From 3883963058012494ac4fc3f1bdd6673b60cb987f Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Wed, 1 Jul 2020 17:08:09 -0700 Subject: [PATCH 1/3] Update bitlocker-recovery-guide-plan.md @rafals2 Here are the edits for your commit. The images all look fine from a content standpoint, but it would be good to check them again on staging when everything is finalized so we can make sure they render clearly. Let me know if you have any questions about the edits. Thanks! Kelly --- .../bitlocker-recovery-guide-plan.md | 95 ++++++++++--------- 1 file changed, 48 insertions(+), 47 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 9bc15b3a8e..46d4a5e312 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -254,16 +254,17 @@ This error might occur if you updated the firmware. As a best practice you shoul Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. -## Bitlocker Recovery Password screen -During BitLocker recovery Windows can display **custom recovery message** and **password hints** identifying where password can be retrieved from. These two improvements can help user during BitLocker recovery. +## BitLocker recovery screen + +During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. + ### Custom recovery message -BitLocker group polices have been improved in Windows 10 Version 1511 by adding policy which allows for configuration of custom recovery message and URL on BitLocker Recovery screen. 
This policy cam be used to show address of BitLocker self-service recovery portal, IT internal website or phone number to helpdesk department. -This policy can be configured via the GPO under: +BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. -*Computer Configuration\ Administrative Templates\ Windows Components\ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL* +This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. -or via Intune/MDM in the BitLocker CSP: +It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: *./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage* ![Custom URL](./images/bl-intune-custom-url.png) 
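Review bot: "confiure" in the added line "BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen" is a typo introduced by this hunk (the line it replaces had "configuration"); change it to "configure". Also, the rewritten line "It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP" narrows the original "via Intune/MDM" to Intune only, while the setting is a BitLocker CSP node that any MDM supporting that CSP can write; suggest "using Intune or another MDM through the BitLocker CSP" so the OMA-URI `./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage` reads as the general mechanism.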
@@ -274,78 +275,78 @@ Example of customized recovery screen: -### Bitlocker Recovery Password hints +### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10 1903 to include information where and when BitLocker Recovery Password has been backed up. This information is not exposed via User Interface or any public API. It is used solely by BitLocker Recovery screen in a form of password hints to guide user where to look for a volume’s recovery password. Password hints are displayed on the recovery screen and depend on location where password has been saved. Password hints are displayed in both modern (blue) and legacy (**black**) recovery screen. This applies to both: bootmanager recovery screen and WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. -![Customized Bitlocker Recovery Screen](./images/bl-password-hint2.png) +![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] -> Microosft doesn't recommend printing Recovery Passwords or saving them to a file. Instead active directory backup or cloud based backup should be used. Cloud based backup includes Azure Active Directory (AAD) and Microsoft Account (MSA). +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and managed service accounts (MSAs). 
-There are multiple rules governing which password hint is shown during the recovery (in order of processing): +There are rules governing which hint is shown during the recovery (in order of processing): -1. Always display custom recovery message if it has been configured (via GPO or MDM). -2. Always display generic hint: "For more information go to http://aka.ms/recoverykeyfaq " -3. If multiple recovery passwords exist on the volume prioritize the latest created (and successfully backed up) recovery password -4. Prioritize passwords with successful backup over passwords that has never been backed up. -5. Prioritize backup hints in following order for remote backup locations: MSA> AAD > AD -6. If password has been printed and saved to file, display combined hint “Look for a printout or a text file with the key” instead of 2 separate hints. -7. If multiple backups of same type (remove vs local) have been performed for the same recovery password, prioritize backup info with latest backed up date -8. There is no specific password hint for password saved to on-prem active directory. In this case custom message will be displayed (if configured) or generic message “Contact your organization’s help desk” -9. If two recovery passwords are present on the disk, but only one has been successfully backed up, system will ask for a password that has been backed up, even if another password is newer. +1. Always display custom recovery message if it has been configured (using GPO or MDM). +2. Always display generic hint: "For more information go to http://aka.ms/recoverykeyfaq." +3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. +4. Prioritize keys with successful backup over keys that have never been backed up. +5. Prioritize backup hints in the following order for remote backup locations: MSA > Azure AD > Active Directory +6. 
If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. -#### Example 1 (single recovery password with single backup) +#### Example 1 (single recovery key with single backup) | Custom URL | Yes | |----------------------|------------| | Saved to MSA | Yes | -| Saved to AAD | No | -| Saved to AD | No | +| Saved to Azure AD | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | No | -**Result:** password hint for MSA and custom URL are displayed. +**Result:** The hint for the MSA and custom URL are displayed. -![Example 1 of Customized Bitlocker Recovery Screen](./images/rp-example1.PNG) +![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) -#### Example 2 (single recovery password with single backup) +#### Example 2 (single recovery key with single backup) | Custom URL | Yes | |----------------------|------------| | Saved to MSA | No | -| Saved to AAD | No | -| Saved to AD | Yes | +| Saved to Azure AD | No | +| Saved to Active Directory | Yes | | Printed | No | | Saved to file | No | -**Result:** only custom URL is displayed. +**Result:** Only the custom URL is displayed. 
-![Example 2 of Customized Bitlocker Recovery Screen](./images/rp-example2.PNG) +![Example 2 of customized BitLocker recovery screen](./images/rp-example2.PNG) -#### Example 3 (single recovery password with multiple backups) +#### Example 3 (single recovery key with multiple backups) | Custom URL | No | |----------------------|------------| | Saved to MSA | Yes | -| Saved to AAD | Yes | -| Saved to AD | No | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | | Printed | Yes | | Saved to file | Yes | -**Result:** only MSA password hint is displayed. +**Result:** Only the MSA hint is displayed. -![Example 3 of Customized Bitlocker Recovery Screen](./images/rp-example3.PNG) +![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG) #### Example 4 (multiple recovery passwords) | Custom URL | No | |----------------------|-----------------| | Saved to MSA | No | -| Saved to AAD | No | -| Saved to AD | No | +| Saved to Azure AD | No | +| Saved to Acive Directory | No | | Printed | No | | Saved to file | Yes | | Creation time | **1PM** | @@ -355,16 +356,16 @@ There are multiple rules governing which password hint is shown during the recov | Custom URL | No | |----------------------|-----------------| | Saved to MSA | No | -| Saved to AAD | No | -| Saved to AD | No | +| Saved to Azure AD | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | No | | Creation time | **3PM** | | Key ID | T4521ER5 | -**Result:** only hint for successfully backed up password is displayed, although it is not the most recent password. +**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key. -![Example 4 of Customized Bitlocker Recovery Screen](./images/rp-example4.PNG) +![Example 4 of customized BitLocker recovery screen](./images/rp-example4.PNG) #### Example 5 (multiple recovery passwords) 
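Review bot: The expansion "managed service accounts (MSAs)" added to the IMPORTANT note in the @@ -274,78 hunk is wrong; in this section MSA means Microsoft Account, as the removed line said ("Microsoft Account (MSA)") and as PATCH 2/3 later corrects. Two other defects in the same hunk survive the whole series: rule 7's "(remove vs. local)" is copied from the original and should read "(remote vs. local)", and the added Example 4 row "| Saved to Acive Directory | No |" misspells Active (it is still present as context in the @@ -344 hunk of PATCH 2/3). Smaller points: rule 2 now puts the period inside the quotes directly after the URL ("http://aka.ms/recoverykeyfaq."), which autolinking renderers will fold into the link, so keep it outside the quotes; and "refer to the location where key has been saved" is missing "the".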
@@ -372,8 +373,8 @@ There are multiple rules governing which password hint is shown during the recov | Custom URL | No | |----------------------|-----------------| | Saved to MSA | Yes | -| Saved to AAD | Yes | -| Saved to AD | No | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | | Printed | No | | Saved to file | No | | Creation time | **1PM** | @@ -383,16 +384,16 @@ There are multiple rules governing which password hint is shown during the recov | Custom URL | No | |----------------------|-----------------| | Saved to MSA | No | -| Saved to AAD | Yes | -| Saved to AD | No | +| Saved to Azure AD | Yes | +| Saved to Active Directory | No | | Printed | No | | Saved to file | No | | Creation time | **3PM** | | Key ID | 9DF70931 | -**Result:** hint for most recent password is displayed +**Result:** The hint for the most recent key is displayed. -![Example 5 of Customized Bitlocker Recovery Screen](./images/rp-example5.PNG) +![Example 5 of customized BitLocker recovery screen](./images/rp-example5.PNG) ## Using additional recovery information From 34cfefdee4ba4bd51dd169c71cebaf9a615e338e Mon Sep 17 00:00:00 2001 From: Rafal Sosnowski <51166236+rafals2@users.noreply.github.com> Date: Thu, 2 Jul 2020 09:33:50 -0700 Subject: [PATCH 2/3] Update bitlocker-recovery-guide-plan.md changed MSA to Microsoft Account --- .../bitlocker-recovery-guide-plan.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 46d4a5e312..27f54d4520 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -282,7 +282,7 @@ BitLocker metadata has been enhanced in Windows 10, version 1903 to include info ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and managed service accounts (MSAs). +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. There are rules governing which hint is shown during the recovery (in order of processing): @@ -291,7 +291,7 @@ There are rules governing which hint is shown during the recovery (in order of p 2. Always display generic hint: "For more information go to http://aka.ms/recoverykeyfaq." 3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. -5. Prioritize backup hints in the following order for remote backup locations: MSA > Azure AD > Active Directory +5. Prioritize backup hints in the following order for remote backup locations: Microsoft Account > Azure AD > Active Directory 6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. 7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. 8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. 
@@ -302,7 +302,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Custom URL | Yes | |----------------------|------------| -| Saved to MSA | Yes | +| Saved to Microsoft Account | Yes | | Saved to Azure AD | No | | Saved to Active Directory | No | | Printed | No | @@ -316,7 +316,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Custom URL | Yes | |----------------------|------------| -| Saved to MSA | No | +| Saved to Microsoft Account | No | | Saved to Azure AD | No | | Saved to Active Directory | Yes | | Printed | No | @@ -330,7 +330,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Custom URL | No | |----------------------|------------| -| Saved to MSA | Yes | +| Saved to Microsoft Account | Yes | | Saved to Azure AD | Yes | | Saved to Active Directory | No | | Printed | Yes | @@ -344,7 +344,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Custom URL | No | |----------------------|-----------------| -| Saved to MSA | No | +| Saved to Microsoft Account | No | | Saved to Azure AD | No | | Saved to Acive Directory | No | | Printed | No | @@ -355,7 +355,7 @@ There are rules governing which hint is shown during the recovery (in order of p   | Custom URL | No | |----------------------|-----------------| -| Saved to MSA | No | +| Saved to Microsoft Account | No | | Saved to Azure AD | No | | Saved to Active Directory | No | | Printed | No | @@ -372,7 +372,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Custom URL | No | |----------------------|-----------------| -| Saved to MSA | Yes | +| Saved to Microsoft Account | Yes | | Saved to Azure AD | Yes | | Saved to Active Directory | No | | Printed | No | 
@@ -381,9 +381,8 @@ There are rules governing which hint is shown during the recovery (in order of p | Key ID | 99631A34 |     -| Custom URL | No | -|----------------------|-----------------| -| Saved to MSA | No | +| Custom URL | **No** | +| Saved to Microsoft Account | No | | Saved to Azure AD | Yes | | Saved to Active Directory | No | | Printed | No | From bf1cda0fdaffb37d62ce5642a4647da9c72840f8 Mon Sep 17 00:00:00 2001 From: Rafal Sosnowski <51166236+rafals2@users.noreply.github.com> Date: Thu, 2 Jul 2020 12:08:00 -0700 Subject: [PATCH 3/3] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 27f54d4520..51bd5d0a49 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -308,7 +308,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | No | | Saved to file | No | -**Result:** The hint for the MSA and custom URL are displayed. +**Result:** The hint for the Microsoft Account and custom URL are displayed. ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) @@ -336,7 +336,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | Yes | | Saved to file | Yes | -**Result:** Only the MSA hint is displayed. +**Result:** Only the Microsoft Account hint is displayed. ![Example 3 of customized BitLocker recovery screen](./images/rp-example3.PNG)