updates

2025-06-17 11:23:45 +00:00 · 2023-10-12 08:19:00 -04:00
parent 02cc5330bc
commit 425db8cdf3
2 changed files with 37 additions and 58 deletions
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md
@ -10,44 +10,29 @@ ms.date: 09/29/2023
 # Recovery password
-## Retrieve the BitLocker recovery password protector for the OS volume
+## Reset recovery password
 It's recommended to invalidate a recovery password after its use. In following example, all recovery passwords are removed from the OS drive 
 #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
 #### Remove all recovery passwords for the OS volume
 ```PowerShell
-(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword
+(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | `
  where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | `
  Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive
 ```
-#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+#### Add a BitLocker recovery password protector for the OS volume
 ---
 ## Add a BitLocker recovery password protector for the OS volume
 #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
 ```PowerShell
-Add-BitLockerKeyProtector -MountPoint -mountpoint $env:SystemDrive -RecoveryPasswordProtector
+Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
 ```
-#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+#### Backup the BitLocker recovery password to Microsoft Entra ID
 ---
-## Remove a BitLocker key protector
+This step is not required if the policy setting **Choose how BitLocker-protected operating system drives can be recovered** is configured to **Require BitLocker backup to AD DS**.
 #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
 ```PowerShell
 Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{GUID}"
 ```
 #### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
 ---
 ## Backup a recovery password
 #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
 ```PowerShell
 (Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword
@ -56,48 +41,42 @@ BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "
 #### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
 ---
 ## Reset recovery password
 It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
 #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
 #### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
 `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-1. Remove the previous recovery password.
+##### Remove previous recovery passwords for the OS volume
-    ```cmd
+```cmd
-    `manage-bde.exe` -protectors -delete C: -type RecoveryPassword
+manage-bde.exe -protectors -delete C: -type RecoveryPassword
-    ```
+```
-2. Add the new recovery password.
+##### Add the new recovery passwor
-    ```cmd
+```cmd
-    `manage-bde.exe` -protectors -add C: -RecoveryPassword
+manage-bde.exe -protectors -add C: -RecoveryPassword
-    ```
+```
-3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
+##### Obtain the ID of the new recovery password
-    ```cmd
+```cmd
-    `manage-bde.exe` -protectors -get C: -Type RecoveryPassword
+manage-bde.exe -protectors -get C: -Type RecoveryPassword
-    ```
+```
-4. Back up the new recovery password to AD DS.
+From the screen, copy the ID of the recovery password.
-    ```cmd
+##### Back up the new recovery password to AD DS
    `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
    ```
-    > [!WARNING]
+This step is not required if the policy setting **Choose how BitLocker-protected operating system drives can be recovered** is configured to **Require BitLocker backup to AD DS**.
-    > The braces `{}` must be included in the ID string.
+
 ```cmd
 manage-bde.exe -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
 ```
 > [!NOTE]
 > The braces `{}` must be included in the ID string.
 ---
-## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
+## Retrieve Bitlocker recovery keys for a Microsoft Entra joined device
 ``` PowerShell
 function Get-EntraBitLockerKeys{
--- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
@ -5,10 +5,10 @@ items:
  href: countermeasures.md
 - name: BitLocker planning guide
  href: planning-guide.md
 - name: BitLocker operations guide
  href: operations-guide.md
 - name: Configure BitLocker
  href: configure.md
 - name: BitLocker operations guide
  href: operations-guide.md
 - name: How-to guides
  items:
    - name: Install BitLocker on Windows Server