mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
operations guide
This commit is contained in:
parent
52d8670c94
commit
463f13f12c
@ -32,12 +32,12 @@ In a recovery scenario, the following options to restore access to the drive may
:::row-end:::
:::row:::
:::column span="4":::
**Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it.
**Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be saved on a file or in AD DS.
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
**Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be saved on a file or in AD DS.
**Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it.
:::column-end:::
:::row-end:::
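Review bot: the two versions of this row differ only in the order of the two paragraphs, so while the row is being touched, fix the wording both carry: in the Key package paragraph "can be saved on a file or in AD DS" should read "can be saved to a file or in AD DS", and in the DRA paragraph "any BitLocker encrypted drives" should be hyphenated as "any BitLocker-encrypted drives" to match "BitLocker-protected drive" used elsewhere in the same hunk.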
@ -90,6 +90,29 @@ After a BitLocker recovery has been initiated, users can use a recovery password
## Backup of recovery information
### User-initaited backup
#### OneDrive option
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key is saved properly by checking OneDrive for the *BitLocker* folder, which is created automatically during the save process. The folder contains two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Centralized backup
The preferred backup methodology in an organization is to automatically store BitLocker recovery information in a central location. Depending on the organization's requirements, the recovery information can be stored in Microsoft Entra ID, AD DS, or file shares.
The recommendation is to use the following BitLocker backup methods:
- For Microsoft Entra joined devices, store the recovery key in Microsoft Entra ID
- For Active Directory joined devices, store the recovery key in AD DS
Backup of the recovery password doesn't happen automatically, but policy settings can be configured **before** BitLocker is enabled. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
> [!IMPORTANT]
> The *BitLocker key package* can be stored in Active Directory Domain Services (AD DS), not in Microsoft Entra ID.
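Review bot: typo in the new heading `### User-initaited backup`; it should be `### User-initiated backup`, and because the page anchor is derived from the heading text, any TOC entry or cross-reference to this section needs the corrected slug. A smaller point on ordering: the section itself states that centralized storage is "the preferred backup methodology in an organization", so placing `### Centralized backup` before the OneDrive option would lead with the recommended method and keep the OneDrive text, which only applies to devices that aren't domain members, as the secondary case.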
@ -129,16 +152,7 @@ A file with a file name format of `BitLocker Key Package {<id>}.KPG` is created
> [!NOTE]
> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume.
### Data Recovery Agents
## Data Recovery Agents
DRAs are useful for help desk scenarios where the help desk can unlock a BitLocker-protected drive by connecting the drive to a device that contains the certificate of a DRA. The DRA protector option must be configured before enabling BitLocker on a drive.
### User backup of recovery information
### OneDrive option
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key is saved properly by checking OneDrive for the *BitLocker* folder, which is created automatically during the save process. The folder contains two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
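Review bot: promoting `### Data Recovery Agents` to `## Data Recovery Agents` keeps the same slug, so existing links to it stay valid, but the unchanged NOTE directly above the heading still reads "before any damage occurrs to the volume" and should be corrected to "occurs" in the same commit. Removing the `### User backup of recovery information` and `### OneDrive option` sections here is consistent with the earlier hunk that re-adds the same OneDrive text under `## Backup of recovery information`; confirm nothing else on the page still links to `#oneDrive-option` at its old position.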
@ -20,14 +20,7 @@ In some cases, users might have the recovery password in a printout or a USB fla
### Help desk recovery
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
This method requires to enable the policy settings:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.**
An administrator can obtain the *recovery password* from Microsoft Entra ID or AD DS and use it to unlock the drive. Storing recovery passwords in Microsoft Entra ID or AD DS is recommended to provide a way to obtain recovery passwords for drives in an organization if needed. This method requires to enable the policy settings:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
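Review bot: the new sentence "This method requires to enable the policy settings:" is ungrammatical; suggest "This method requires the following policy settings to be enabled:". The paragraph being removed also carried the location of the settings (**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**) and the statement that they must be configured **before** BitLocker is enabled; the replacement keeps only "does not happen by default", so unless configure.md states both, a help desk reader loses the detail that a drive encrypted before the policy was set will have no password in AD DS to retrieve. Consider keeping one sentence to that effect.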
@ -44,23 +37,20 @@ The BitLocker Recovery Password Viewer for Active Directory Users and Computers
The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
- [Record the name of the user's computer](#record-the-name-of-the-users-computer)
- [Verify the user's identity](#verify-the-users-identity)
- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds)
- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred)
- [Give the user the recovery password](#give-the-user-the-recovery-password)
| :ballot_box_with_check: | Recovery process step | Details |
|--|--| -- |
| :black_square_button: | [Record the device name](#record-the-name-of-the-users-computer) |The name of the user's device can be used to locate the recovery password in Microsoft Entra ID or AD DS. If the user doesn't know the name of the device, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.|
| :black_square_button: | Verify the user's identity |The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.|
| :black_square_button: | Locate the recovery password |Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.|
| :black_square_button: | Gather information to determine why recovery occurred |Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).|
| Provide the user the recovery password | Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. |
### Record the name of the user's computer
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.
### Verify the user's identity
The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
### Locate the recovery password in AD DS
Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.
### Multiple recovery passwords
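Review bot: the last row of the new table, `| Provide the user the recovery password | Because the recovery password is 48 digits long, ...`, has two cells while the header `| :ballot_box_with_check: | Recovery process step | Details |` declares three, so the checkbox column is missing and the row renders shifted; add the leading `| :black_square_button: |` cell. In the same table, "information should be gatherer" in the "Gather information" row should be "gathered"; only the first row links its step name, and the link target `#record-the-name-of-the-users-computer` belongs to a `###` subsection this hunk is removing, so either drop the link or keep the subsection; and the first row says the password can be located in "Microsoft Entra ID or AD DS" while the "Locate the recovery password" row mentions AD DS only, so the two should agree.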
@ -70,17 +60,6 @@ To make sure the correct password is provided and/or to prevent providing the in
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
### Gather information to determine why recovery occurred
Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).
### Give the user the recovery password
Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
## Post-recovery tasks
### BitLocker recovery analysis
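Review bot: the NOTE about the per-block checksums in the 48-digit recovery password removed here reappears in the previous hunk of this file, so no guidance is lost, but the removed `### Gather information to determine why recovery occurred` and `### Give the user the recovery password` subsections were the targets of the `#gather-information-to-determine-why-recovery-occurred` and `#give-the-user-the-recovery-password` anchors in the bulleted list the previous hunk replaces; run a link check to confirm nothing else on the page still points at them. Also, the table's "Gather information" row links to `#post-recovery-analysis`, while the only heading visible in this context is `### BitLocker recovery analysis` under `## Post-recovery tasks`; verify that anchor actually exists.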