deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Metadata/style update BitLocker 18

Browse Source
This commit is contained in:
Frank Rojas 2022-11-16 23:45:59 -05:00
parent 143cbcdd80
commit 340f0fbd35
24 changed files with 151 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -60,7 +60,7 @@ When specifying BCD values in the **Use enhanced Boot Configuration Data validat
For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value.
A setting that applies to all boot applications may be applied only to an individual application; however, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
> [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.

2
windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
View File

@ -49,7 +49,7 @@ sections:
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
``` powershell
```powershell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

42
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -210,7 +210,7 @@ This command returns the volumes on the target, current encryption status, and v
Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption:
``` powershell
```powershell
manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:
```
@ -221,13 +221,13 @@ If prompted, reboot the computer to complete the encryption process.
It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command:
``` syntax
```cmd
manage-bde.exe -on C:
```
This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command:
``` syntax
```cmd
manage-bde.exe -protectors -get <volume>
```
@ -235,7 +235,7 @@ manage-bde.exe -protectors -get <volume>
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:
``` syntax
```cmd
manage-bde.exe -protectors -add C: -pw -sid <user or group>
```
@ -245,7 +245,7 @@ This command requires the user to enter and then confirm the password protectors
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
``` syntax
```cmd
manage-bde.exe -on <drive letter>
```
@ -255,7 +255,7 @@ or users can choose to add protectors to the volume. It is recommended to add at
A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker.
``` powershell
```powershell
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
@ -288,21 +288,21 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
> [!NOTE]
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
``` powershell
```powershell
Get-BitLockerVolume C: | fl
```
If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed.
A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
``` powershell
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command:
``` powershell
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
@ -315,13 +315,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the `m
To enable BitLocker with just the TPM protector, use this command:
``` powershell
```powershell
Enable-BitLocker C:
```
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
``` powershell
```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
@ -329,7 +329,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
``` powershell
```powershell
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
@ -344,13 +344,13 @@ The **ADAccountOrGroup** protector is an Active Directory SID-based protector. T
To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
``` powershell
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
``` powershell
```powershell
Get-ADUser -filter {samaccountname -eq "administrator"}
```
@ -362,7 +362,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
``` powershell
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
@ -397,7 +397,7 @@ Administrators who prefer a command-line interface can utilize `manage-bde.exe`
To check the status of a volume using `manage-bde.exe`, use the following command:
``` powershell
```powershell
manage-bde.exe -status <volume>
```
@ -410,7 +410,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
``` powershell
```powershell
Get-BitLockerVolume <volume> -Verbose | fl
```
@ -437,13 +437,13 @@ Once decryption is complete, the drive updates its status in the control panel a
Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
``` powershell
```powershell
manage-bde.exe -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
``` powershell
```powershell
manage-bde.exe -status C:
```
@ -453,13 +453,13 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to `manag
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
``` powershell
```powershell
Disable-BitLocker
```
If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
``` powershell
```powershell
Disable-BitLocker -MountPoint E:,F:,G:
```

6
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -33,7 +33,7 @@ BitLocker helps mitigate unauthorized data access on lost or stolen computers be
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
## Protection before startup
@ -92,13 +92,13 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne
### Protecting Thunderbolt and other DMA ports
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS.
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
![Kernel DMA protection.](images/kernel-dma-protection.png)
If kernel DMA protection isn't* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
1. Require a password for BIOS changes

2
windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
View File

@ -53,7 +53,7 @@ This article depicts the BitLocker deployment comparison chart.
|*Can be administered outside company network* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|*Support for organization unique IDs* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Self-service recovery* | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Wait to complete encryption until recovery information is backed up to Azure AD* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
|*Wait to complete encryption until recovery information is backed up to Active Directory* | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|*Allow or deny Data Recovery Agent* | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |

42
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -106,7 +106,7 @@ The following policies are used to support customized deployment scenarios in yo
| | &nbsp; |
|:---|:---|
|**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
|**Introduced**|Windows 10, version 1703, or Windows 11|
|**Introduced**|Windows 10, version 1703|
|**Drive type**|Operating system drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.|
@ -147,7 +147,7 @@ For more information about Network Unlock feature, see [BitLocker: How to enable
This policy setting is used to control which unlock options are available for operating system drives.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.|
|**Introduced**|Windows Server 2008 R2 and Windows 7|
@ -173,28 +173,28 @@ There are four options for TPM-enabled computers or devices:
- Configure TPM startup
- Allow TPM
- Require TPM
- Don't allow TPM
- Don not allow TPM
- Configure TPM startup PIN
- Allow startup PIN with TPM
- Require startup PIN with TPM
- Don't allow startup PIN with TPM
- Don not allow startup PIN with TPM
- Configure TPM startup key
- Allow startup key with TPM
- Require startup key with TPM
- Don't allow startup key with TPM
- Don not allow startup key with TPM
- Configure TPM startup key and PIN
- Allow TPM startup key with PIN
- Require startup key and PIN with TPM
- Don't allow TPM startup key with PIN
- Don not allow TPM startup key with PIN
### Allow enhanced PINs for startup
This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.|
|**Introduced**|Windows Server 2008 R2 and Windows 7|
@ -237,7 +237,7 @@ The Dictionary Attack Prevention Parameters provide a way to balance security ne
Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
@ -246,7 +246,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
| | &nbsp; |
|:---|:---|
|**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
|**Introduced**|Windows 10, version 1703, or Windows 11|
|**Introduced**|Windows 10, version 1703|
|**Drive type**|Operating system drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
