operations guide

This commit is contained in:
Paolo Matarazzo 2023-10-18 17:54:22 -04:00
parent 8df2368942
commit 3f56fbaf95
3 changed files with 20 additions and 23 deletions

View File

@ -35,17 +35,10 @@ The BitLocker drive encryption tools include the two command-line tools:
Encrypting volumes with the BitLocker Control Panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is *BitLocker Drive Encryption*. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet. Encrypting volumes with the BitLocker Control Panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is *BitLocker Drive Encryption*. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
### Use BitLocker within Windows Explorer ### Use BitLocker within Windows Explorer
Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker Control Panel. Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker Control Panel.
Using the Control Panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
## Check the BitLocker status ## Check the BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
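Review bot: removing the "To start encryption for a volume, select **Turn on BitLocker** ... initialize the **BitLocker Drive Encryption Wizard**" paragraph and the three Control Panel wizard steps leaves a dangling reference: the Windows Explorer section still ends with "the wizard works exactly as it does when launched using the BitLocker Control Panel", but the page no longer says how the wizard is launched from the Control Panel or that its options vary by volume type. Suggest keeping that one sentence under the Control Panel paragraph, or rewording the Explorer sentence so it does not point at removed text. Minor, since this section is being touched: "### Use BitLocker within Windows Explorer" is a level-3 heading while the adjacent "## Check the BitLocker status" is level 2; worth confirming the intended nesting.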

View File

@ -195,12 +195,22 @@ Some organizations have location-specific data security requirements, especially
For more information about how to configure Network unlock feature, see [Network Unlock](network-unlock.md). For more information about how to configure Network unlock feature, see [Network Unlock](network-unlock.md).
## BitLocker recovery
Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to BitLocker recovery, which are described in the [BitLocker recovery guide](recovery-guide).
## Monitor BitLocker ## Monitor BitLocker
Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor) and [View BitLocker reports in Configuration Manager](/mem/configmgr/protect/deploy-use/bitlocker/view-reports). Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor) and [View BitLocker reports in Configuration Manager](/mem/configmgr/protect/deploy-use/bitlocker/view-reports).
## Next steps ## Next steps
> [!div class="nextstepaction"]
> Learn how to plan a BitLocker recovery strategy for your organization.
>
>
> [BitLocker recovery guide >](recovery-guide.md)
> [!div class="nextstepaction"] > [!div class="nextstepaction"]
> Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO). > Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
> >
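Review bot: the new "BitLocker recovery" section links to `[BitLocker recovery guide](recovery-guide)` without the `.md` extension, while the Network Unlock link in the context above uses `network-unlock.md` and the added next-step link below uses `recovery-guide.md`; change it to `(recovery-guide.md)` so the relative link resolves like the others. The added `nextstepaction` block also has two empty `>` lines between the description and the link where one is the pattern used elsewhere. Unchanged-context nit: "how to configure Network unlock feature" reads better as "how to configure the Network Unlock feature".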

View File

@ -10,8 +10,6 @@ ms.date: 09/29/2023
# BitLocker recovery guide # BitLocker recovery guide
Organizations can use BitLocker recovery information saved in Microsoft Entra ID and Active Directory Domain Services (AD DS) to access BitLocker-protected drives. It's recommended to create a recovery model for BitLocker while planning your BitLocker deployment.
This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS. This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS.
## What is BitLocker recovery? ## What is BitLocker recovery?
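Review bot: dropping the opening paragraph removes the only sentence in this article that says what the recovery information stored in Microsoft Entra ID and AD DS is for ("to access BitLocker-protected drives") and the recommendation to create a recovery model during planning; if that planning advice is intentionally moving to the planning guide's new "BitLocker recovery" section, fine, but consider keeping the first sentence as the lead so the article does not open with "This article describes...". Unchanged-context nit: "configure devices to automatically backup BitLocker recovery information" should be "back up" (verb form).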
@ -27,31 +25,27 @@ BitLocker recovery is the process by which access to a BitLocker-protected drive
## What causes BitLocker recovery? ## What causes BitLocker recovery?
The following list provides some examples of specific events that causes BitLocker to enter recovery mode when attempting to start the operating system drive: The following list provides examples of common events that causes BitLocker to enter recovery mode when attempting to start the operating system drive:
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised - Changing the BIOS or firmware boot device order on devices with TPM 1.2
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD
- Failing to boot from a network drive before booting from the hard drive - Failing to boot from a network drive before booting from the hard drive
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked - Docking or undocking a portable computer
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition - Changes to the NTFS partition table on the disk
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed - Entering the personal identification number (PIN) incorrectly too many times
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM - Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM
- Turning off, disabling, deactivating, or clearing the TPM - Turning off, disabling, deactivating, or clearing the TPM
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change - Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade
- Forgetting the PIN when PIN authentication has been enabled - Forgetting the PIN when PIN authentication has been enabled
- Updating option ROM firmware - Updating option ROM firmware
- Upgrading TPM firmware - Upgrading TPM firmware
- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards - Adding or removing hardware
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer
- Changes to the master boot record on the disk - Changes to the master boot record on the disk
- Changes to the boot manager on the disk - Changes to the boot manager on the disk
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software - Hiding the TPM from the operating system
- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs - Using a different keyboard that doesn't correctly enter the PIN
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile.
> [!NOTE]
> Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
- Moving the BitLocker-protected drive into a new computer - Moving the BitLocker-protected drive into a new computer
- Upgrading the motherboard to a new one with a new TPM - Upgrading the motherboard to a new one with a new TPM
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled - Losing the USB flash drive containing the startup key when startup key authentication has been enabled
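Review bot: subject-verb agreement in the rewritten lead sentence: "examples of common events that causes BitLocker to enter recovery mode" should read "that cause". The shortened PCR item now ends with a period ("used by the TPM validation profile.") while no other bullet does, and trimming the **PCR[1]** example leaves the following NOTE about **PCR[2]** with less context; a short parenthetical such as "for example, adding **PCR[1]**" would keep the note anchored. Shortening the docking and anti-hammering items is reasonable for a list, but the PIN item lost the fact that it is the TPM anti-hammering lockout that forces recovery, which is what someone troubleshooting a PIN lockout needs; suggest keeping "so that the TPM's anti-hammering logic is activated" on that bullet.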