BitLocker is a security feature that came with Windows Vista; it encrypts your hard drive. The intention is to protect the data from being stolen or falling into the wrong hands. The key to unlock the encrypted drive is well-protected by a Trusted Platform Module (TPM) that Windows owns and controls.
TPM is a cryptographic, tamper-resistant module. It stores biometric data, such as the new Windows Hello feature that allows you to sign in to Windows by using face or fingerprint. All these features are built in to Windows.
Regarding BitLocker, the 48-digit recovery key is securely placed in Active Directory attached to the Computer object, so it's easy to recognize.
Brute-force attacks have existed for several years and are easily explained as a process that simply tries to guess the user's password, pin code, or even biometric login.
How can you protect yourselves against brute force? And what has BitLocker to do with Windows Defender?
Windows 7 and lower started defending themselves against brute-force by slowing down the Windows login process after multiple incorrect attempts so that you would have to wait longer and longer every time, same as you would see on smartphones today.
With Windows 10, you have an even more powerful feature and an optional form of protection when the login information is integrated with TPM. If Windows detects an attack on Windows sign-in and BitLocker encryption is enabled, then Windows can actually restart the machine automatically. When it boots up again, it will enter BitLocker recovery state until recovery key fetched from Active Directory are entered. As this password is of 48 digits, it should be pretty hard to guess.
This brute-force feature in Windows 10 can be enabled with Group Policy in Computer Configuration | Windows Settings | Security Settings | Security Options.
Named: Interactive Login: Machine Account lockout threshold
Value: 5
Look at the following screenshot:
Group Policy setting for Windows 10 brute-force protection
The easy way to test if its working is to mistype your password five times, then Windows should restart automatically and you will need the BitLocker recovery key from Active Directory. Ensure that you have this information in advance because there is no way of getting back into the Windows or data any other way. That's the point with BitLocker, there is no backdoor.
Windows 10 has actually many new security features, and the production team constantly builds new features to meet today's and tomorrow's threats.
It can now actually protect against Man in the middle , where someone tries to reroute network communication between the user and the server, as well. Windows 10 now requires SMB signing and mutual authentication before allowing connection to Active Directory SYSVOL and Netlogon shares.
You actually need protection before Windows Defender is started as well, and that's where Windows Trusted Boot comes in verifying boot components and Early Launch Antimalware (ELAM).
If your computers have Unified Extensible Firmware Interface UEFI and Secure Boot Microsoft, strongly encourage customers to have these enabled by default. They also have security features built-in protecting the bootloaders digital signature to ensure that it has not been modified compared with its original digitally signed version. So, basically this protects against bootkits and rootkits.
With System Center Configuration Manager 1610, there will actually be a way to use Task Sequence to convert computers from BIOS to UEFI with the new Task Sequence Variable TSUEFI Drive.
Now with Windows 10, Windows Defender has got a new feature named Windows Defender Offline that you can initiate from within Windows Settings | Update & Security | Windows Defender as you see on the following screenshot:
Windows Defender settings in Windows 10
To run Windows Defender, on earlier version of Windows you had to create a boot media with something like Microsoft Diagnostics and Recovery Toolset (DaRT), to remove malware that somehow were a bit tricky to remove because of active processes.
However, if you are running BitLocker Encryption, you have to turn it off in advance to allow scanning offline. Now BitLocker has nothing to do with malware protection, it is only encryption, so it's not in any danger that way when turned off.
Following the same procedure as when you are to upgrade BIOS on the computer, you need to suspend BitLocker while upgrading. Otherwise, BitLocker would very easily fall into Recovery mode and require the recovery key.