|**Conflicts**|None|
@ -331,12 +331,12 @@ There are two options for TPM-enabled computers or devices:
- Configure TPM startup PIN
- Allow startup PIN with TPM
- Require startup PIN with TPM
- Don't allow startup PIN with TPM
- Do not allow startup PIN with TPM
- Configure TPM startup key
- Allow startup key with TPM
- Require startup key with TPM
- Don't allow startup key with TPM
- Do not allow startup key with TPM
These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur.
@ -495,7 +495,7 @@ The Windows touch keyboard (such as used by tablets) isn't available in the preb
It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available:
@ -554,7 +554,7 @@ This policy setting is used to require that removable drives are encrypted prior
If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
> [!NOTE]
> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
> You can override this policy setting with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
Conflict considerations include:
@ -603,7 +603,7 @@ This policy setting is used to control the encryption method and cipher strength
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
|**Conflicts**|None|
|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
#### Reference: Choose drive encryption method and cipher strength
@ -626,7 +626,7 @@ When this policy setting is disabled or not configured, BitLocker will use the d
This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
|**Introduced**|Windows Server 2012 and Windows 8|
@ -651,7 +651,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t
This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
|**Introduced**|Windows Server 2012 and Windows 8|
@ -678,7 +678,7 @@ The encryption algorithm that is used by hardware-based encryption is set when t
This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.|
|**Introduced**|Windows Server 2012 and Windows 8|
@ -840,7 +840,7 @@ For example, not allowing the 48-digit recovery password prevents users from pri
This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.|
|**Introduced**|Windows Server 2008 and Windows Vista|
@ -1040,7 +1040,7 @@ Multiple values separated by commas can be entered in the identification and all
This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.|
|**Introduced**|Windows Vista|
@ -1287,7 +1287,7 @@ When this policy setting is enabled, select the **Do not install BitLocker To Go
You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
| | &nbsp; |
| | |
|:---|:---|
|**Policy description**|Notes|
|**Introduced**|Windows Server 2003 with SP1|
@ -1313,7 +1313,7 @@ PCs default power settings for a computer will cause the computer to enter Sleep
However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states:
You can disable the following Group Policy settings, which are located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** to disable all available sleep states:
- Allow Standby States (S1-S3) When Sleeping (Plugged In)
- Allow Standby States (S1-S3) When Sleeping (Battery)

12
windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
View File

@ -67,7 +67,7 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window
By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
``` powershell
```powershell
Install-WindowsFeature BitLocker -WhatIf
```
@ -75,7 +75,7 @@ The results of this command show that only the BitLocker Drive Encryption featur
To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
``` powershell
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
```
@ -91,7 +91,7 @@ The result of this command displays the following list of all the administration
The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
``` powershell
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
```
@ -102,7 +102,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
``` powershell
```powershell
Get-WindowsOptionalFeature -Online | ft
```
@ -110,13 +110,13 @@ From this output, it can be seen that there are three BitLocker-related optional
To install BitLocker using the `dism.exe` module, use the following command:
``` powershell
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
```
This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
``` powershell
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
```

27
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -50,7 +50,7 @@ For Network Unlock to work reliably on computers, the first network adapter on t
The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required; however, the WDS service must be running on the server.
Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
@ -100,7 +100,7 @@ The BitLocker Network Unlock feature installs the WDS role if it isn't already i
To install the role by using Windows PowerShell, use the following command:
``` powershell
```powershell
Install-WindowsFeature WDS-Deployment
```
@ -112,7 +112,7 @@ To confirm that the WDS service is running, use the Services Management Console
To confirm that the service is running using Windows PowerShell, use the following command:
``` powershell
```powershell
Get-Service WDSServer
```
@ -122,7 +122,7 @@ To install the Network Unlock feature, use Server Manager or Windows PowerShell.
To install the feature by using Windows PowerShell, use the following command:
``` powershell
```powershell
Install-WindowsFeature BitLocker-NetworkUnlock
```
@ -217,7 +217,7 @@ To create a self-signed certificate, either use the `New-SelfSignedCertificate`
**Windows PowerShell:**
``` powershell
```powershell
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
@ -225,13 +225,13 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=
1. Create a text file with an `.inf` extension, for example:
``` syntax
```cmd
notepad.exe BitLocker-NetworkUnlock.inf
```
2. Add the following contents to the previously created file:
``` ini
```ini
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
ProviderType=0
@ -252,7 +252,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=
3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
``` syntax
```cmd
certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
@ -327,7 +327,7 @@ The configuration file, called bde-network-unlock.ini, must be located in the sa
The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names.
``` ini
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
@ -344,7 +344,7 @@ Subnet restrictions are defined within each certificate section by denoting the
Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
``` ini
```ini
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
@ -387,7 +387,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
``` powershell
```powershell
manage-bde.exe -protectors -get C:
```
@ -418,6 +418,9 @@ Gather the following files to troubleshoot BitLocker Network Unlock.
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
<!--
REMOVING SECTION DUE TO THE VERSIONS OF WINDOWS THAT THIS SECTION APPLIES TO ARE NO LONGER SUPPORTED.
## Configure Network Unlock Group Policy settings on earlier versions
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. However Network Unlock and the accompanying Group Policy settings can be deployed using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
@ -443,7 +446,7 @@ Follow these steps to configure Network Unlock on these older systems.
Apply the registry settings by running the following `certutil.exe` script (assuming the Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the [Applies to](#bitlocker-how-to-enable-network-unlock) list at the beginning of this article.
``` syntax
```cmd
certutil.exe -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f

4
windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
View File

@ -32,7 +32,7 @@ sections:
answer: |
Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
``` syntax
```cmd
Manage-bde.exe -protectors -add e: -sid <i>domain\username</i></code>
```
@ -52,7 +52,7 @@ sections:
answer: |
The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
``` syntax
```cmd
manage-bde.exe -protectors -delete %systemdrive% -type tpm
manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>

