diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md index bb7883468e..8ff30ba745 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md 
@@ -54,7 +54,7 @@ To protect the BitLocker encryption key, BitLocker can use different types of *p | **Recovery password** | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. | | **TPM + Network Key** | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of OS volumes while maintaining multifactor authentication. This key protector can only be used with OS volumes. | | **Recovery key** | An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `.bek`. | -| **Data Recovery Agent** | Data recovery agents (DRA) are Active Directory security principals whose public key infrastructure (PKI) certificates are used as BitLocker key protector. DRAs can use their credentials to unlock drives using the private key of the certificate used as key protector.| +| **Data Recovery Agent** | Data recovery agents (DRAs) are accounts that are able to decrypt BitLocker-protected drives by using their certificates. Recovery of a BitLocker-protected drive can be accomplished by a data recovery agent that is configured with the proper certificate. | | **Active Directory user or group** | A protector that is based on an Active Directory user or group security identified (SID). Data drives are automatically unlocked when such users attempt to access them. | #### Support for devices without TPM 
@@ -188,7 +188,7 @@ For more information about how to configure Network unlock feature, see [Network ## BitLocker recovery -Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to BitLocker recovery, which are described in the [BitLocker recovery guide](recovery-guide). +Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to BitLocker recovery, which are described in the [BitLocker recovery guide](recovery-guide.md). ## Monitor BitLocker diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md index ad0a52543a..73393e8633 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md 
@@ -152,18 +152,33 @@ A file with a file name format of `BitLocker Key Package {}.KPG` is created > [!NOTE] > To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume. + +### Multiple recovery passwords + +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. + +To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. + + #### Data Recovery Agents DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs. -> [!NOTE] -> DRAs can be published in Active Directory, but not in Microsoft Entra ID. - To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required: -1. Create a DRA certificate, which must contain the *BitLocker Data Recovery Agent* OID `1.3.6.1.4.1.311.67.1.2` in the EKU extension +1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate. + 1. If a key usage attribute is present, it must be one of the following: + - `CERT_DATA_ENCIPHERMENT_KEY_USAGE` + - `CERT_KEY_AGREEMENT_KEY_USAGE` + -`CERT_KEY_ENCIPHERMENT_KEY_USAGE` + 1. 
If an enhanced key usage (EKU) attribute is present, it must be one of the following: + - As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1` + - Any EKU object identifier supported by your certification authority (CA) 1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption** -1. Configure the following policy setting, accourding to your organization's policy: [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) +1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device + 1. Configure the following policy settings to allow recovery using a DRA for each drive type: - [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index 14687fde8c..102ff6d5b8 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md 
@@ -39,27 +39,16 @@ The following list can be used as a template for creating a recovery process for | :ballot_box_with_check: | Recovery process step | Details | |--|--| -- | -| :black_square_button: | [Record the device name](#record-the-name-of-the-users-computer) |The name of the user's device can be used to locate the recovery password in Microsoft Entra ID or AD DS. If the user doesn't know the name of the device, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.| +| :black_square_button: | Record the device name |The name of the user's device can be used to locate the recovery password in Microsoft Entra ID or AD DS. If the user doesn't know the name of the device, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.| | :black_square_button: | Verify the user's identity |The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.| | :black_square_button: | Locate the recovery password |Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.| -| :black_square_button: | Gather information to determine why recovery occurred |Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. 
For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).| -| Provide the user the recovery password | Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. | +| :black_square_button: | Root cause analysis |Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis| +| :black_square_button: | Provide the user the recovery password | Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. | +| :black_square_button: | Rotate the recovery key | | > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. - - - - -### Multiple recovery passwords - -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. 
- -To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. - -Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. - ## Post-recovery tasks ### BitLocker recovery analysis @@ -140,7 +129,9 @@ Windows Recovery Environment (RE) can be used to recover access to a drive prote Windows RE also asks for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, asks for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally. -## Retrieve Bitlocker recovery keys for a Microsoft Entra joined device + + +### Retrieve the recovery password from Microsoft Entra ID ``` PowerShell function Get-EntraBitLockerKeys{ 
@@ -183,7 +174,15 @@ Device name: DESKTOP-53O32QI BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773 ``` -## BitLocker Recovery Password Viewer +### Retrieve the recovery password from Active Directory + +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. + +To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. + +#### BitLocker Recovery Password Viewer BitLocker Recovery Password Viewer is an optional tool included with the *Remote Server Administration Tools (RSAT)*, and it's an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in. @@ -192,8 +191,6 @@ With BitLocker Recovery Password Viewer you can: - Check the Active Directory computer object's properties to retrieve the associated BitLocker recovery passwords - Search Active Directory for BitLocker recovery password across all the domains in the Active Directory forest. Passwords can also be searched by password identifier (ID) -### Requirements - To complete the procedures in this scenario, the following requirements must be met: - Domain administrator credentials 
@@ -202,28 +199,24 @@ To complete the procedures in this scenario, the following requirements must be The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. -### Install BitLocker Recovery Password Viewer - - -### View the recovery passwords for a computer object +##### View the recovery passwords for a computer object 1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located 1. Right-click the computer object and select **Properties** 1. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer -## Copy the recovery passwords for a computer object +##### Copy the recovery passwords for a computer object 1. Follow the steps in the previous procedure to view the BitLocker recovery passwords 1. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details** 1. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet -## Locate a recovery password by using a password ID +##### Locate a recovery password by using a password ID 1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password** 1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search** 1. Once the recovery password is located, you can use the previous procedure to copy it - ## Rotate keys >[!TIP] 
@@ -267,3 +260,34 @@ For a complete list of the `repair-bde.exe` options, see the [Repair-bde referen +### Microsoft Entra ID + + + +#### Data Recovery Agents + +To list data recovery agents configured for a BitLocker-protected drive, use the `manage-bde.exe` command, including certificate-based protectors. Example: + +```cmd +C:\>manage-bde.exe -protectors -get E: + +Volume E: [] +All Key Protectors + + Numerical Password: + ID: {24B0AA32-F8D0-40BA-BB05-73A800324C09} + Password: + 461109-608201-413820-485342-181588-463056-430617-501391 + + Data Recovery Agent (Certificate Based): + ID: {3F81C18D-A685-4782-8F55-99C6452980E7} + Certificate Thumbprint: + 9de688607336294a52b445d30d1eb92f0bec1e78 +``` + +In this example, if the private key is available in the local certificate store, the administrator could use the following command to unlock the drive by using the data recovery agent protector: + +```cmd +manage-bde -unlock E: -Certificate -ct 9de688607336294a52b445d30d1eb92f0bec1e78 +``` +
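Review bot: In the planning-guide.md hunk at line 54, the rewritten **Data Recovery Agent** row drops the statement that the DRA certificate is itself a BitLocker key protector, which is the detail the rest of this patch relies on (the last recovery-process.md hunk shows the `Data Recovery Agent (Certificate Based)` entry in `manage-bde.exe -protectors -get` output). The new sentence also says DRAs "decrypt" drives, whereas the removed text and the `manage-bde -unlock` example describe unlocking with the certificate's private key. Suggest keeping the key-protector framing, for example: "Data recovery agents (DRAs) are accounts whose certificates are added to a drive as a key protector; an account that holds the certificate's private key can unlock the drive." While this table is being touched, the unchanged **Active Directory user or group** row in the same hunk reads "security identified (SID)" and should say "security identifier (SID)".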
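Review bot: In the recovery-guide.md hunk at line 152, the DRA EKU object identifier changes from `1.3.6.1.4.1.311.67.1.2` in the removed step ("must contain the *BitLocker Data Recovery Agent* OID") to "the default `1.3.6.1.4.1.311.67.1.1`" in the added step, and nothing in the change explains why; please confirm which OID BitLocker expects on a DRA certificate before this merges, because a wrong value here has administrators issuing certificates that BitLocker will not accept as a protector. Two formatting problems in the same list: the third key-usage bullet is written `-`CERT_KEY_ENCIPHERMENT_KEY_USAGE`` with no space after the dash, so it will not render as a list item, and the new `### Multiple recovery passwords` section is inserted directly above `#### Data Recovery Agents`, so the DRA procedure now renders as a child of a section it has nothing to do with (there are also three blank lines before the heading). Finally, the removed note "DRAs can be published in Active Directory, but not in Microsoft Entra ID" is the only place that limitation is stated; if it is being dropped in favour of the `### Microsoft Entra ID` section added to recovery-process.md, that section needs to carry the text, because as added it is empty.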
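Review bot: In the recovery-process.md hunk at line 39, the new **Rotate the recovery key** row has an empty Details cell, and the rewritten **Root cause analysis** row carries over the typo "information should be gatherer" (should be "gathered") and loses its closing period. The rename is also misleading: the step described is gathering information before the password is handed out, and the actual root cause work is the post-recovery analysis section the row used to link to; "Gather information for root cause analysis" matches the cell's contents. For the rotate row, either point the Details cell at the `## Rotate keys` section that remains further down in the same file or leave the row out until there is text for it, since an empty step in a helpdesk template will simply be skipped.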
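Review bot: In the recovery-process.md hunk at line 140, `## Retrieve Bitlocker recovery keys for a Microsoft Entra joined device` is demoted to `### Retrieve the recovery password from Microsoft Entra ID`, but the nearest heading above it in the context is the Windows RE discussion, so the Entra retrieval procedure now reads as a sub-section of Windows Recovery Environment. It belongs under a parent that names the source of the password (the `### Microsoft Entra ID` heading the last hunk adds would do, if that heading were placed here rather than at the end of the file), or it should stay at `##`. The two blank lines added before the heading should go, and the fence immediately below it, `` ``` PowerShell `` with a space after the backticks, is worth fixing in the same change since some renderers treat that as an untagged block; `` ```powershell `` is the usual form.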
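Review bot: In the recovery-process.md hunk at line 183, the three paragraphs added under `### Retrieve the recovery password from Active Directory` ("If multiple recovery passwords are stored under a computer object in AD DS..." through "...finds the correct password to unlock the encrypted volume.") are the same text this patch adds to recovery-guide.md in the hunk at line 152 and removes from this file in the hunk at line 39; two verbatim copies will drift. Keep one copy, and this location is the better one because it sits beside the Password Viewer procedure that actually uses the eight-character password ID, then link to it from recovery-guide.md. Dropping `### Requirements` in the same hunk leaves "To complete the procedures in this scenario, the following requirements must be met:" running straight on from the "With BitLocker Recovery Password Viewer you can:" bullets; keep a heading (at `#####` if the Viewer stays at `####`) or add a one-line lead-in so the two lists are visibly separate.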
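Review bot: In the recovery-process.md hunk at line 202, the three procedures (`View the recovery passwords for a computer object`, `Copy the recovery passwords for a computer object`, `Locate a recovery password by using a password ID`) move to `#####`, which is deeper than most doc linters allow and drops them out of the page's table of contents; they are at H5 only because the Password Viewer heading was pushed to `####` in the previous hunk, which is one more reason to keep BitLocker Recovery Password Viewer at `###`. Removing the empty `### Install BitLocker Recovery Password Viewer` heading is right, but the remaining context still only says the tool "is an optional tool included with the Remote Server Administration Tools (RSAT)", so a single sentence saying that it is installed as an RSAT feature would replace what the deleted heading promised. Minor: the unchanged first step of the password ID procedure writes "In Active Directory Users and Computers" without the bold used for the same snap-in name in the step above it.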
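Review bot: In the recovery-process.md hunk at line 267, `### Microsoft Entra ID` is added as an empty heading (three blank lines, no body) and `#### Data Recovery Agents` is nested under it, yet the DRA example is a local `manage-bde.exe` query that has nothing to do with Entra ID; either give the Entra section content (the planning-guide note this patch removes, that DRAs can be published in Active Directory but not in Microsoft Entra ID, is exactly the kind of statement that belongs there) or drop the heading and make Data Recovery Agents a `###`. In the lead-in sentence, "use the `manage-bde.exe` command, including certificate-based protectors" attaches the modifier to the command; it should read along the lines of "use `manage-bde.exe -protectors -get` to list all key protectors on the drive, including certificate-based DRA protectors". The two commands are also inconsistent with each other: the first is shown as `C:\>manage-bde.exe -protectors -get E:` with a prompt and `.exe`, the second as `manage-bde -unlock E: -Certificate -ct ...` with neither. The sample output also prints a complete 48-digit numerical password next to the DRA thumbprint; since readers copy sample output into tickets and scripts, either mask it or state in the text that the values are sample data. The trailing blank line added at end of file should go as well.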