DE v7.1 FAQ: Windows 8.1

Version 1

    General

     

    Q: What version of McAfee Drive Encryption (DE) will support Windows 8.1?

    DE v7.1 (the successor to EEPC) will be the first version to support Windows 8.1.

     

     

    Q: Will earlier versions of EEPC support Windows 8.1?

    No. Versions earlier than DE v7.1 will not support Windows 8.1.

     

     

    Q: But EEPC v7.0.x supported Windows 8.0. Why does it not support Windows 8.1?

    Only DE v7.1 has been tested with Windows 8.1, so it is the only version supported on it.

     

     

    Q: Does DE v7.1 have any new features specifically for Windows 8.x?

    Yes. DE v7.1 adds functionality to help harden systems against cold boot attacks. You can read more here: DE v7.1 FAQ: Hardening systems against cold boot attacks

     

    Also, there is a new method of AutoBoot called TPM AutoBoot. You can read more here: DE v7.1 FAQ: TPM AutoBoot

     

    Upgrading to Windows 8.1 with EEPC Enabled

     

    Q: Can I simply run the Microsoft Upgrade task to upgrade a Windows 8.0 system to Windows 8.1?

    No. The Microsoft upgrade lays down a new WIM image; it is essentially an OS refresh process rather than a traditional in-place upgrade or Service Pack installation.

     

     

    Q: But DE has a documented OS Refresh Process. Can I use that to upgrade from Windows 8.0 to Windows 8.1?

    Yes. You can use the documented DE OS Refresh process to perform the major OS upgrade to Windows 8.1 while keeping all existing data encrypted throughout the entire process.

     

     

    Q: Why do I need to use the DE OS Refresh process when, with BitLocker, I can simply upgrade the OS? Why the extra work?

    In short: security. Throughout the BitLocker upgrade process the volume key is stored on disk in the clear, which is effectively the same as disabling encryption, leaving your data open to theft.

     

    Worse still, a rogue administrator could insert a Trojan into the upgrade process that captures the key to this disk (and to any data volumes it auto-unlocks) and stores it for later abuse.

     

     

    Q: Ok, explain that a bit more technically?

    The process Microsoft documents starts by calling the Suspend-BitLocker cmdlet. Suspending BitLocker lets anyone access the encrypted data on the volume: the cmdlet adds a clear-key protector, so the volume master key is stored unencrypted in the volume metadata and the data is effectively unprotected.

     

    The upgrade then creates a hidden directory, c:\$Windows.~<uniquename>, and uses it to stage the new image. Next it boots into WinPE; because the suspended volume carries its key in the clear, WinPE can unlock it and apply the WIM overlay while preserving the sectors that hold the user's applications and data.

     

    Finally, once the refresh is complete, the staged files are made visible and BitLocker is resumed (Resume-BitLocker), which discards the clear key and restores protection to its previous state.

     

     

    Q: So does that mean that if the system was stolen while it was in this upgrade state that anyone would have access to all of the data on the disk?

    Yes. This is the essential security flaw in the BitLocker upgrade process.

     

     

    Q: All of that sounds very similar to the DE OS Refresh process?

    Yes. At a high level they are very similar, with one exception: in the DE OS Refresh process the encryption key is never exposed, and the data is never left in a state where third parties can access it.

     

    Device Encryption

     

    Q: Microsoft has talked about a new feature called Device Encryption. What is it?

    Device Encryption can be considered a cut-down, non-managed version of BitLocker.

     

     

    Q: Will Device Encryption be automatically enabled?

    Windows 8.1 will automatically enable Device Encryption if the hardware matches or exceeds its minimum hardware requirements.

     

     

    Q: What are the Device Encryption minimum requirements?

    Microsoft officially defines its minimum requirements, but at the time of publication of this FAQ Microsoft was listing the following:

    • Requires Support for the Secure Boot feature, which implies both UEFI support and 64-bit Windows.
    • Requires Trusted Platform Module (specifically a minimum of TPM 2.0)
    • Hardware and firmware support for Windows’ Connected Standby feature.
      • Connected Standby comes with its own set of hardware requirements, including
        • CPU Support for Connected Standby
        • A solid-state boot volume,
        • NDIS 6.30 support for all network interfaces,
        • Memory soldered to the motherboard
        • Etc.
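    A practitioner deciding whether a fleet will auto-enable Device Encryption wants to test these prerequisites rather than read them. The following PowerShell is an added example, not McAfee's or Microsoft's code. It assumes Windows 8.1 with an elevated session, reads the TPM spec version from the Win32_Tpm WMI class, infers Connected Standby support from the "Standby (Connected)" line in powercfg /a output, and matches the boot disk to its physical disk by disk number; all three are assumptions about the tooling, not facts stated in the FAQ.

```powershell
# Added example (not McAfee's or Microsoft's code): report whether this machine
# meets the Device Encryption prerequisites listed in the FAQ above.
# Run as Administrator on Windows 8.1.

function Test-DeviceEncryptionPrereqs {
    $result = [ordered]@{}

    # 64-bit Windows is implied by the Secure Boot requirement.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result['64-bit Windows'] = ($os.OSArchitecture -like '64*')

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not supported".
    try {
        $result['Secure Boot enabled (UEFI)'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result['Secure Boot enabled (UEFI)'] = $false
    }

    # TPM present; SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3" (assumption:
    # the first comma-separated field is the spec major/minor version).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpm -and $tpm.SpecVersion) { [double]($tpm.SpecVersion.Split(',')[0].Trim()) } else { 0 }
    $result['TPM present']      = [bool]$tpm
    $result['TPM 2.0 or later'] = ($specVersion -ge 2.0)

    # Connected Standby appears as an available sleep state in powercfg output
    # (assumption: the English string "Standby (Connected)").
    $sleepStates = (& powercfg.exe /a 2>&1) | Out-String
    $result['Connected Standby available'] = ($sleepStates -match 'Standby \(Connected\)')

    # Solid-state boot volume, one of the Connected Standby sub-requirements
    # (assumption: PhysicalDisk.DeviceId equals the Get-Disk disk number).
    $bootDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $physical = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq $bootDisk.Number }
    $result['SSD boot volume'] = ($physical.MediaType -eq 'SSD')

    # Any single failed check means Windows 8.1 will not auto-enable Device Encryption.
    $result['Meets all checked prerequisites'] = -not ($result.Values -contains $false)
    return [pscustomobject]$result
}

Test-DeviceEncryptionPrereqs | Format-List
```

    The script only covers the requirements the FAQ lists that can be queried from the OS; CPU silicon support, soldered memory and NDIS 6.30 drivers are folded into whether Connected Standby is actually offered by powercfg. A machine that reports "Meets all checked prerequisites: True" is one on which Device Encryption may switch itself on after the upgrade, which is exactly the case the last section of this FAQ warns about.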

     

     

    Q: Wow, that’s a whole list of minimum requirements. I guess that means that it will only work on the latest new hardware?

    Yes. Device Encryption has an extensive list of minimum requirements; if you don't have that hardware, which essentially means a brand-new system, it won't work.

     

     

    Q: So I guess that means it won’t automatically enable on my current/older hardware?

    Yes. If your system does not meet the minimum hardware requirements, Device Encryption will not automatically enable.

     

     

    Q: There is even CPU-specific support required for Device Encryption?

    Yes. The Connected Standby requirement is probably the most restrictive, since it needs support in the CPU silicon itself. Intel's Clover Trail and Bay Trail Atom chips, and certain Haswell SKUs, support Connected Standby; most Haswell chips, however, do not.

     

     

    Q: If I upgrade a Windows 7, or Windows 8.0 system to Windows 8.1, will it automatically enable Device Encryption?

    If you are upgrading an existing system, it is highly likely that it does not meet the minimum hardware requirements, so Device Encryption won't be enabled automatically. If the system does meet them, it will be enabled.

     

     

    Q: What happens if I deploy DE to a system that has Device Encryption automatically enabled?

    If your system meets the minimum hardware requirements for Device Encryption, it has been automatically enabled, and it has already encrypted the disk, the following will happen:

    • Pre-activation checks will determine that BitLocker is active (Remember Device Encryption is simply a non-managed version of BitLocker)
    • DE Activation will fail because the disk is already encrypted with BitLocker
    • This status will be reported back to ePO

     

     

    Q: So in the above example it won’t “brick” the system?

    No, it won't. It will detect that the disk is already encrypted, fail the DE activation, and report the information back to ePO.

     

     

    Q: What happens if I have a new system that meets the Device Encryption minimum hardware requirements, but has Windows 7 and DE installed, and I then decide to upgrade to Windows 8.1? What happens in that scenario?

    Unless you have signed in with a Microsoft account, the system will not try to enable Device Encryption. If you have signed in with a Microsoft account, Device Encryption will try to encrypt a disk that DE already encrypts, and the result is a bricked system.
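    Three points in this FAQ call for the same check from the administrator's side: the Suspend-BitLocker step that leaves the volume master key in the clear, the DE pre-activation check that fails when BitLocker or Device Encryption already owns the disk, and the scenario just above where Device Encryption switches itself on after the upgrade. The following PowerShell is an added example, not McAfee's or Microsoft's code. It uses only the BitLocker cmdlets (Get-BitLockerVolume, Resume-BitLocker) and standard registry cmdlets; the classification rules, and the use of the PreventDeviceEncryption registry value as a guard on a DE-managed system before the upgrade, are assumptions of this example and are not stated in the FAQ.

```powershell
# Added example (not McAfee's or Microsoft's code): audit BitLocker state before
# deploying DE or upgrading to Windows 8.1. Run as Administrator.

# Classify every BitLocker-capable volume. A volume whose status is not
# FullyDecrypted but whose protection is Off is the suspended state described
# in the FAQ: the volume master key is stored on disk in the clear.
function Get-BitLockerExposure {
    foreach ($vol in Get-BitLockerVolume) {
        $assessment = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Decrypted: DE can activate'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            'SUSPENDED: volume master key stored in the clear'
        } else {
            'Encrypted by BitLocker/Device Encryption: DE activation would fail'
        }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Assessment       = $assessment
        }
    }
}

# Resume protection on every suspended volume so the clear key is discarded
# (the same step the upgrade performs at the end, done immediately instead).
# Returns the mount points that were resumed.
function Resume-SuspendedVolumes {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off' } |
        ForEach-Object {
            Resume-BitLocker -MountPoint $_.MountPoint | Out-Null
            $_.MountPoint
        }
}

# Assumption of this example: setting PreventDeviceEncryption = 1 under the
# BitLocker control key before the upgrade stops Windows 8.1 from enabling
# Device Encryption on its own on a disk that DE already encrypts.
function Set-PreventDeviceEncryption {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'PreventDeviceEncryption' `
                     -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller can confirm it took effect.
    (Get-ItemProperty -Path $key -Name 'PreventDeviceEncryption').PreventDeviceEncryption
}

Get-BitLockerExposure | Format-Table -AutoSize
```

    Run Get-BitLockerExposure first: any line marked SUSPENDED is a disk whose contents are readable by whoever holds it, and Resume-SuspendedVolumes closes that window. Any line marked as encrypted by BitLocker or Device Encryption is a system on which DE activation will fail and report to ePO, so decrypt it (Disable-BitLocker) before deploying DE. Set-PreventDeviceEncryption is the guard for the last scenario above; apply it to DE-encrypted machines before the Windows 8.1 upgrade and confirm the returned value is 1.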