10
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -31,11 +31,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/
## Managing devices joined to Azure Active Directory
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), or Windows 11, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), or Windows 11, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
## Managing workplace-joined PCs and phones
@ -58,7 +58,7 @@ For Azure AD-joined computers, including virtual machines, the recovery password
**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
``` powershell
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:"
@ -70,7 +70,7 @@ For domain-joined computers, including servers, the recovery password should be
**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
``` powershell
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:"

2
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -50,7 +50,7 @@ BitLocker control panel, and they're appropriate to be used for automated deploy
## New and changed functionality
To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in [What's new in Windows 10, versions 1507 and 1511 for IT Pros](/windows/whats-new/whats-new-windows-10-version-1507-and-1511).
To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).
## System requirements

30
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -136,7 +136,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
3. At the command prompt, enter the following command:
``` syntax
```cmd
manage-bde.exe -forcerecovery <BitLockerVolume>
```
@ -148,7 +148,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
3. At the command prompt, enter the following command:
``` syntax
```cmd
manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>
```
@ -266,7 +266,7 @@ Review and answer the following questions for the organization:
To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
``` syntax
```cmd
manage-bde.exe -status
```
@ -337,7 +337,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few
### Custom recovery message
BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
@ -353,7 +353,7 @@ Example of a customized recovery screen:
### BitLocker recovery key hints
BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
@ -504,25 +504,25 @@ The recovery password and be invalidated and reset in two ways:
1. Remove the previous recovery password.
``` syntax
```cmd
`manage-bde.exe` -protectors -delete C: -type RecoveryPassword
```
2. Add the new recovery password.
``` syntax
```cmd
`manage-bde.exe` -protectors -add C: -RecoveryPassword
```
3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
``` syntax
```cmd
`manage-bde.exe` -protectors -get C: -Type RecoveryPassword
```
4. Back up the new recovery password to AD DS.
``` syntax
```cmd
`manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
@ -537,7 +537,7 @@ The recovery password and be invalidated and reset in two ways:
2. At the command prompt, enter the following command::
``` syntax
```cmd
cscript.exe ResetPassword.vbs
```
@ -553,7 +553,7 @@ The following sample VBScript can be used to reset the recovery passwords:
<details>
<summary>Expand to view sample recovery password VBscript to reset the recovery passwords</summary>
``` vb
```vb
' Target drive letter
strDriveLetter = "c:"
' Target computer name
@ -642,7 +642,7 @@ The following steps and sample script exports all previously saved key packages
2. At the command prompt, enter a command similar to the following sample script:
``` syntax
```cmd
cscript.exe GetBitLockerKeyPackageADDS.vbs -?
```
@ -652,7 +652,7 @@ The following sample script can be used to create a VBScript file to retrieve th
<details>
<summary>Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS</summary>
``` vb
```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
@ -800,7 +800,7 @@ The following steps and sample script exports a new key package from an unlocked
2. Open an administrator command prompt, and then enter a command similar to the following sample script:
``` syntax
```cmd
cscript.exe GetBitLockerKeyPackage.vbs -?
```
@ -808,7 +808,7 @@ The following steps and sample script exports a new key package from an unlocked
<details>
<summary>Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume</summary>
``` vb
```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

4
windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
View File

@ -30,13 +30,13 @@ If the correct BitLocker recovery key has been entered multiple times but are un
3. From the WinRE command prompt, manually unlock the drive with the following command:
``` syntax
```cmd
manage-bde.exe -unlock C: -rp <recovery password>
```
4. Suspend the protection on the operating system with the following command:
``` syntax
```cmd
manage-bde.exe -protectors -disable C:
```

28
