This works similarly to the Windows 8 Pro Pack. From within Windows 10 itself, you have the option of paying Microsoft another $99. If you do, your Windows 10 Home system will be upgraded to a Windows 10 Professional system with no Windows reinstall required. All the extra features in Windows 10 Professional will be unlocked. With Windows 8.1, this was also sold as a physical card with a code on it, so you can probably buy it in stores, too. Unsurprisingly, most of the features included here are intended for businesses and power users in general. Microsoft called the base edition of Windows 8 “Windows 8” and the Professional version “Windows 8 Professional.” With Windows 10, they’re back to “Windows 10 Home” and “Windows 10 Professional,” which is certainly clearer.

Microsoft is no longer offering Windows Media Center as a paid upgrade — that’s discontinued. Media Center devotees will want to stick with older versions of Windows. Assigned Access 8.1. Is still restricted to the Professional version of Windows, so you’ll need to pay up if you want to use the most powerful and integrated disk-encryption tool on Windows. BitLocker allows you to encrypt internal drives and external USB drives.

You can even. The is similar — powerful encryption features aren’t offered in the Home edition. The Home edition does offer, which is automatically enabled on new PCs. However, it doesn’t provide many options — Device Encryption only works if you sign in with a Microsoft account on a new PC with the appropriate hardware. Business Store and Private Catalog With Windows 10, businesses can create a private section of the Windows 10 Store for their organization. Users can browse the business’s private catalog and install apps specifically approved by their organization. Businesses can also buy Store apps in bulk and deploy them to their own devices.

This requires at least the Professional edition of Windows 10. Current Branch for Business. And delay installing feature updates. Microsoft wants those Windows systems to be always up-to-date. Windows 10 Home users aren’t able to put off installing feature updates at all. Windows 10 Professional users can put off installing these updates by being on the “Current branch for business,” a more conservative approach to updates.

By the time these systems get Windows 10 updates, they will have been beta-tested by millions of Windows 10 Home users. By default, Windows 10 Professional still uses the faster approach to updates. Domain Join, Group Policy, and Microsoft Azure Active Directory Join. If you want to join a domain or manage your PC via group policy, these will continue to require the Professional edition of Windows.

Generally, these are only features used on business networks, not on your home network. However, the Local Group Policy Editor will remain off-limits to you and you won’t be able to tweak on a Home version of Windows 10, just as on previous editions of Windows. Organizations using Microsoft’s Azure AD service can have their Windows 10 devices sign directly into Azure active directory rather than signing in with a Microsoft account or a traditional Windows domain with a local server. This requires the employee choose the “This device belongs to my organization” option during the set-up process and sign in with their Azure AD credentials.

Enterprise Data Protection Enterprise Data Protection (EDP) is a new feature in Windows 10. For devices containing both personal data belonging to an employee and work data belonging to an organization, EDP allows businesses to mark specific universal apps as having privileged corporate data and protect it. That data can be separately encrypted and even remotely wiped without affecting the user’s own data. Enterprises can also audit and track the usage of this data.

BitLocker 101: Easy, Free Full Drive Encryption for Windows. If there’s something undeniable about the prevalence of mobile computing devices today, it’s that. Jan 12, 2016 Securing Windows 10 with BitLocker Drive. It’s available on Windows 10 Pro, Enterprise and Education. Insights into Windows 10 BitLocker Drive.

For example, an email app could be marked as containing sensitive email and the data protected and audited. If an employee quits, the organization can remotely wipe that email app of all data without touching the rest of the system. Enterprise Mode Internet Explorer. Internet Explorer 11 is still included in Windows 10, although is the default. Professional editions of Windows get, which essentially allows you to force Internet Explorer 11 to behave more like Internet Explorer 8. This is only really useful if you’re using ancient websites — usually internal business websites — that don’t work properly in modern browsers.

This option must first be enabled in group policy before you can access it. All editions of Windows 10 include Internet Explorer 11 for compatibility with older websites. This feature is just an extra perk. Like previous versions of Windows, Windows 10 Home offers a client for connecting to Remote Desktop servers, but not the Remote Desktop server itself. To using Windows 10’s built-in Remote Desktop feature, you’ll need Windows 10 Professional. However, there are many that don’t require Windows 10 Professional and are easier to set up.

