Service Administrator