mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
operations guide
@ -42,20 +42,20 @@ The TPM is able to securely protect the BitLocker encryption key while it is at
|
|||||||
To protect the BitLocker encryption key, BitLocker can use different types of *protectors*. When enabling BitLocker, each protector receives a copy of the *Volume Master Key*, which is then encrypted using its own machanism.
|
To protect the BitLocker encryption key, BitLocker can use different types of *protectors*. When enabling BitLocker, each protector receives a copy of the *Volume Master Key*, which is then encrypted using its own machanism.
|
||||||
|
|
||||||
| Key protector | Description |
|
| Key protector | Description |
|
||||||
| - | - |
|
|--|--|
|
||||||
| Password | To unlock a drive, the user must supply a password. When used for OS drives, the user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic, therefore it doesn't protect against brute force attacks|
|
| **Auto-unlock** | Used to automatically unlock volumes that do not host an operating system. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. |
|
||||||
| Autounlock | |
|
| **Password** and **Password for OS drive**| To unlock a drive, the user must supply a password. When used for OS drives, the user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic, therefore it doesn't protect against brute force attacks. |
|
||||||
| Smart card certificate | To unlock a drive, the user must use a smart card.|
|
| **Startup key** | An encryption key that can be stored on removable media, with a file name format of `<protector_id>.bek`. The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device. |
|
||||||
| TPM | A hardware device used to help establish a secure root-of-trust, validating early boot components. The TPM protector can only be used with the OS drive. |
|
| Smart card certificate | Used to unlock volumes that do not host an operating system. To unlock a drive, the user must use a smart card. |
|
||||||
| TPM + PIN | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
|
| **TPM** | A hardware device used to help establish a secure root-of-trust, validating early boot components. The TPM protector can only be used with the OS drive. |
|
||||||
| Startup key | An encryption key that can be stored on removable media, with a file name format of `<protector_id>.bek`. The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device.|
|
| **TPM + PIN** | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable. |
|
||||||
| TPM + Startup key | The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted. |
|
| **TPM + Startup key** | The TPM successfully validates early boot components. The user must insert a USB drive containing the startup key before the OS can boot. |
|
||||||
| TPM + Startup key + PIN | The TPM successfully validates early boot components. The user must enter the correct PIN and insert a USB drive containing the startup key before the OS can boot |
|
| **TPM + Startup key + PIN** | The TPM successfully validates early boot components. The user must enter the correct PIN and insert a USB drive containing the startup key before the OS can boot. |
|
||||||
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `<protector_id>.bek`|
|
| Recovery password | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. |
|
||||||
| Recovery password | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
|
| **TPM + Network Key** | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of OS volumes while maintaining multifactor authentication. This key protector can only be used with OS volumes. |
|
||||||
| PublicKey (DataRecoveryAgent) | A *Data Recovery Agent* (DRA) certificate that can be used to access any BitLocker encrypted drives that is configured with the public key protector.|
|
| **Recovery key** | An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `<protector_id>.bek`. |
|
||||||
| TPM + Network Key (TpmNetworkKey) | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of OS volumes while maintaining multifactor authentication. This key protector can only be used with OS volumes.|
|
| **Data Recovery Agent** | A Data Recovery Agent (DRA) is a certificate-based key protector that can be used to access any BitLocker encrypted drives that is configured with the public key protector. |
|
||||||
| Active Directory user or group | A protector that is based on an Active Directory user or group security identified (SID). This protector can't be used for OS volumes and is not supported on Microsoft Entra joined devices.|
|
| **Active Directory user or group** | A protector that is based on an Active Directory user or group security identified (SID). |
|
||||||
|
|
||||||
#### Support for devices without TPM
|
#### Support for devices without TPM
|
||||||
|
|
||||||
|
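Review bot: the typo "machanism" in the table's intro sentence ("encrypted using its own machanism") survives on the new side of the hunk; since the line is touched anyway, fix it to "mechanism". In the same table, the new **Active Directory user or group** row reads "security identified (SID)" where "security identifier (SID)" is meant, and it drops the old caveat that the protector can't be used for OS volumes and isn't supported on Microsoft Entra joined devices; if that restriction still holds, keep the sentence, because it is the one operational limit an admin needs before choosing that protector. Minor: "in addition to the TPM.The TPM" in the **TPM + PIN** row needs a space after the period, and the **Startup key** row's "The user is prompted for the USB flash drive ... and then reboot the device" has a subject mismatch ("and then restarts the device").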
@ -32,12 +32,12 @@ In a recovery scenario, the following options to restore access to the drive may
|
|||||||
:::row-end:::
|
:::row-end:::
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="4":::
|
:::column span="4":::
|
||||||
**Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key protector. *Data recovery agents* can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the data recovery agent to unlock it
|
**Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it.
|
||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::row-end:::
|
:::row-end:::
|
||||||
:::row:::
|
:::row:::
|
||||||
:::column span="4":::
|
:::column span="4":::
|
||||||
**Key package**: blob that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be stored on a file or in AD DS.
|
**Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be saved on a file or in AD DS.
|
||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::row-end:::
|
:::row-end:::
|
||||||
|
|
||||||
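Review bot: the **Key package** entry changes "blob" to "decryption key", which misdescribes it; the same sentence says the package decrypts portions of the drive only together with the recovery password or recovery key, so it is not a decryption key on its own. Suggest keeping "blob" or writing "package of key material". Also "can be saved on a file" should read "saved to a file".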
@ -76,24 +76,26 @@ If software maintenance requires the computer to be restarted and two-factor aut
|
|||||||
|
|
||||||
## Plan for BitLocker recovery
|
## Plan for BitLocker recovery
|
||||||
|
|
||||||
When planning for BitLocker recovery, consider the following:
|
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:
|
||||||
|
|
||||||
To help document the BitLocker recovery process that works best for your organization, answer the following questions:
|
|
||||||
|
|
||||||
| :ballot_box_with_check: | **Question** |
|
| :ballot_box_with_check: | **Question** |
|
||||||
|--|--|
|
|--|--|
|
||||||
| :black_square_button: | *blah* |
|
| :black_square_button: | *How does the organization handle lost Windows passwords?* |
|
||||||
| :black_square_button: | *blah* |
|
| :black_square_button: | *How does the organization perform smart card PIN resets?* |
|
||||||
| :black_square_button: | *blah* |
|
| :black_square_button: | *Are users allowed to save or retrieve recovery information for the devices that they own?* |
|
||||||
|
|
||||||
### Automatic backup of recovery information
|
Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs) or automatically back up recovery information to Microsoft Entra ID or Active Directory Domain Services (AD DS).
|
||||||
|
|
||||||
|
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
|
||||||
|
|
||||||
|
## Backup of recovery information
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The *BitLocker key package* can be stored in Active Directory Domain Services (AD DS), not in Microsoft Entra ID.
|
> The *BitLocker key package* can be stored in Active Directory Domain Services (AD DS), not in Microsoft Entra ID.
|
||||||
|
|
||||||
#### Microsoft Entra ID
|
### Microsoft Entra ID
|
||||||
|
|
||||||
#### Active Directory
|
### Active Directory
|
||||||
|
|
||||||
The BitLocker recovery information for a device joined to Active Directory is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each Computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume. The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is `<Object Creation Date and Time><Recovery GUID>`.
|
The BitLocker recovery information for a device joined to Active Directory is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each Computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume. The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is `<Object Creation Date and Time><Recovery GUID>`.
|
||||||
|
|
||||||
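Review bot: in the new paragraph after the question table, "the organization can use a data recovery agents (DRAs)" has a number mismatch; use "can use data recovery agents (DRAs)". The moved sentence "After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization." now sits at the end of *Plan for BitLocker recovery*, directly before the new "## Backup of recovery information" heading, where it reads as an orphan; consider keeping it with the retrieval material it introduces or linking it to the planning questions above it. Promoting "Microsoft Entra ID" and "Active Directory" from `####` to `###` matches the new "## Backup of recovery information" parent.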
@ -122,15 +124,21 @@ If recovery information is not backed up to AD DS, or if you want to save a key
|
|||||||
manage-bde.exe -KeyPackage C: -id <id> -path <path>
|
manage-bde.exe -KeyPackage C: -id <id> -path <path>
|
||||||
```
|
```
|
||||||
|
|
||||||
A file with a `.kpg` extension is created in the specified path.
|
A file with a file name format of `BitLocker Key Package {<id>}.KPG` is created in the specified path.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume.
|
> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume.
|
||||||
|
|
||||||
### Data Recovery Agents
|
### Data Recovery Agents
|
||||||
|
|
||||||
|
DRAs are useful for help desk scenarios where the help desk can unlock a BitLocker-protected drive by connecting the drive to a device that contains the certificate of a DRA. The DRA protector option must be configured before enabling BitLocker on a drive.
|
||||||
|
|
||||||
|
|
||||||
### User backup of recovery information
|
### User backup of recovery information
|
||||||
|
|
||||||
## BitLocker recovery guide
|
|
||||||
|
|
||||||
This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS.
|
### OneDrive option
|
||||||
|
|
||||||
|
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
|
||||||
|
|
||||||
|
Users can verify whether the recovery key is saved properly by checking OneDrive for the *BitLocker* folder, which is created automatically during the save process. The folder contains two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
|
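Review bot: "before any damage occurrs to the volume" in the NOTE callout keeps the typo "occurrs" on the new side; fix to "occurs". The new file-name sentence ("BitLocker Key Package {<id>}.KPG") is more useful than the old ".kpg extension" wording, but the command above still uses `<id>` without saying where the key protector ID comes from; a pointer to how to list the volume's protector IDs would make the step self-contained. The OneDrive section moved in here mixes terms: "For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name" should use one term consistently (the folder is described as holding the recovery key file).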
@ -10,26 +10,15 @@ ms.date: 09/29/2023
|
|||||||
|
|
||||||
# BitLocker recovery process
|
# BitLocker recovery process
|
||||||
|
|
||||||
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:
|
This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS.
|
||||||
|
|
||||||
- how does the organization handle lost Windows passwords?
|
## Recovery password retrieval
|
||||||
- how does the organization perform smart card PIN resets?
|
|
||||||
|
|
||||||
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
|
### Self-recovery
|
||||||
|
|
||||||
When the recovery process is determined:
|
|
||||||
|
|
||||||
- Become familiar with how a recovery password can be retrieved. See:
|
|
||||||
- [Self-recovery](#self-recovery)
|
|
||||||
- [Recovery password retrieval](#recovery-password-retrieval)
|
|
||||||
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
|
|
||||||
- [Post-recovery analysis](#post-recovery-analysis)
|
|
||||||
|
|
||||||
## Self-recovery
|
|
||||||
|
|
||||||
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
|
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
|
||||||
|
|
||||||
## Recovery password retrieval
|
### Help desk recovery
|
||||||
|
|
||||||
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
|
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
|
||||||
|
|
||||||
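Review bot: the new intro paragraph ("configure devices to automatically backup BitLocker recovery information") uses the noun "backup" where the verb "back up" is needed. The unchanged context below has the opposite problem: "back up of the recovery password to AD DS does not happen by default" should be "backup of", and "has to be configured ... **before** BitLocker was enabled" should be "is enabled" to match the surrounding present tense; since this hunk already rewrites the section, fix both in the same pass. Removing the planning bullets here is consistent with moving them into the operations guide's question table in the earlier hunk.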
@ -92,7 +81,9 @@ Because the recovery password is 48 digits long, the user may need to record the
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
|
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
|
||||||
|
|
||||||
### Post-recovery analysis
|
## Post-recovery tasks
|
||||||
|
|
||||||
|
### BitLocker recovery analysis
|
||||||
|
|
||||||
When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
|
When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
|
||||||
|
|
||||||
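Review bot: renaming "### Post-recovery analysis" to "## Post-recovery tasks" with a new "### BitLocker recovery analysis" subsection changes the heading anchor; the in-page link `[Post-recovery analysis](#post-recovery-analysis)` is removed earlier in this commit, but any other article or external bookmark pointing at `#post-recovery-analysis` will now break, so check for remaining references or keep the old anchor.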
@ -110,16 +101,11 @@ While an administrator can remotely investigate the cause of recovery in some ca
|
|||||||
Review and answer the following questions for the organization:
|
Review and answer the following questions for the organization:
|
||||||
|
|
||||||
1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
|
1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
|
||||||
|
1. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
|
||||||
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
|
1. If TPM mode was in effect, was recovery caused by a boot file change?
|
||||||
|
1. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
|
||||||
3. If TPM mode was in effect, was recovery caused by a boot file change?
|
1. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
|
||||||
|
1. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
|
||||||
4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
|
|
||||||
|
|
||||||
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
|
|
||||||
|
|
||||||
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
|
|
||||||
|
|
||||||
To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
|
To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
|
||||||
|
|
||||||
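Review bot: in the renumbered question list, "or a malicious software" should be "or malicious software" (uncountable noun). Switching every item to `1.` so Markdown renumbers automatically matches the PIN-reset steps later in this commit and avoids the drift the old hand-numbered list was prone to.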
@ -149,48 +135,31 @@ If a user has forgotten the PIN, the PIN must be reset while signed on to the co
|
|||||||
### To prevent continued recovery due to an unknown PIN
|
### To prevent continued recovery due to an unknown PIN
|
||||||
|
|
||||||
1. Unlock the computer using the recovery password.
|
1. Unlock the computer using the recovery password.
|
||||||
|
1. Reset the PIN:
|
||||||
2. Reset the PIN:
|
|
||||||
|
|
||||||
1. Select and hold the drive and then select **Change PIN**
|
1. Select and hold the drive and then select **Change PIN**
|
||||||
|
1. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
|
||||||
|
1. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
|
||||||
|
|
||||||
2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
|
1. The new PIN can be used the next time the drive needs to be unlocked.
|
||||||
|
|
||||||
3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
|
|
||||||
|
|
||||||
3. The new PIN can be used the next time the drive needs to be unlocked.
|
|
||||||
|
|
||||||
## Lost startup key
|
## Lost startup key
|
||||||
|
|
||||||
If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created.
|
If the USB flash drive that contains the startup key is lost, you must be unlock the drive using the recovery key. A new startup can then be created using PowerShell, the Command Prompt, or BitLocker.
|
||||||
|
|
||||||
### To prevent continued recovery due to a lost startup key
|
For examples how to add BitLocker protectors, review the [BitLocker operations guide](operations-guide.md#add-protectors).
|
||||||
|
|
||||||
1. Sign in as an administrator to the computer that has its startup key lost.
|
|
||||||
|
|
||||||
2. Open Manage BitLocker.
|
|
||||||
|
|
||||||
3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**.
|
|
||||||
|
|
||||||
## Changes to boot files
|
## Changes to boot files
|
||||||
|
|
||||||
This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
|
This error occurs if the firmware is updated. BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update is complete. Suspending BitLocker prevents the device from going into recovery mode. However, if changes happen when BitLocker protection is on, the recovery password can be used to unlock the drive and the platform validation profile is updated so that recovery doesn't occur the next time.
|
||||||
|
|
||||||
|
For examples how to suspend and resume BitLocker protectors, review the [BitLocker operations guide](operations-guide.md#suspend-and-resume).
|
||||||
|
|
||||||
## Windows RE and device encryption
|
## Windows RE and device encryption
|
||||||
|
|
||||||
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [device encryption](index.md#device-encryption). If a device is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
|
Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker. If a device is unable to boot after two failures, *Startup Repair* automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the device and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
|
||||||
|
|
||||||
Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
|
Windows RE also asks for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, asks for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
|
||||||
|
|
||||||
The BitLocker recovery screen in Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
|
|
||||||
|
|
||||||
To activate the narrator during BitLocker recovery in Windows RE, press <kbd>WIN</kbd>+<kbd>CTRL</kbd>+<kbd>ENTER</kbd>. To activate the on-screen keyboard, select a text input control.
|
|
||||||
|
|
||||||
### OneDrive option
|
|
||||||
|
|
||||||
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
|
|
||||||
|
|
||||||
Users can verify whether the recovery key is saved properly by checking OneDrive for the *BitLocker* folder, which is created automatically during the save process. The folder contains two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
|
|
||||||
|
|
||||||
## Retrieve Bitlocker recovery keys for a Microsoft Entra joined device
|
## Retrieve Bitlocker recovery keys for a Microsoft Entra joined device
|
||||||
|
|
||||||
|
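Review bot: the rewritten *Lost startup key* sentence introduces a grammar error: "you must be unlock the drive" should be "the drive must be unlocked" (the surrounding text stays in the passive voice), and "A new startup can then be created" is missing "key" on both sides. "For examples how to add BitLocker protectors" and "For examples how to suspend and resume BitLocker protectors" both need "of how". The Windows RE paragraph drops the `[device encryption](index.md#device-encryption)` link in favor of "protected by BitLocker"; if generalizing was the intent, fine, but the dangling clause "Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate ..." is carried over unchanged and could be fixed in the same edit ("On devices whose firmware supports ... , the TPM can validate"). The heading "Retrieve Bitlocker recovery keys" has inconsistent product casing; the rest of the page uses "BitLocker".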