Windows Update for Business This is a tool that allows network administrators to better control when Windows Update occurs on devices on their network. For example, they can set specific devices to perform updates first in a “wave” of updates that goes out.

They can configure maintenance windows to define exactly when updates should and should not occur — during normal business hours, for example. Peer-to-peer delivery of Windows Updates can occur over a business network between remote offices. The Enterprise and Education editions of Windows 10, although you can’t get them without a volume license. For example, they offer Windows To Go for installing and running Windows 10 from a USB flash drive and AppLocker for locking down the applications that can run on your computer.

Microsoft BitLocker Administration and Monitoring Microsoft BitLocker Administration and Monitoring (MBAM) provides enterprise management capabilities for BitLocker and BitLocker To Go. MBAM simplifies deployment and key recovery, provides centralized compliance monitoring and reporting, and minimizes the costs associated with provisioning and supporting encrypted drives. Explore the latest release: MBAM 2.5 Microsoft BitLocker Administration and Monitoring (MBAM) provides enterprise management capabilities for BitLocker and BitLocker To Go. MBAM simplifies deployment and key recovery, provides centralized compliance monitoring and reporting, and minimizes the costs associated with provisioning and supporting encrypted drives. • • • • Plan for deployment • • • • • • • • Deploy MBAM • • • • • • Find guidance for previous releases MBAM 2.0 • • • • MBAM 1.0 • • • • Watch demonstrations and tutorials • • • • • • Downloads • • • • Related sites • • • • •.

Editor’s note: The following post was written Office Servers and Services MVP as part of our Technical Tuesday series. Windows 10 includes several security features. Perhaps one of the most important features is BitLocker Drive Encryption, which provides data protection in case of a loss or stolen device. It also provides security for decommissioned computers.

BitLocker has been around for several years and can be used with Windows Vista, Windows 7 and Windows 8/8.1 operating systems. However, the focus of this article is on securing Windows 10 with BitLocker. BitLocker Drive Encryption is built into the Windows 10 operating system and uses Advanced Encryption Standard (AES) with configurable key lengths of either 128-bit (default) or 256-bit (configurable using Group Policy).

The idea behind the BitLocker Drive Encryption is that once you secure your drive, only you, or someone who has your password and recovery key, will be able to get to your data. Although this kind of protection provides enhanced security on mobile devices, such as laptops, there is no reason why you shouldn’t take advantage of BitLocker encryption on your desktop computers. NOTE: BitLocker is not available on Windows 10 Home edition. It’s available on Windows 10 Pro, Enterprise and Education editions. Unlike Encrypted File System (EFS) in previous Windows operating systems, BitLocker Drive Encryption encrypts your entire drive. This is much better than encrypting certain files or folders not only because of its ease but also because it offers a much higher level of security.

By encrypting the entire drive, you can rest assured that all the files on your encrypted partition are protected. In this article, I will share some insights into Windows 10 BitLocker Drive Encryption. I will walk you through step-by-step configuration of BitLocker on Windows 10 and also share some best practices.

BitLocker Requirements It is important to understand the following BitLocker requirements before you implement BitLocker on your computer. These requirements are fairly minimal and an average user is likely to easily implement them on his/her computer. Hardware TPM v1.2 Chip - If you have a computer that you purchased in the last few years, chances are that it includes a Trusted Platform Module (TPM) chip. This is common on most laptops these days. To properly secure your Windows computer with BitLocker, Microsoft recommends you use TPM version 1.2 or later. If you are not sure whether your computer has a TPM chip, type tpm.msc in the Windows search box to load TPM Console.

It will show you the TPM if it exists, otherwise you will see a message Compatible TPM cannot be found. Support for USB – Your computer must support booting from a USB flash drive. If you don’t have a TPM chip, you can still use BitLocker Drive Encryption with a USB flash drive. For example, if you have a Windows 10 desktop computer that doesn’t have a TPM chip, you can use the USB flash drive to save the BitLocker recovery key.

