diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md index 885e4211f1..07a6248c49 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md 
@@ -44,3 +44,78 @@ The recovery password and be invalidated and reset in two ways: > [!WARNING] > The braces `{}` must be included in the ID string. + + +## Example: retrieve the BitLocker recovery password protector for the OS volume + +```PowerShell +(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword +``` + +## Example: add a BitLocker recovery password protector for the OS volume + +```PowerShell +Add-BitLockerKeyProtector -MountPoint -mountpoint $env:SystemDrive -RecoveryPasswordProtector +``` + +## Example: Remove a BitLocker key protector + +```PowerShell +Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{GUID}" +``` + +## Backup a recovery password + +```PowerShell +(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword +BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{GUID}" +``` + +## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device + +``` PowerShell +function Get-EntraBitLockerKeys{ + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")] + [string]$DeviceName + ) + $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId + if ($DeviceID){ + $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id + if ($keyIds) { + Write-Host -ForegroundColor Yellow "Device name: $devicename" + foreach ($keyId in $keyIds) { + $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key + Write-Host -ForegroundColor White " Key id: $keyid" + Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" + } + } else { + Write-Host -ForegroundColor Red "No BitLocker recovery keys 
found for device $DeviceName" + } + } else { + Write-Host -ForegroundColor Red "Device $DeviceName not found" + } +} + +Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force +Import-Module Microsoft.Graph.Identity.SignIns +Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome +``` + +### Output example + +``` PowerShell +PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI +Device name: DESKTOP-53O32QI + Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4 + BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579 + Key id: 045219ec-a53b-41ae-b310-08ec883aaedd + BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773 + Key id: 69622eba-9068-449d-bc94-53e375cf5d58 + BitLocker recovery key: 117612-564564-392623-622424-499697-461120-039083-522236 + Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec + BitLocker recovery key: 230428-214104-446864-180785-025949-078650-715165-409893 + Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4 + BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682 +``` diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md index 113803d374..0508673a83 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md 
@@ -61,52 +61,3 @@ For a complete list of the `repair-bde.exe` options, see the [Repair-bde referen By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). --> - -## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device - -``` PowerShell -function Get-EntraBitLockerKeys{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")] - [string]$DeviceName - ) - $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId - if ($DeviceID){ - $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id - if ($keyIds) { - Write-Host -ForegroundColor Yellow "Device name: $devicename" - foreach ($keyId in $keyIds) { - $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key - Write-Host -ForegroundColor White " Key id: $keyid" - Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" - } - } else { - Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName" - } - } else { - Write-Host -ForegroundColor Red "Device $DeviceName not found" - } -} - -Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force -Import-Module Microsoft.Graph.Identity.SignIns -Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome -``` - -### Output example - -``` PowerShell -PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI -Device name: DESKTOP-53O32QI - Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4 - BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579 - Key id: 045219ec-a53b-41ae-b310-08ec883aaedd - BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773 - Key id: 69622eba-9068-449d-bc94-53e375cf5d58 - BitLocker 
recovery key: 117612-564564-392623-622424-499697-461120-039083-522236 - Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec - BitLocker recovery key: 230428-214104-446864-180785-025949-078650-715165-409893 - Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4 - BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682 -``` \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md index 92b891f80d..24143d6045 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md @@ -12,7 +12,7 @@ ms.date: 09/29/2023 During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. -### Custom recovery message +## Custom recovery message :::row::: :::column span="3"::: @@ -25,7 +25,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few For more information, see [Configure preboot recovery message and URL](policy-settings.md?tabs=os#configure-preboot-recovery-message-and-url). -### BitLocker recovery key hints +## BitLocker recovery key hints :::row::: :::column span="3"::: 
@@ -51,37 +51,26 @@ There are rules governing which hint is shown during the recovery (in the order 1. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, **Contact your organization's help desk**, is displayed 1. If two recovery keys are present on the disk, but only one was successfully backed up, the system asks for a key that was backed up, even if another key is newer -#### Example 1 (single recovery key with single backup) +### Example: single recovery key for Microsoft account and single backup :::row::: :::column span="3"::: -| Custom URL | Yes | -|----------------------------|-----| -| Saved to Microsoft Account | Yes | -| Saved to Azure AD | No | -| Saved to Active Directory | No | -| Printed | No | -| Saved to file | No | -**Result:** The hints for the Microsoft account and custom URL are displayed. + +In this scenario, the following options are configured: + +- Custom URL +- Recovery password: saved to Microsoft Account + - not printed + - not saved to file + :::column-end::: :::column span="1"::: + **Result:** The hints for the Microsoft account and custom URL are displayed: :::image type="content" source="images/rp-example1.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/rp-example1.png"::: :::column-end::: :::row-end::: -| Custom URL | Yes | -|----------------------------|-----| -| Saved to Microsoft Account | Yes | -| Saved to Azure AD | No | -| Saved to Active Directory | No | -| Printed | No | -| Saved to file | No | - -**Result:** The hints for the Microsoft account and custom URL are displayed. - -![Example 1 of Customized BitLocker recovery screen.](images/rp-example1.png) - -#### Example 2 (single recovery key with single backup) +### Example: single recovery key in AD DS and single backup | Custom URL | Yes | |----------------------------|-----| 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md index 322c07dbd6..d7a8008b7c 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md @@ -43,3 +43,4 @@ The following procedures describe the most common tasks performed by using the B 1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password** 1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search** 1. Once the recovery password is located, you can use the previous procedure to copy it + diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 3315c44c71..ae04c18ec7 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml @@ -17,8 +17,8 @@ items: href: network-unlock.md - name: Cluster shared volumes and storage area networks href: csv-san.md - - name: BitLocker operations guide - href: operations-guide.md +- name: BitLocker operations guide + href: operations-guide.md - name: BitLocker recovery guide items: - name: Overview of BitLocker recovery methods
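Review bot: in the recovery-guide-password-reset.md hunk, the "add a BitLocker recovery password protector" snippet `Add-BitLockerKeyProtector -MountPoint -mountpoint $env:SystemDrive -RecoveryPasswordProtector` names the mount-point parameter twice and will not bind; it should be `Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector`. In the "Backup a recovery password" block the first line ends in `ft`, so the KeyProtectorId it prints can only be pasted by hand into the `"{GUID}"` placeholder on the next line; select it in code instead, e.g. `$rp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'` followed by `BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp.KeyProtectorId`, and give that heading the same `## Example:` prefix as its siblings. The `Get-EntraBitLockerKeys` function calls `Get-MgDevice`, which ships in Microsoft.Graph.Identity.DirectoryManagement and needs a device-read permission such as Device.Read.All, but the block installs only Microsoft.Graph.Identity.SignIns and requests only `BitlockerKey.Read.All`, so the first call fails before any key is read; it also interpolates `$DeviceName` straight into the OData filter (a `'` in the name breaks the query; double it), and when several devices share a display name `$DeviceID` becomes an array and `"deviceId eq '$DeviceId'"` silently matches nothing. Prefer returning objects over `Write-Host` for the recovery keys, since host output lands in any active PowerShell transcript and cannot be piped to a store. Smaller items: the `Remove-BitLockerKeyProtector` example hardcodes `C:` while the others use `$env:SystemDrive`, the fences mix `PowerShell` and ` PowerShell` info strings, and the unchanged context line "The recovery password and be invalidated" should read "can be invalidated" while you are in the file.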
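Review bot: the recovery-guide-repair-tool.md hunk removes the Entra key-retrieval example that the password-reset hunk re-adds verbatim, so the defects it carries (the `Get-MgDevice` module and permission that are never installed or requested, the unescaped `displayName eq '$DeviceName'` filter) move with it unchanged; fix them in the new location rather than copying as-is. After the removal the page ends on the `-->` that closes a commented-out paragraph about only Domain Admins having access to recovery information by default; either surface that text, since it is the one remaining statement of who can read recovery passwords, or delete the dead comment so the file does not end in hidden markup.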
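Review bot: in the recovery-guide-screen.md @@ -51,37 hunk, the bullet list that replaces the first example's table drops the `Saved to Azure AD | No` and `Saved to Active Directory | No` rows, yet the numbered rules immediately above make the displayed hint depend on exactly those backup locations (there is no specific hint for keys in on-premises Active Directory), so the list no longer states the condition that yields "The hints for the Microsoft account and custom URL are displayed"; add a bullet such as `- not backed up to Microsoft Entra ID or AD DS` under the recovery-password item. The second example is retitled `### Example: single recovery key in AD DS and single backup` but keeps the old `| Custom URL | Yes |` table, leaving consecutive examples in two formats; convert it the same way or keep both as tables. Removing the duplicated table and image under the old Example 1 is correct. Minor: the heading says `Microsoft account` while the bullet says `Microsoft Account`.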
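Review bot: the recovery-password-viewer.md hunk appends only a blank line after the last numbered step; unless the file was missing its trailing newline, drop this whitespace-only change so the diff stays limited to content edits.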
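Review bot: in the toc.yml hunk, de-indenting `- name: BitLocker operations guide` / `href: operations-guide.md` promotes it from a child of the preceding group to a top-level entry alongside `BitLocker recovery guide`; that is a navigation change, not an indentation fix, so confirm it is intended and say so in the PR description. Also verify the file still parses after the shift, since a two-space change in YAML is what decides nesting here.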