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -48,7 +48,7 @@ Listed below are examples of basic valid commands for operating system volumes.
A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
``` syntax
```cmd
manage-bde.exe -status
```
@ -58,7 +58,7 @@ This command returns the volumes on the target, current encryption status, encry
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
``` syntax
```cmd
manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:
```
@ -68,7 +68,7 @@ manage-bde.exe -on C:
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
``` syntax
```cmd
manage-bde.exe -protectors -add C: -pw -sid <user or group>
```
@ -76,13 +76,13 @@ The above command will require the password protector to be entered and confirme
On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
``` syntax
```cmd
manage-bde.exe -on C:
```
The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
``` syntax
```cmd
manage-bde.exe -protectors -get <volume>
```
@ -96,7 +96,7 @@ or additional protectors can be added to the volume first. It's recommended to a
A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
``` syntax
```cmd
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
@ -167,7 +167,7 @@ To remove the existing protectors prior to provisioning BitLocker on the volume,
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
``` powershell
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
@ -176,7 +176,7 @@ By using this script, the information in the $keyprotectors variable can be disp
By using this information, the key protector for a specific volume can be removed using the command:
``` powershell
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
@ -189,13 +189,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
``` powershell
```powershell
Enable-BitLocker C:
```
In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
``` powershell
```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
@ -204,7 +204,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
SecureString value to store the user-defined password.
``` powershell
```powershell
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
@ -219,7 +219,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
``` powershell
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
@ -228,7 +228,7 @@ For users who wish to use the SID for the account or group, the first step is to
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
``` powershell
```powershell
get-aduser -filter {samaccountname -eq "administrator"}
```
@ -237,7 +237,7 @@ get-aduser -filter {samaccountname -eq "administrator"}
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
``` powershell
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
```

2
windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
View File

@ -101,7 +101,7 @@ sections:
The syntax of this command is:
``` syntax
```cmd
manage-bde.exe <driveletter> -lock
````

18
windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
View File

@ -79,13 +79,13 @@ To turn on BitLocker for a disk before adding it to a cluster:
3. Identify the name of the cluster with Windows PowerShell.
``` powershell
```powershell
Get-Cluster
```
4. Enable BitLocker on a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` powershell
```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
@ -104,25 +104,25 @@ When the cluster service owns a disk resource already, the disk resource needs t
2. Check the status of the cluster disk using Windows PowerShell.
``` powershell
```powershell
Get-ClusterResource "Cluster Disk 1"
```
3. Put the physical disk resource into maintenance mode using Windows PowerShell.
``` powershell
```powershell
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
4. Identify the name of the cluster with Windows PowerShell.
``` powershell
```powershell
Get-Cluster
```
5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` powershell
```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
@ -131,7 +131,7 @@ When the cluster service owns a disk resource already, the disk resource needs t
6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode:
``` powershell
```powershell
Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
```
@ -147,7 +147,7 @@ When the cluster service owns a disk resource already, the disk resource needs t
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
``` syntax
```cmd
manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
```
@ -169,7 +169,7 @@ When the cluster service owns a disk resource already, the disk resource needs t
CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption run the `manage-bde.exe -status` command as an administrator with a path to the volume. The path must be one that is inside the CSV namespace. For example:
``` syntax
```cmd
manage-bde.exe -status "C:\ClusterStorage\volume1"
```