You will insert the flash drive when the computer is started or resumed from hibernation and it will unlock the computer for you. NOTE: BitLocker doesn’t support Dynamic Disks. Dynamic disks are very rare and if you don’t know what a dynamic disk is, chances are that you have not converted your Basic Disk to a Dynamic Disk. Software No Additional Software Required – BitLocker is integrated into the Windows operating system and therefore doesn’t require any additional software. Partitions Because pre-startup authentication and system integrity verification must take place on a partition other than the encrypted operating system drive, BitLocker requires that your computer has at least two partitions: • An operating system partition (usually drive C) that is formatted with NTFS.

• A system partition that is at least 350MB. This is where Windows stores files needed to load Windows at boot. The system partition must not be encrypted and should also be formatted with NTFS for computers that use BIOS firmware and with FAT32 for computers that use UEFI-based firmware. This drive is often hidden in Windows Explorer. You can configure one or more partitions for your data (drive D, E, etc.) and enable BitLocker on them. Administrative Access You must have local Administrative rights to manage BitLocker on the operating system and fixed data drives.

Standard users can only manage BitLocker on removable data drives. Encryption Overhead Unlike compression, which can cause a lot of disk fragmentation, BitLocker encryption doesn’t have the same impact on your computer. While there is some overhead due to encryption, it’s hardly a show stopper.

With the advancement in computer hardware over the years, the central processing unit (CPU), hard drive, memory, and other components work so efficiently that the encryption overhead is minimal (less than 10%) and most people are unlikely to notice it. At my company, we use BitLocker on our desktop workstations and laptops and we haven’t experienced any noticeable performance hit. The way I look at it, even if there is a small price to pay in terms of performance overhead, securing your data with encryption is well worth it. Step-by-Step Configuration Here are the step-by-step instructions on how to turn on and configure BitLocker on your Windows 10 computer. If you are running Windows 10 Home edition, you won’t have the option to use BitLocker. • Login to your Windows 10 computer.

• Right-click the Start button and select File Explorer. This was called Windows Explorer in previous Windows operating systems. • Right-click the hard drive that you want to encrypt, e.g.

Drive C where the operating system is installed, and select Turn on BitLocker. • If your computer doesn’t have a TPM chip you will see the following message. This device can’t use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes. • You can modify the local group policy to allow BitLocker to encrypt the operating system drive on this computer even if it doesn’t have a TPM. • In the Windows 10 Search box type gpedit.msc and press Enter to start the Local Group Policy Editor. • Go to Computer Configuration ->Administrative Templates ->Windows Components ->BitLocker Drive Encryption ->Operating System Drives and in the right-hand pane double-click Require additional authentication at startup.

• Check the Enabled radio button and make sure that the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) box is checked. Then click OK. • Go back to the File Explorer, right-click drive C and select Turn on BitLocker. • This time it will allow you to turn BitLocker on. You are given a choice to either Insert a USB flash drive or Enter a password. NOTE: If you use a password to unlock your BitLocker-protected operating system drive, you won’t be able to remotely access the computer using remote desktop protocol (RDP) if it is rebooted for some reason, e.g. Restarted after power outage.

• If you choose the option to insert a removable USB flash drive, it will save the startup key on the USB flash drive. This will be used to unlock the operating system drive after each reboot. NOTE: Unlike the recovery key, the startup key is not a text file. It has the file extension.BEK.

• If you select the option to enter a password, you will enter the password and confirm it. Make sure you use a long, secure pass phrase. This password will be required each time the computer is rebooted. • Next, you will be given several options for storing the recovery key.

You can back up the recovery key to one of the following locations. A) Save to your Microsoft Account. B) Save to a USB flash drive. C) Save to a file.

D) Print the recovery key. Convert Xls Enterprise Edition Serial Killer. • The easiest thing to do is to use the option Save to a file. The recovery key is a text file that can be opened in Notepad.

You can copy the recovery key later to a USB flash drive if there is a need, open the text file and print it, and copy it at multiple locations for back up purposes if you want. You can even type the key manually into Notepad, save it on a USB flash drive and use it to unlock the computer. There is nothing magical about the recovery key file. • After you have saved the recovery key to a file, click Next. • If you are setting up BitLocker on a new drive, you only need to encrypt the part of drive that is being used. When you add additional data, BitLocker will automatically encrypt that data.

