Merge branch 'main' into v-smandalika-bl-rcvgdplan-4318240

2025-06-20 12:53:38 +00:00 · 2022-09-26 14:36:52 +05:30
parent abbab57628 4b936f85fe
commit 67e747f9a2
45 changed files with 1901 additions and 867 deletions
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@ -1,12 +1,13 @@
 ---
-title: BitLocker recovery guide (Windows 10)
-description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
-ms.reviewer:
-ms.prod: m365-security
+title: BitLocker recovery guide
+description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
+ms.prod: windows-client
+ms.technology: itpro-security
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
 ms.collection:
  - M365-security-compliance
  - highpri
@ -21,11 +22,11 @@ ms.custom: bitlocker

 - Windows 10
 - Windows 11
- Windows Server 2016 and above
+- Windows Server 2016 and later

 This topic describes how to recover BitLocker keys from AD DS.

-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
+Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.

 This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.

@ -44,7 +45,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker

 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 - Failing to boot from a network drive before booting from the hard drive.
@ -280,7 +281,16 @@ This error might occur if you updated the firmware. As a best practice, you shou

 ## Windows RE and its usage in BitLocker Device Encryption

-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+
+Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
+
+The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
+
+To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
+To activate the on-screen keyboard, tap on a text input control.
+
+:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::

 ## BitLocker recovery screen

--- a/windows/security/information-protection/bitlocker/images/bl-narrator.png
+++ b/windows/security/information-protection/bitlocker/images/bl-narrator.png
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@ -30,25 +30,25 @@ sections:

      - question: Can an IT admin specify which files should be encrypted?
        answer: |
-          Yes, but it can only be done using the PDE APIs.
+          Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).

      - question: Do I need to use OneDrive as my backup provider?
        answer: |
-          No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+          No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider.

      - question: What is the relation between Windows Hello for Business and PDE?
        answer: |
-          Windows Hello for Business unlocks PDE encryption keys during user sign on.
+          During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files.

      - question: Can a file be encrypted with both PDE and EFS at the same time?
        answer: |
          No. PDE and EFS are mutually exclusive.

-      - question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
+      - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
        answer: |
          No. Accessing PDE encrypted files over RDP isn't currently supported.

-      - question: Can a PDE encrypted files be access via a network share?
+      - question: Can PDE encrypted files be access via a network share?
        answer: |
          No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.

@ -62,11 +62,11 @@ sections:

      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
        answer: |
-          No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+          No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.

      - question: What encryption method and strength does PDE use?
        answer: |
-          PDE uses AES-256 to encrypt files
+          PDE uses AES-CBC with a 256-bit key to encrypt files

 additionalContent: |
  ## See also
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@ -1,6 +1,6 @@
 ---
 title: Personal Data Encryption (PDE)
-description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
+description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.

 author: frankroj
 ms.author: frankroj
@ -40,19 +40,19 @@ ms.date: 09/22/2022
  - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
    - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
  - Backup solution such as [OneDrive](/onedrive/onedrive)
-    - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
+    - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
  - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-    - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+    - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
  - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
    - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
  - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
-    - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
+    - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
  - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-    - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+    - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).

 ## PDE protection levels

-PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).

 | Item | Level 1 | Level 2 |
 |---|---|---|
@ -94,15 +94,15 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption

 | Item | PDE | BitLocker |
 |--|--|--|
-| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
-| Encryption keys discarded | At user sign out | At reboot |
+| Release of key | At user sign-in via Windows Hello for Business | At boot |
+| Keys discarded | At user sign-out | At reboot |
 | Files encrypted | Individual specified files | Entire volume/drive |
 | Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
 | Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |

 ## Differences between PDE and EFS

-The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.

 To see if a file is encrypted with PDE or EFS:

@ -118,9 +118,7 @@ Encryption information including what encryption method is being used can be obt

 ## Disable PDE and decrypt files

-Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
-
-In certain scenarios a user may be able to manually decrypt a file using the following steps:
+Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps:

 1. Open the properties of the file
 2. Under the **General** tab, select **Advanced...**
@ -139,4 +137,4 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a

 ## See also
 - [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
+- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)