updates

windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md

@@ -44,3 +44,78 @@ The recovery password and be invalidated and reset in two ways:
 
     > [!WARNING]
     > The braces `{}` must be included in the ID string.
+
+
+## Example: retrieve the BitLocker recovery password protector for the OS volume
+
+```PowerShell
+(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword
+```
+
+## Example: add a BitLocker recovery password protector for the OS volume
+
+```PowerShell
+Add-BitLockerKeyProtector -MountPoint -mountpoint $env:SystemDrive -RecoveryPasswordProtector
+```
+
+## Example: Remove a BitLocker key protector
+
+```PowerShell
+Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{GUID}"
+```
+
+## Backup a recovery password
+
+```PowerShell
+(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword
+BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{GUID}"
+```
+
+## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
+
+``` PowerShell
+function Get-EntraBitLockerKeys{
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")]
+        [string]$DeviceName
+    )
+    $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId
+    if ($DeviceID){
+      $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id
+      if ($keyIds) {
+        Write-Host -ForegroundColor Yellow "Device name: $devicename"
+        foreach ($keyId in $keyIds) {
+          $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
+          Write-Host -ForegroundColor White " Key id: $keyid"
+          Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" 
+        }
+        } else {
+        Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
+      }
+    } else {
+        Write-Host -ForegroundColor Red "Device $DeviceName not found"
+    }
+}
+
+Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force
+Import-Module Microsoft.Graph.Identity.SignIns
+Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome
+```
+
+### Output example
+
+``` PowerShell
+PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI
+Device name: DESKTOP-53O32QI
+ Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4
+ BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579
+ Key id: 045219ec-a53b-41ae-b310-08ec883aaedd
+ BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773
+ Key id: 69622eba-9068-449d-bc94-53e375cf5d58
+ BitLocker recovery key: 117612-564564-392623-622424-499697-461120-039083-522236
+ Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec
+ BitLocker recovery key: 230428-214104-446864-180785-025949-078650-715165-409893
+ Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4
+ BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682
+```

windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md

@@ -61,52 +61,3 @@ For a complete list of the `repair-bde.exe` options, see the [Repair-bde referen
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
 -->
-
-## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
-
-``` PowerShell
-function Get-EntraBitLockerKeys{
-    [CmdletBinding()]
-    param (
-        [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")]
-        [string]$DeviceName
-    )
-    $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId
-    if ($DeviceID){
-      $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id
-      if ($keyIds) {
-        Write-Host -ForegroundColor Yellow "Device name: $devicename"
-        foreach ($keyId in $keyIds) {
-          $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
-          Write-Host -ForegroundColor White " Key id: $keyid"
-          Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" 
-        }
-        } else {
-        Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
-      }
-    } else {
-        Write-Host -ForegroundColor Red "Device $DeviceName not found"
-    }
-}
-
-Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force
-Import-Module Microsoft.Graph.Identity.SignIns
-Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome
-```
-
-### Output example
-
-``` PowerShell
-PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI
-Device name: DESKTOP-53O32QI
- Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4
- BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579
- Key id: 045219ec-a53b-41ae-b310-08ec883aaedd
- BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773
- Key id: 69622eba-9068-449d-bc94-53e375cf5d58
- BitLocker recovery key: 117612-564564-392623-622424-499697-461120-039083-522236
- Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec
- BitLocker recovery key: 230428-214104-446864-180785-025949-078650-715165-409893
- Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4
- BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682
-```

windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md

@@ -12,7 +12,7 @@ ms.date: 09/29/2023
 
 During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
 
-### Custom recovery message
+## Custom recovery message
 
 :::row:::
   :::column span="3":::
@@ -25,7 +25,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few
 
 For more information, see [Configure preboot recovery message and URL](policy-settings.md?tabs=os#configure-preboot-recovery-message-and-url).
 
-### BitLocker recovery key hints
+## BitLocker recovery key hints
 
 :::row:::
   :::column span="3":::
@@ -51,37 +51,26 @@ There are rules governing which hint is shown during the recovery (in the order
 1. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, **Contact your organization's help desk**, is displayed
 1. If two recovery keys are present on the disk, but only one was successfully backed up, the system asks for a key that was backed up, even if another key is newer
 
-#### Example 1 (single recovery key with single backup)
+### Example: single recovery key for Microsoft account and single backup
 
 :::row:::
   :::column span="3":::
-| Custom URL                 | Yes |
-|----------------------------|-----|
-| Saved to Microsoft Account | Yes |
-| Saved to Azure AD          | No  |
-| Saved to Active Directory  | No  |
-| Printed                    | No  |
-| Saved to file              | No  |
-**Result:** The hints for the Microsoft account and custom URL are displayed.
+
+In this scenario, the following options are configured:
+
+- Custom URL
+- Recovery password: saved to Microsoft Account
+  - not printed
+  - not saved to file  
+
   :::column-end:::
   :::column span="1":::
+  **Result:** The hints for the Microsoft account and custom URL are displayed:
   :::image type="content" source="images/rp-example1.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/rp-example1.png":::
   :::column-end:::
 :::row-end:::
 
-| Custom URL                 | Yes |
-|----------------------------|-----|
-| Saved to Microsoft Account | Yes |
-| Saved to Azure AD          | No  |
-| Saved to Active Directory  | No  |
-| Printed                    | No  |
-| Saved to file              | No  |
-
-**Result:** The hints for the Microsoft account and custom URL are displayed.
-
-![Example 1 of Customized BitLocker recovery screen.](images/rp-example1.png)
-
-#### Example 2 (single recovery key with single backup)
+### Example: single recovery key in AD DS and single backup
 
 | Custom URL                 | Yes |
 |----------------------------|-----|

windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md

@@ -43,3 +43,4 @@ The following procedures describe the most common tasks performed by using the B
 1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password**
 1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search**
 1. Once the recovery password is located, you can use the previous procedure to copy it
+

windows/security/operating-system-security/data-protection/bitlocker/toc.yml

@@ -17,8 +17,8 @@ items:
       href: network-unlock.md
     - name: Cluster shared volumes and storage area networks
       href: csv-san.md
-    - name: BitLocker operations guide
-      href: operations-guide.md
+- name: BitLocker operations guide
+  href: operations-guide.md
 - name: BitLocker recovery guide
   items:
     - name: Overview of BitLocker recovery methods