deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 15:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #5022 from MicrosoftDocs/master

Browse Source 
Publish 4/7/2021 10:30 AM PT
This commit is contained in:
Tina Burden 2021-04-07 10:35:31 -07:00 committed by GitHub
commit 176ce15ea6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 135 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/information-protection/TOC.md
View File

@ -7,8 +7,8 @@
#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md) #### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml) #### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml)
#### [Key management](bitlocker\bitlocker-key-management-faq.md) #### [Key management](bitlocker\bitlocker-key-management-faq.md)
#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md) #### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.yml)
#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md) #### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.yml)
#### [Security](bitlocker\bitlocker-security-faq.md) #### [Security](bitlocker\bitlocker-security-faq.md)
#### [BitLocker Network Unlock](bitlocker\bitlocker-network-unlock-faq.md) #### [BitLocker Network Unlock](bitlocker\bitlocker-network-unlock-faq.md)
#### [General](bitlocker\bitlocker-using-with-other-programs-faq.md) #### [General](bitlocker\bitlocker-using-with-other-programs-faq.md)

73
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
View File

@ -1,73 +0,0 @@
---
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker and Active Directory Domain Services (AD DS) FAQ
**Applies to**
- Windows 10
## What type of information is stored in AD DS?
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
## What if BitLocker is enabled on a computer before the computer has joined the domain?
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
```PowerShell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
```
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
## If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
## What happens if the backup initially fails? Will BitLocker retry it?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.

83
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml Normal file
View File

@ -0,0 +1,83 @@
### YamlMime:FAQ
metadata:
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
What type of information is stored in AD DS?
answer: |
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
- question: |
What if BitLocker is enabled on a computer before the computer has joined the domain?
answer: |
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
```PowerShell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
```
> [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
- question: |
Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
answer: |
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
- question: |
If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
answer: |
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
- question: |
What happens if the backup initially fails? Will BitLocker retry it?
answer: |
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.

6
windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
View File

@ -29,8 +29,8 @@ This topic links to frequently asked questions about BitLocker. BitLocker is a d
- [Upgrading](bitlocker-upgrading-faq.md) - [Upgrading](bitlocker-upgrading-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml) - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.md) - [Key management](bitlocker-key-management-faq.md)
- [BitLocker To Go](bitlocker-to-go-faq.md) - [BitLocker To Go](bitlocker-to-go-faq.yml)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.md) - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- [Security](bitlocker-security-faq.md) - [Security](bitlocker-security-faq.md)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md) - [BitLocker Network Unlock](bitlocker-network-unlock-faq.md)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md) - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md)
@ -45,4 +45,4 @@ This topic links to frequently asked questions about BitLocker. BitLocker is a d
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps) - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)

37
windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
View File

@ -1,37 +0,0 @@
---
title: BitLocker To Go FAQ (Windows 10)
description: "Learn more about BitLocker To Go: BitLocker drive encryption for removable drives."
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/10/2018
ms.custom: bitlocker
---
# BitLocker To Go FAQ
**Applies to**
- Windows 10
## What is BitLocker To Go?
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:
- USB flash drives
- SD cards
- External hard disk drives
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.

41
windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml Normal file
View File

@ -0,0 +1,41 @@
### YamlMime:FAQ
metadata:
title: BitLocker To Go FAQ (Windows 10)
description: "Learn more about BitLocker To Go"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/10/2018
ms.custom: bitlocker
title: BitLocker To Go FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: What is BitLocker To Go?
answer: |
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:
- USB flash drives
- SD cards
- External hard disk drives
- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.

9
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -31,8 +31,9 @@ Windows 10 prompts you for a BitLocker recovery password. However, you did not c
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue: The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.md#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) - [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.md)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
## The recovery password for a laptop was not backed up, and the laptop is locked ## The recovery password for a laptop was not backed up, and the laptop is locked
@ -201,9 +202,9 @@ To reset the PCR settings on the TPM, follow these steps:
You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
> [!IMPORTANT] > [!IMPORTANT]
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: > TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values:
> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes. > - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. > - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection.
To suspend BitLocker while you install TPM or UEFI firmware updates: To suspend BitLocker while you install TPM or UEFI firmware updates: