Merge pull request #9955 from paolomatarazzo/pm-8513178-bitlocker

[BitLocker] - 24H2 - Additional recovery information screen
Stacyrch140 2024-06-24 13:49:27 -04:00 committed by GitHub
commit 177816284c
GPG Key ID: B5690EEEBB952194
15 changed files with 145 additions and 30 deletions

View File

@ -1,8 +1,8 @@
--- ---
title: BCD settings and BitLocker title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker. description: Learn how BCD settings are used by BitLocker.
ms.topic: reference ms.topic: reference
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# Boot Configuration Data settings and BitLocker # Boot Configuration Data settings and BitLocker

View File

@ -2,7 +2,7 @@
title: Configure BitLocker title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO). description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# Configure BitLocker # Configure BitLocker

View File

@ -1,8 +1,8 @@
--- ---
title: BitLocker countermeasures title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key. description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article ms.topic: concept-article
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker countermeasures # BitLocker countermeasures

View File

@ -2,7 +2,7 @@
title: Protect cluster shared volumes and storage area networks with BitLocker title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker. description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>

View File

@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions. description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq ms.topic: faq
ms.date: 10/30/2023 ms.date: 06/18/2024
title: BitLocker FAQ title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions. summary: Learn more about BitLocker by reviewing the frequently asked questions.

Binary file not shown.


View File

@ -2,7 +2,7 @@
title: BitLocker overview title: BitLocker overview
description: Learn about BitLocker practical applications and requirements. description: Learn about BitLocker practical applications and requirements.
ms.topic: overview ms.topic: overview
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker overview # BitLocker overview

View File

@ -2,7 +2,7 @@
title: Install BitLocker on Windows Server title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server. description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>

View File

@ -1,8 +1,8 @@
--- ---
title: Network Unlock title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it. description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# Network Unlock # Network Unlock
@ -255,7 +255,7 @@ The subnet policy configuration file must use a `[SUBNETS]` section to identify
```ini ```ini
[SUBNETS] [SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28 SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
``` ```
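Review bot: the old and new sides of this `[SUBNETS]` hunk read identically, so the change is whitespace-only (the same holds for the other hunks in this PR whose two sides match); if the intent was only the `ms.date` bump, consider dropping the unrelated whitespace churn so the diff shows just the metadata change, or mention the cleanup in the PR description.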

View File

@ -2,7 +2,7 @@
title: BitLocker operations guide title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker. description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker operations guide # BitLocker operations guide
@ -239,7 +239,7 @@ Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw
**Example**: Use PowerShell to enable BitLocker with a TPM protector **Example**: Use PowerShell to enable BitLocker with a TPM protector
```powershell ```powershell
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
``` ```
**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*: **Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:

View File

@ -2,7 +2,7 @@
title: BitLocker planning guide title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization. description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article ms.topic: concept-article
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker planning guide # BitLocker planning guide

View File

@ -2,14 +2,14 @@
title: BitLocker preboot recovery screen title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status. description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article ms.topic: concept-article
ms.date: 10/30/2023 ms.date: 06/19/2024
--- ---
# BitLocker preboot recovery screen # BitLocker preboot recovery screen
During BitLocker recovery, the *preboot recovery screen* can display a custom recovery message, a custom recovery URL, and a few hints to help users finding where a key can be retrieved from. During BitLocker recovery, the *preboot recovery screen* is a critical touchpoint for users, offering a custom recovery message tailored to the organization's needs, a direct recovery URL for additional support, and strategic hints to assist users in locating their recovery key.
This article describes the information displayed in the preboot recovery screen depending on configured policy settings and recovery keys status. This article delves into the various elements displayed on the preboot recovery screen, detailing how policy settings and the status of recovery keys influence the information presented. Whether it's a personalized message or practical guidance, the preboot recovery screen is designed to streamline the recovery process for users
## Default preboot recovery screen ## Default preboot recovery screen
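Review bot: the rewritten second paragraph ends without a period ("streamline the recovery process for users"), and the new intro drifts into promotional phrasing ("critical touchpoint", "strategic hints", "empowering") that the rest of these articles avoid; the original wording ("can display a custom recovery message, a custom recovery URL, and a few hints to help users find where a key can be retrieved from") is more precise, since the URL is an admin-configured custom URL rather than a "direct recovery URL for additional support". Also note this file's `ms.date` is bumped to 06/19/2024 while every other file in the PR uses 06/18/2024; align them unless the difference is intentional.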
@ -72,10 +72,10 @@ There are rules governing which hint is shown during the recovery (in the order
:::row::: :::row:::
:::column span="2"::: :::column span="2":::
In this scenario, the recovery password is saved to a file In this scenario, the recovery password is saved to a file
> [!IMPORTANT] > [!IMPORTANT]
> It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup. > It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
:::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false"::: :::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false":::
@ -92,7 +92,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft account - saved to Microsoft account
- not printed - not printed
- not saved to a file - not saved to a file
**Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed. **Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
@ -110,7 +110,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Active Directory - saved to Active Directory
- not printed - not printed
- not saved to a file - not saved to a file
**Result:** only the custom URL is displayed. **Result:** only the custom URL is displayed.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
@ -129,7 +129,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft Entra ID - saved to Microsoft Entra ID
- printed - printed
- saved to file - saved to file
**Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed. **Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
@ -149,12 +149,12 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to file - saved to file
- creation time: **1PM** - creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4** - key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
The recovery password #2 is: The recovery password #2 is:
- not backed up - not backed up
- creation time: **3PM** - creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD** - key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
**Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key. **Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
@ -175,15 +175,130 @@ There are rules governing which hint is shown during the recovery (in the order
- Saved to Microsoft Entra ID - Saved to Microsoft Entra ID
- creation time: **1PM** - creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4** - key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
The recovery password #2 is: The recovery password #2 is:
- Saved to Microsoft Entra ID - Saved to Microsoft Entra ID
- creation time: **3PM** - creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD** - key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
**Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed. **Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
:::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false"::: :::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
## Additional recovery information screen
Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen enhances the recovery error information. The recovery screen provides more detailed information about the nature of the recovery error, empowering users to better understand and address the issue.
:::row:::
:::column span="2":::
Users have the option to review additional information about the recovery error by pressing the <Kbd>Alt</kbd> key.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional.png" alt-text="Screenshot of the BitLocker recovery screen highlighting the Alt keyboard button to access the recovery information screen." lightbox="images/preboot-recovery-additional.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
The **Additional recovery information** screen contains an *error category* and a *code*, which you can use to retrieve more details from the next section of this article.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-additional-recovery-information.png" alt-text="Screenshot of the BitLocker recovery information screen." lightbox="images/preboot-recovery-additional-recovery-information.png" border="false":::
:::column-end:::
:::row-end:::
The next sections describe the codes for each BitLocker error category. Within each section there's a table with the error message displayed on the recovery screen, and the cause of the error. Some tables include possible resolution.
The error categories are:
- [Initiated by user](#initiated-by-user)
- [Code integrity](#code-integrity)
- [Device lockout](#device-lockout)
- [Boot configuration](#boot-configuration)
- [TPM](#tpm)
- [Protector](#protector)
- [Unknown](#unknown)
### Initiated by user
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_USER_REQUESTED_RECOVERY`|The user explicitly entered recovery mode from a screen with the option to `ESC` to recovery mode.||
|`E_FVE_BOOT_DEBUG_ENABLED`|Boot debugging mode is enabled. |Remove the boot debugging option from the boot configuration database.|
### Code integrity
Driver signature enforcement is used to ensure code integrity of the operating system.
| Error code | Error cause |
|-|-|
|`E_FVE_CI_DISABLED`|Driver signature enforcement is disabled.|
### Device lockout
Device lockout threshold functionality allows an administrator to configure Windows sign in with BitLocker protection. After the configured number of failed Windows sign in attempts, the device reboots and can only be recovered by providing a BitLocker recovery method.
To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_DEVICE_LOCKEDOUT`|Device lockout triggered due to too many incorrect sign in attempts.|A BitLocker recovery method is required to return to the sign in screen.|
|`E_FVE_DEVICE_LOCKOUT_MISMATCH`|The device lockout counter is out of sync. |A BitLocker recovery method is required to return to the sign in screen.|
### Boot configuration
The *Boot Configuration Database (BCD)* contains critical information for the Windows boot environment.
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_BAD_CODE_ID`<br><br>`E_FVE_BAD_CODE_OPTION`|BitLocker entered recovery mode because a boot application changed.<br>BitLocker tracks the data inside the BCD and BitLocker recovery can occur when this data changes without warning. <br><br>Refer to the recovery screen to find the boot application that changed.|To remediate this issue, restore the BCD configuration. A BitLocker recovery method is required to unlock the device if the BCD configuration can't be restored before booting.|
For more information, see [Boot Configuration Data settings and BitLocker](bcd-settings-and-bitlocker.md).
### TPM
The Trusted Platform Module (TPM) is cryptographic hardware or firmware used to secure a device. BitLocker creates a *TPM protector* to manage protection of the encryption keys used to encrypt your data.
At boot, BitLocker attempts to communicate with the TPM to unlock the device and access your data.
| Error code | Error cause |
|-|-|
|`E_FVE_TPM_DISABLED` | A TPM is present but is disabled for use before or during boot.|
|`E_FVE_TPM_INVALIDATED` | A TPM is present but invalidated.|
|`E_FVE_BAD_SRK` | The TPM's internal Storage Root Key is corrupted.|
|`E_FVE_TPM_NOT_DETECTED` | The booting system doesn't have or doesn't detect a TPM.|
|`E_MATCHING_PCRS_TPM_FAILURE`| The TPM unexpectedly failed when unsealing the encryption key.|
|`E_FVE_TPM_FAILURE` | Catch-all for other TPM errors.|
For more information, see [Trusted Platform Module Technology Overview](../../../hardware-security/tpm/trusted-platform-module-overview.md) and [BitLocker and TPM](index.md#bitlocker-and-tpm).
### Protector
#### TPM protectors
The TPM contains multiple Platform Configuration Registers (PCRs) that can be used in the validation profile of the BitLocker TPM protector. The PCRs are used to validate the integrity of the boot process, that is, that the boot configuration and boot flow hasn't been tampered with.
BitLocker recovery can be the result of unexpected changes in the PCRs used in the TPM protector validation profile. Changes to PCRs not used in the TPM protector profile don't influence BitLocker.
| Error code | Error cause |Resolution|
|-|-|
|`E_FVE_PCR_MISMATCH`|The device's configuration changed. <br><br>Possible causes include:<br>- A bootable media is inserted. Removing it and restarting your device might fix this problem<br>- A firmware update was applied without updating the TPM protector| A recovery method is required to unlock the device.|
For more examples, see [BitLocker recovery scenarios](recovery-overview.md#bitlocker-recovery-scenarios).
#### Special cases for PCR 7
If the TPM protector uses PCR 7 in the validation profile, BitLocker expects PCR 7 to measure a specific set of events for Secure Boot. These measurements are defined in the UEFI spec. For more information, see [Static Root of Trust Measurements](/previous-versions/windows/hardware/hck/jj923068(v=vs.85)#appendix-a-static-root-of-trust-measurements)
| Error code | Error cause |Resolution|
|-|-|-|
|`E_FVE_SECUREBOOT_DISABLED`|Secure Boot has been disabled. To access the encryption key and unlock your device, BitLocker expects Secure Boot to be on. | Re-enabling Secure Boot and rebooting the system might fix the recovery issue. Otherwise, a recovery method is required to access the device.|
|`E_FVE_SECUREBOOT_CHANGED`|The Secure Boot configuration unexpectedly changed. The boot configuration measured in PCR 7 changed. <br>This may be either because of:<br>- An additional measurement currently present that wasn't present when BitLocker updated the TPM protector<br>- A missing measurement that was present when BitLocker last updated the TPM protector but now isn't present<br>- An expected event has a different measurement | A recovery method is required to unlock the device.|
### Unknown
| Error code | Error cause | Resolution|
|-|-|-|
|`E_FVE_RECOVERY_ERROR_UNKNOWN`| BitLocker entered recovery mode because of an unknown error. | A recovery method is required to unlock the device.|
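Review bot: the `E_FVE_PCR_MISMATCH` table under "TPM protectors" has a three-cell header (`| Error code | Error cause |Resolution|`) and three-cell rows but a two-cell separator (`|-|-|`), so Markdown renders it as a two-column table and drops the Resolution column; change the separator to `|-|-|-|` as in the other tables. Smaller points in the same hunk: `<Kbd>Alt</kbd>` mixes tag case and should be `<kbd>Alt</kbd>`; the PCR 7 paragraph ends without a period after the Static Root of Trust Measurements link; "A bootable media is inserted" should read "Bootable media is inserted"; and "a screen with the option to `ESC` to recovery mode" in the `E_FVE_USER_REQUESTED_RECOVERY` row would be clearer as "a screen that offers `ESC` to enter recovery mode".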

View File

@ -2,7 +2,7 @@
title: BitLocker recovery overview title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks. description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker recovery overview # BitLocker recovery overview

View File

@ -2,7 +2,7 @@
title: BitLocker recovery process title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive. description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to ms.topic: how-to
ms.date: 10/30/2023 ms.date: 06/18/2024
--- ---
# BitLocker recovery process # BitLocker recovery process
@ -83,7 +83,7 @@ function Get-EntraBitLockerKeys{
foreach ($keyId in $keyIds) { foreach ($keyId in $keyIds) {
$recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
Write-Host -ForegroundColor White " Key id: $keyid" Write-Host -ForegroundColor White " Key id: $keyid"
Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
} }
} else { } else {
Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName" Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
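Review bot: no textual change is visible in this hunk (both sides of the `Get-EntraBitLockerKeys` loop match), so it appears to be whitespace-only. Since the script is being touched, it is worth adding a sentence near this example noting that `Write-Host ... "BitLocker recovery key: $recoveryKey"` writes the full recovery password to the console, so it will land in any PowerShell transcript or captured session log and should be cleared after use.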