You should select the first radio button Encrypt used disk space only (faster and best for new PCs and drives). However, if you have already been using your computer for a while, select the second option Encrypt entire drive (Slower but best for PCs and drives already in use). • Depending on the size of the hard drive and the amount of data, the encryption process can take a long time so be patient. It’s best to start this process at the end of the day when you are no longer going to use your computer until the next day.

Make sure the box Run BitLocker system check is checked and once you are ready, click Continue. • You will be prompted to restart the computer. If you are ready to reboot now, click Restart now or click Restart later if you are not quite ready yet.

• After the computer reboots, it will start encrypting the drive. You won’t see any progress bar but if you go to Manage BitLocker in Control Panel (Control Panel System and Security BitLocker Drive Encryption) you will see that BitLocker is encrypting the drive. • When the encryption is complete, you can see the status which shows that BitLocker is on for drive C.

Some of the management tasks for BitLocker include the ability to suspend protection, back up your recovery key, copy the startup key and turn off BitLocker. You will find more information on suspend protection later in this article.

• After enabling BitLocker for your operating system drive, you can turn on BitLocker for other drives, such as drive D. As far as BitLocker is concerned, the order that you encrypt the drives is not important. You can encrypt the data drive first and the then the operating system drive, or vice versa. When Would I Need the Recovery Key? There are several reasons that you may need your recovery key. Some, but not all, of the reasons include, updating of computer BIOS, losing the flash drive that contains your startup key when you have enabled the startup key authentication, changing the original TPM (e.g. Installing a new motherboard), moving your BitLocker drive to a new computer, or changing boot configuration settings.

If you want to upgrade the computer BIOS chip, you can temporarily disable (turn off) BitLocker, upgrade the BIOS and then enable BitLocker (turn on). BitLocker Best Practices When you implement BitLocker, it’s imperative that you follow the best practices and take computer security very seriously. For example, using BitLocker to encrypt the drive but a weak password to authentication to your computer will be a bad idea. Follow these best practices and guidelines to secure your computer that’s configured for BitLocker.

• If you encrypt your data drive but not the operating system, you need to ensure that your computer is physically secure. In addition, you need to make sure that you are using a strong password and preferably multi-factor authentication. • If during BitLocker configuration you save the recovery key on the local computer, make sure you copy the recovery key on a different computer. Otherwise, you may lock yourself out of your computer. • Have more than one recovery key for your computer and keep each key in a secure place other than the computer where it was generated. • Print out the recovery key on paper and store it in a safe location, like a safe deposit box at your bank. If there is a need, you can simply type the recovery key in Notepad and save it as a text file.

That’s your recovery key that can now be used on the computer where it was generated. • If you ever regenerate the recovery key, make sure you update all your backups. • Name your recovery key file so it is easy to recognize the computer to which it belongs because recovery keys are computer-specific. • Do not confuse a startup key from recovery key. They serve different purpose. Recovery key is a text file. • For computers that are configured to use a startup key on a USB flash drive when they are started, make sure that you have backed up the startup key to a safe location.

• If you have a laptop with docking station, configure the BIOS to make sure that the hard drive is listed first in the boot order whether the laptop is docked or undocked. • Before you upgrade Windows 7/8 to Windows 10, simply suspend BitLocker (refer to image in step 19), which won’t decrypt your drive.

Upgrade to Windows 10 and then click Resume Protection. • Use BitLocker to Go to encrypt removable drives, such as USB flash drives, external hard disks, SD cards, etc. Because they are more likely to be lost or stolen than the fixed drives. BitLocker in Business Environment In a domain environment, Active Directory Domain Services (AD DS) can be used to centrally manage the BitLocker keys.

In addition, you can also use Group Policies to not only backup BitLocker and TPM recovery information but also manage recovery passwords. If you are interested in planning and deploying BitLocker in a business environment, check out some of the Microsoft TechNet articles listed below. • • • • Conclusion BitLocker Drive Encryption is built into Windows 10 Pro, Enterprise and Education versions.

