Q: How can I turn Windows 8.1 Device Encryption on or off? Is it turned on by default? Can we control Device Encryption centrally using GPO settings?
A: If you have performed a clean install of Windows 8.1, Device Encryption is turned on by default. If you have upgraded your system from a previous Windows installation, you can turn Device Encryption on by using PC Info.
To open PC Info, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings. In the Device Encryption section, you can then select Turn On or Turn Off.
Organizations that do not want to use Device Encryption at all can control its behavior on their Windows 8.1 systems using the PreventDeviceEncryption registry setting. This setting is located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker registry key and must be set to the value 1 (True) to block Device Encryption. You can use a Group Policy Object (GPO) to set it on all your Windows 8.1 systems.
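To spot-check a machine after the GPO has applied, the following PowerShell script reads the PreventDeviceEncryption value, optionally sets it, and reports the encryption state of the system volume. It is an added example, not code from the original article; the `-Enforce` switch, the helper function name, and the use of a DWORD value type are assumptions made for illustration.

```powershell
# Added example: audit (and optionally set) PreventDeviceEncryption on the local machine.
# Run from an elevated PowerShell prompt. The -Enforce switch is a name chosen for this example.
param([switch]$Enforce)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$valueName = 'PreventDeviceEncryption'

function Get-PreventDeviceEncryption {
    # Returns the current value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

$before = Get-PreventDeviceEncryption

if ($Enforce -and $before -ne 1) {
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Assumption: the value is stored as a DWORD; the article only states the value 1 (True).
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

$after = Get-PreventDeviceEncryption

# Report whether the system volume is already encrypted, so an administrator can
# see machines where encryption was turned on before the setting was applied.
$volumeStatus = 'BitLocker cmdlets not available'
$protection   = 'n/a'
if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol) {
        $volumeStatus = $vol.VolumeStatus
        $protection   = $vol.ProtectionStatus
    }
}

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    ValueBefore             = if ($null -eq $before) { 'not set' } else { $before }
    ValueAfter              = if ($null -eq $after)  { 'not set' } else { $after }
    DeviceEncryptionBlocked = ($after -eq 1)
    SystemVolumeStatus      = $volumeStatus
    ProtectionStatus        = $protection
}
```

Run without `-Enforce`, the script only reports and changes nothing.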
Jan De Clercq is a member of HP’s Technology Consulting IT Assurance Portfolio team. He focuses on cloud security, identity and access management, architecture for Microsoft-rooted IT infrastructures, and the security of Microsoft products. He's the author of Windows Server 2003 Security Infrastructures (Digital Press) and coauthor of Microsoft Windows Security Fundamentals (Digital Press) and Cloud Computing Protected: Security Assessment Handbook (Recursive Press).