Allow Secure Boot for integrity validation | Configures whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC’s pre-boot environment only loads digitally signed firmware. |
Configure Windows SmartScreen | Manages the behavior of Windows SmartScreen. |
Start Windows Explorer with ribbon minimized | This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. |
Set Cost | Configures the cost of Wireless LAN connections on the local machine. If enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of these connections. (There are related policies, Set 3G Cost and Set 4G Cost, for cellular data connections.) |
Turn off tile notifications | If enabled, apps and system features will not be able to update their tiles and tile badges in the Start screen. |
Turn off toast notifications | If enabled, apps will not be able to raise toast notifications. (This policy does not affect taskbar notification balloons.) |
Turn off toast notifications on the lock screen | If enabled, apps will not be able to raise toast notifications on the lock screen. |
Disk Encryption
Windows 8 supports a number of disk encryption technologies, which prevent thieves from accessing sensitive data should your computer be physically stolen: if a thief removes your hard drive and attaches it to a different computer, the encrypted files cannot be read even if the thief finds a way to access the drive’s filesystem. There are two major technologies at play here: the older Encrypting File System, or EFS, and BitLocker, a more modern and more easily managed system.
When files are copied or moved out of an encrypted folder, the encryption is retained unless you move them to a location where encryption is not supported, such as to another machine on your home network.
EFS, while still available in Windows 8, has been somewhat deprecated. It was created as a way to encrypt individual files or, more commonly, a folder. With the latter approach, encryption works both for new files and for those that were present when the folder was encrypted. That is, as you add new files to the encrypted folder, those files are automatically encrypted.
To encrypt a folder with EFS, right-click it and choose Properties from the menu that appears. Then, in the Properties window that appears, click the Advanced button. In the Advanced Attributes window shown in Figure 14-4, select the option titled Encrypt contents to secure data.
Figure 14-4: Encrypting an individual file or folder is easy and generally quite fast.
When you click OK (or Apply), you’ll be asked to make the change to the folder only (which includes all of its contained files) or to the folder and any of its subfolders and their contents. Windows will encrypt the appropriate items and immediately suggest that you back up your encryption certificate and key, which are required for recovery should you try to access the folder contents later from a different PC or after a future reinstall of Windows. Microsoft recommends backing these items up to removable media. But we’d go a step further and make copies in multiple places, including cloud storage like SkyDrive.
Encrypted folders are easily identified later: When you open an encrypted folder, you’ll see that all of the enclosed files have a green (rather than black) filename. This is a visual indicator that they’re encrypted.
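The same steps carried out from PowerShell, as an added example that is not the book's own code: it marks a folder for EFS, confirms that a new file and a copy of it on the same NTFS volume carry the Encrypted attribute (the bit behind the green filename), and exports the EFS certificate and key as the backup Windows prompts for. The folder names Private, Plain and EFS-Backup are placeholders chosen for this example; Test-EfsEncrypted is a helper written here, and the script assumes Windows 8 or later on an NTFS volume.

```powershell
# Added example (not the book's code): EFS from PowerShell.
# Assumptions: Windows 8 or later, NTFS volume; the three folder names below
# are placeholders made up for this example.

$private = Join-Path $env:USERPROFILE 'Private'     # folder to encrypt
$plain   = Join-Path $env:USERPROFILE 'Plain'       # ordinary folder on the same volume
$backup  = Join-Path $env:USERPROFILE 'EFS-Backup'  # where the .pfx backup goes
New-Item -ItemType Directory -Force -Path $private, $plain, $backup | Out-Null

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is what File Explorer renders as a green name.
    return [System.IO.File]::GetAttributes($Path).HasFlag([System.IO.FileAttributes]::Encrypted)
}

# 1. Mark the folder so that files added to it are encrypted. This is the
#    "this folder only" choice from the dialog; the folder is new and empty here.
#    To also encrypt existing subfolders and files, use: cipher.exe /e /s:<folder> /a
[System.IO.File]::Encrypt($private)
"Folder encrypted: $(Test-EfsEncrypted $private)"

# 2. New files dropped into the folder are encrypted automatically.
$note = Join-Path $private 'notes.txt'
Set-Content -Path $note -Value 'constructed sample text'
"New file encrypted: $(Test-EfsEncrypted $note)"

# 3. A copy to an ordinary folder on the same NTFS volume keeps its encryption.
$copy = Join-Path $plain 'notes-copy.txt'
Copy-Item -Path $note -Destination $copy
"Copy still encrypted: $(Test-EfsEncrypted $copy)"

# 4. Back up the EFS certificate and private key. Encrypting for the first time
#    creates a self-signed certificate with the Encrypting File System EKU in the
#    user's store; this takes the newest one (assumes a single-user setup).
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $efsOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($efsCert) {
    $pw = Read-Host -Prompt 'Password to protect the .pfx backup' -AsSecureString
    Export-PfxCertificate -Cert $efsCert -FilePath (Join-Path $backup 'efs-recovery.pfx') -Password $pw | Out-Null
    "EFS certificate $($efsCert.Thumbprint) exported to $backup"
} else {
    Write-Warning 'No EFS certificate with a private key found in Cert:\CurrentUser\My'
}

# 5. List which files under the folder are encrypted (the same information as the green names).
Get-ChildItem $private -Recurse -File |
    Select-Object FullName, @{ n = 'Encrypted'; e = { Test-EfsEncrypted $_.FullName } }
```

Run it as the user who owns the files. The exported .pfx is the item to import on another PC or after a reinstall, so copy it to more than one place, as the text advises; the built-in cipher.exe /x command produces the same backup interactively.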
BitLocker and BitLocker To Go
EFS is good for what it is, but it has a few limitations. First, it’s ponderous to encrypt an entire hard disk with this technology since it only works with individual folders and files; a set-it-and-forget-it whole-disk encryption makes more sense. And second, EFS only provides software-based encryption services. A technology that integrates with on-PC security chipsets would be far more difficult, impossible really, to crack. And finally, EFS encryption sticks with files as they travel around. It would be nice if the encryption was automatically removed if a file was copied or moved from an EFS-protected folder.
Enter BitLocker and its baby brother, BitLocker To Go. They’re both managed from the same control panel, but use slightly different technologies under the hood. From a usability perspective, BitLocker is used with fixed disks—those disks mounted inside your computer—while BitLocker To Go serves the needs of external, removable disks.
Like EFS, BitLocker enables you to encrypt data on your hard drive to protect it in the event of physical theft. But BitLocker offers a few unique twists:
• BitLocker is full-disk encryption, not per-file or folder encryption. If you enable BitLocker on a disk, it encrypts the entire hard disk, and all future files that are added to that drive are silently encrypted as well.
• BitLocker can also provide full-disk encryption services to both system and non-system partitions, so in addition to encrypting the entire hard disk on which Windows 8 is installed, you can encrypt any other partitions, too.
• BitLocker protects vital Windows system files during boot-up: If BitLocker discovers a security risk, such as a change to any startup files (which might indicate that the hard drive was stolen and placed in a different machine), it will lock the system until you enter your BitLocker recovery key or password (discussed shortly).
• BitLocker works in conjunction with Trusted Platform Module (TPM) security hardware in some PCs to provide a more secure solution than is possible with a software-only encryption routine. No hacker will defeat a BitLocker-protected hard disk.
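An added example, not the book's code, that inventories the BitLocker features listed above from PowerShell: whether a TPM is present and Secure Boot is on (the integrity providers the first policy in the table and the last bullet refer to), which volumes are fixed (BitLocker) or removable (BitLocker To Go), their protection state, and which key protectors exist, including the recovery password the lockout prompt asks for. It uses the BitLocker, TrustedPlatformModule, Storage and SecureBoot modules that ship with Windows 8 and later; the three functions and the checklist in Test-OsVolumeProtection are this example's own, not something the book prescribes.

```powershell
# Added example (not the book's code): BitLocker and platform inventory.
# Run from an elevated PowerShell prompt on Windows 8 or later.
Import-Module BitLocker, TrustedPlatformModule -ErrorAction Stop

function Get-PlatformSecurityState {
    # TPM: the security hardware BitLocker binds the OS volume key to.
    $tpm = Get-Tpm
    # Secure Boot is a UEFI feature; Confirm-SecureBootUEFI throws on legacy BIOS.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        SecureBoot = $secureBoot
    }
}

function Get-BitLockerInventory {
    foreach ($bv in Get-BitLockerVolume) {
        # Get-Volume's DriveType separates fixed disks (BitLocker) from removable
        # ones (BitLocker To Go); volumes without a drive letter are reported as Unknown.
        $letter = $bv.MountPoint.TrimEnd(':')
        $vol = $null
        if ($letter.Length -eq 1) { $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Drive      = $bv.MountPoint
            DriveType  = if ($vol) { $vol.DriveType } else { 'Unknown' }
            VolumeType = $bv.VolumeType          # OperatingSystem or Data
            Protection = $bv.ProtectionStatus    # On or Off
            Status     = $bv.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            Percent    = $bv.EncryptionPercentage
            Method     = $bv.EncryptionMethod
            Protectors = ($bv.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
        }
    }
}

function Test-OsVolumeProtection {
    # Checklist for this example: the OS volume should be protected, bound to the
    # TPM, and carry a recovery password (what the lockout screen asks for).
    $os    = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $types = @($os.KeyProtector | ForEach-Object KeyProtectorType)
    $findings = @()
    if ($os.ProtectionStatus -ne 'On')                       { $findings += 'OS volume is not protected' }
    if (-not ($types | Where-Object { $_ -like 'Tpm*' }))   { $findings += 'No TPM-bound key protector' }
    if ('RecoveryPassword' -notin $types)                    { $findings += 'No recovery password protector' }
    if ($findings.Count -eq 0) { 'OK: OS volume protected by the TPM with a recovery password' } else { $findings }
}

Get-PlatformSecurityState
Get-BitLockerInventory | Format-Table -AutoSize
Test-OsVolumeProtection
```

A Tpm* protector with no RecoveryPassword protector is the case to watch for: the startup-file check in the bullets above will lock the machine, and without an escrowed recovery password there is nothing to type at the prompt.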