16
windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
View File

@ -39,13 +39,13 @@ To filter and display or export logs, the [wevtutil.exe](/windows-server/adminis
For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
``` syntax
```cmd
wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
```
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command:
``` powershell
```powershell
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
```
@ -53,7 +53,7 @@ The Get-WinEvent can be used in an elevated PowerShell window to display filtere
- To display BitLocker-related information:
``` powershell
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
```
@ -63,19 +63,19 @@ The Get-WinEvent can be used in an elevated PowerShell window to display filtere
- To export BitLocker-related information:
``` powershell
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
```
- To display TPM-related information:
``` powershell
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
```
- To export TPM-related information:
``` powershell
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
```
@ -137,9 +137,9 @@ Resolving issues that don't have obvious causes depends on exactly which compone
- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker can't encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker can't encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).

6
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -1,5 +1,5 @@
---
title: BitLocker can't encrypt a drive known issues
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: itpro-security
@ -14,7 +14,7 @@ ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker can't encrypt a drive: known issues
# BitLocker cannot encrypt a drive: known issues
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@ -103,7 +103,7 @@ To verify that this issue has occurred, follow these steps:
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
``` powershell
```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```

10
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -1,5 +1,5 @@
---
title: BitLocker can't encrypt a drive known TPM issues
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
ms.reviewer: kaushika
ms.technology: itpro-security
@ -14,7 +14,7 @@ ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker can't encrypt a drive: known TPM issues
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@ -37,7 +37,7 @@ To resolve this issue, the TPM needs to be reset and cleared. The TPM can be res
1. Open an elevated PowerShell window and run the following script:
``` powershell
```powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
@ -111,7 +111,7 @@ To verify this issue is occurring, use one of the following two methods:
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
``` powershell
```powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
@ -145,7 +145,7 @@ The issue can be resolved with the following steps:
4. Open an elevated PowerShell window, and run the following command:
``` syntax
```cmd
cscript.exe <Path>\Add-TPMSelfWriteACE.vbs
```

4
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -138,7 +138,7 @@ In the guest VM domain controller **Applications and Services Logs** > **Directo
When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
``` Error
```Error
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
@ -166,7 +166,7 @@ For more information and recommendations about backing up virtualized domain con
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
``` console
```console
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.

6
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -62,7 +62,7 @@ To use `TBSLogGenerator.exe`, follow these steps:
1. Run the following command:
``` syntax
```cmd
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
@ -75,7 +75,7 @@ To use `TBSLogGenerator.exe`, follow these steps:
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file:
``` syntax
```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
@ -104,7 +104,7 @@ To download and install `PCPTool.exe`, go to the Toolkit page, select **Download
To decode a log, run the following command:
``` syntax
```cmd
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```

14
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -103,7 +103,7 @@ The procedures described in this section depend on the default disk partitions t
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
``` syntax
```cmd
diskpart.exe
list volume
```
@ -118,7 +118,7 @@ If the status of any of the volumes isn't healthy or if the recovery partition i
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
``` syntax
```cmd
reagentc.exe /info
```
@ -128,7 +128,7 @@ The output of this command resembles the following.
If the **Windows RE status** isn't **Enabled**, run the following command to enable it:
``` syntax
```cmd
reagentc.exe /enable
```
@ -136,7 +136,7 @@ reagentc.exe /enable
If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:
``` syntax
```cmd
bcdedit.exe /enum all
```
@ -191,7 +191,7 @@ This issue can be resolved by verifying the PCR validation profile of the TPM an
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
``` syntax
```cmd
Manage-bde.exe -protectors -get %systemdrive%
```
@ -220,8 +220,8 @@ To verify the secure boot state, use the System Information application by follo
> [!NOTE]
> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
>
> ```ps
> PS C:\> Confirm-SecureBootUEFI
> ```powershell
> Confirm-SecureBootUEFI
> ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."

4
windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
View File

@ -32,13 +32,13 @@ This article describes several known issues that may be encountered when BitLock
>
> 1. Open an elevated command prompt window and run the following command:
>
> ``` syntax
> ```cmd
> manage-bde.exe -protectors -get <Drive>
> ```
>
> For example:
>
> ``` syntax
> ```cmd
> manage-bde.exe -protectors -get C:
> ```
>

4
windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
View File

@ -115,8 +115,8 @@ This issue may occur when the Windows operating system isn't the owner of the TP
|Message |Reason | Resolution|
| - | - | - |
|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles: