T1025 Data from Removable Media Mappings

BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like UEFI Secure Boot (Intel BootGuard), and TPM (Intel PTT). Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.

BitLocker uses TPM (Intel PTT) to bind the volume encryption keys for full disk encryption (FDE), Intel AES-NI to accelerate the encryption/decryption process, and Intel BootGuard to ensure operating system components are not compromised during boot. BitLocker also can add pre-boot authentication (like PIN) to access the decryption keys used for FDE. BitLocker relies on Intel BootGuard and the TPM (Intel PTT) to ensure none of the boot components or the OS components are tampered with before releasing the BitLocker key. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker also uses Intel PTT to check integrity of early boot components, configuration data as well as OS components preventing attacks that perform modifications of those components. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like UEFI Secure Boot (Intel BootGuard), and TPM (Intel PTT). Windows 11 Personal Data Encryption (PDE) uses Intel PTT (TPM), Intel AES-NI, Intel BootGuard to ensure operating system components are not compromised until the Windows Sign-in screen at which point Windows Hello for Business is used in conjunction with Microsoft Entra to authenticate the user and open the container with the encryption keys used to secure the user's personal data. Bitlocker features are used to then encrypt or decrypt that data utilizing those keys. PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. PDE refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by PDE. When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. PDE provides real-time protection against adversaries exfiltrating data at rest in removable media. In some cases, data is protected at rest until the user logs in, and is marked partial for such cases.