It offers an easy and secure way to protect your confidential data by encrypting your drives. BitLocker has very little performance overhead and you can encrypt not only your fixed drives but also the removable drives, such as USB external hard drives, USB flash drives, SD cards, etc. If you are interested in securing your data on your desktop computer or mobile devices, BitLocker is an excellent option. And best of all, you don’t even need to purchase any extra software or install an add-on. About the author Zubair is a Microsoft SharePoint MVP, a Microsoft Certified Trainer, and CEO of an IT training and consulting company in Seattle, WA. He holds more than 25 industry certifications including MCT, MCSE, MCSA, MCDST, MCITP, MCTS, MCP+I, CNA, A+, Network+, Security+, CTT+ and CIW. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, Web designer, author, technical editor, college instructor and public speaker.

Good observation, Paul but you should be aware that BitLocker also offers ‘automatically drive unlock’ as an option; you can check it or you can choose to enter a password every time you login to unlock the data drives. Sure, I am talking about other drives than C. This means that even if someone knows your BitLocker startup key AND your Windows account password, that someone will still need the third password to unlock the data drives. Now – this is very unlikely to happen For me is not very clear what happens when I move an encrypted drive from one computer to another. Since “Recovery keys are computer-specific” – I assume I will be able to unlock that drive using the initially set password but I won’t be able to use the recovery key in case I forget the password. Which means – it is recommended to generate a new recovery key on the new computer.

Requiring a USB if you don’t have TPM is highly annoying – especially on a laptop. Requiring a 350 MB System partition – when my computer has a 100 MB System partition – is a real showstopper. I’m not about to wipe my computer and re-partition.

Also, a 10% hit on performance may not matter with a new computer, but a 5-10 year old computer is often completely usable for most people until you start adding 10% performance drops. Something like a Truecrypt folder might be a better option – even though it’s stopped development. You also imply EFS is not part of Win 10, but it is. And if it’s important why does MS not allow Home users to have this feature? It doesn’t cost them anything – my guess is a computer running Home is too underpowered to take the 10% performance hit. @Yah, “ Truecrypt folder might be a better option – even though it’s stopped development.” I believe that VeraCrypt has picked up the TruCrypt technology and continued the development.

It looks and behave the same as TC. You can easily find its pages on Codeplex or sourceforge. I have been using it for a few years now. ================= Now regarding this article, in general: I’d rather use something like VeraCrypt than Bitlocker. VC doesn’t cripple you with hardware or OS silly requirements.

A major security problem has been ransomware. This is where some OS intelligence needs to be implemented to detect that a suspicious program is trying to encrypt the data files (documents, pictures, etc.), then it would prompt the operator for permission (before allowing that program to perform any mass action on data or system files), and with a verification code (sent to the mobile device), not Windows password because it might have already been compromised. Without discussing Intel’s Platform Trust Technology, this article is not as helpful as it could be. And from Intel’s.eu site – Intel® Platform Trust Technology (Intel® PTT) is a platform functionality for credential storage and key management used by Windows 8* and Windows® 10. Intel PTT supports BitLocker* for hard drive encryption and supports all Microsoft requirements for firmware Trusted Platform Module (fTPM) 2.0. It’s an integrated solution in the Intel® Management Engine for 4th Generation Intel® Core™ processors with ultra-low TDP (Thermal Display Power) platforms and later. Hi Zubair and thank you for your article.

I have just used bitlocker to encrypt all my internal hard drives. I would like to change the password on the operating system drive but the there is no option to do so, as shown under section 20 of your article, so how do you change the password? For clarify if I have automated the bitlocker for my internal hard drives, so I don’t have to enter the password every time I access a drive, and hence the hard drives are showing as BitLocker on, does that mean when I shut down the PC that the hard drive is not protected? Therefore, if the hard drive was taken out and connected to another PC, with the”BitLocker on” is the hard drive still encrypted?

I have a brand new Dell desktop with windows 10 pro 64 bit. I use External Hard drives for back up, all plug and play. I have never had a problem with my external hard drives or other computers. When I plugged in my external hard drive to the new computer to load and back up files, Bitlocker comes on and says my external drive is locked and wants the 48 digit key. The drive has never been locked, I have never used bitlocker and yet I can not access my backed up files because windows 10 pro says my drive is bitlocked. How do I get rid of bitlocker? Never have and never will use it, now it is keeping me from setting up my new computer and accessing my own backed up files!!!