Bitlocker recovery screen

This commit is contained in:
Paolo Matarazzo
2024-06-18 07:59:57 -04:00
parent fbf67f4151
commit 7923bcfd9d
15 changed files with 171 additions and 28 deletions

View File

@ -1,8 +1,8 @@
---
title: BCD settings and BitLocker
title: BCD settings and BitLocker
description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# Boot Configuration Data settings and BitLocker

View File

@ -2,7 +2,7 @@
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# Configure BitLocker

View File

@ -1,8 +1,8 @@
---
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker countermeasures

View File

@ -2,7 +2,7 @@
title: Protect cluster shared volumes and storage area networks with BitLocker
description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>

View File

@ -3,7 +3,7 @@ metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
ms.date: 10/30/2023
ms.date: 06/18/2024
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.

View File

@ -2,7 +2,7 @@
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker overview

View File

@ -2,7 +2,7 @@
title: Install BitLocker on Windows Server
description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>

View File

@ -1,8 +1,8 @@
---
title: Network Unlock
title: Network Unlock
description: Learn how BitLocker Network Unlock works and how to configure it.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# Network Unlock
@ -255,7 +255,7 @@ The subnet policy configuration file must use a `[SUBNETS]` section to identify
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
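Review bot: the only visible difference in this hunk is the `SUBNET2=10.185.252.200/28` line appearing twice, so the edit looks whitespace-only; while this block is being touched, its spacing is inconsistent (`SUBNET3= 2001:4898:a:2::/64` has a space after `=`, and `SUBNET4=2001:4898:a:3::/64; in production, ...` has no space before the comment semicolon, unlike `SUBNET1`). Suggest normalizing all four entries to `NAME=value ; comment` so readers copying the sample don't carry the stray whitespace into a real subnet policy file.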

View File

@ -2,7 +2,7 @@
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker operations guide
@ -239,7 +239,7 @@ Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw
**Example**: Use PowerShell to enable BitLocker with a TPM protector
```powershell
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:

View File

@ -2,7 +2,7 @@
title: BitLocker planning guide
description: Learn how to plan for a BitLocker deployment in your organization.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker planning guide

View File

@ -2,7 +2,7 @@
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.topic: concept-article
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker preboot recovery screen
@ -72,10 +72,10 @@ There are rules governing which hint is shown during the recovery (in the order
:::row:::
:::column span="2":::
In this scenario, the recovery password is saved to a file
> [!IMPORTANT]
> It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false":::
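Review bot: the IMPORTANT callout line `> It's not recommend to print recovery keys or saving them to a file.` has a grammar error; suggest `> It isn't recommended to print recovery keys or save them to a file.` The preceding line `In this scenario, the recovery password is saved to a file` also lacks a terminating period. Both lines are part of this change, so fix them here rather than in a follow-up.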
@ -92,7 +92,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft account
- not printed
- not saved to a file
**Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed.
:::column-end:::
:::column span="2":::
@ -110,7 +110,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Active Directory
- not printed
- not saved to a file
**Result:** only the custom URL is displayed.
:::column-end:::
:::column span="2":::
@ -129,7 +129,7 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to Microsoft Entra ID
- printed
- saved to file
**Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed.
:::column-end:::
:::column span="2":::
@ -149,12 +149,12 @@ There are rules governing which hint is shown during the recovery (in the order
- saved to file
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
The recovery password #2 is:
- not backed up
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
**Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key.
:::column-end:::
:::column span="2":::
@ -175,12 +175,12 @@ There are rules governing which hint is shown during the recovery (in the order
- Saved to Microsoft Entra ID
- creation time: **1PM**
- key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
The recovery password #2 is:
- Saved to Microsoft Entra ID
- creation time: **3PM**
- key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
**Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed.
:::column-end:::
:::column span="2":::

View File

@ -2,7 +2,7 @@
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker recovery overview

View File

@ -2,7 +2,7 @@
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.topic: how-to
ms.date: 10/30/2023
ms.date: 06/18/2024
---
# BitLocker recovery process
@ -83,7 +83,7 @@ function Get-EntraBitLockerKeys{
foreach ($keyId in $keyIds) {
$recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key
Write-Host -ForegroundColor White " Key id: $keyid"
Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey"
}
} else {
Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName"
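Review bot: the loop declares `$keyId` but the line `Write-Host -ForegroundColor White " Key id: $keyid"` uses `$keyid`; PowerShell variable names are case-insensitive so it works, but the casing should match to keep the sample readable. The change itself on the `BitLocker recovery key:` line appears to be whitespace-only in the rendered hunk.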

View File

@ -0,0 +1,141 @@
---
title: BitLocker recovery screen
description:
ms.topic: how-to
ms.date: 06/18/2024
---
# BitLocker recovery screen
[!INCLUDE [insider-note](../../../../../includes/insider/insider-note.md)]
BitLocker recovery errors and their causes
BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism.
Prompting for the recovery password or other recovery method defends against suspected unauthorized access to user data by an attacker. Providing the recovery password allows BitLocker to confirm that the owner of the device is in posession of the device in recovery and that the device and stored data should become accessible.
For mroe information about BitLocker recovery, see this page.
## Initiated by user
E_FVE_USER_REQUESTED_RECOVERY
BitLocker entered recovery mode because of a transition from a screen with the option to ESC to recovery mode.
E_FVE_BOOT_DEBUG_ENABLED
BitLocker entered recovery mode because boot debugging mode has been enabled. To remediate this issue, remove the boot debugging option from the boot configuration database.
## Code integrity
Driver signature enforcement is used to ensure code integrity of the operating system.
E_FVE_CI_DISABLED
BitLocker entered recovery mode because driver signature enforcement has been disabled.
## Device lockout
Device lockout threshold functionality allows an administrator to configure Windows logon with BitLocker protection. After the configured number of failed Windows logon attempts, the device will be rebooted and can only be recovered by providing a BitLocker recovery method.
This feature is configurable with the "Interactive logon: Machine account lockout threshold" policy.
E_FVE_DEVICE_LOCKEDOUT
BitLocker entered recovery mode because device lockout has been triggered due to too many incorrect sign in attempts. A BitLocker recovery method is required to return to the logon screen.
E_FVE_DEVICE_LOCKOUT_MISMATCH
BitLocker entered recovery mode because the device lockout counter is out of sync. A BitLocker recovery method is required to return to the logon screen.
## Boot configuration
The Boot Configuration Database (BCD) contains critical information for the Windows boot environment. More information about how BitLocker uses the BCD is available here.
E_FVE_BAD_CODE_ID, E_FVE_BAD_CODE_OPTION
BitLocker entered recovery mode because a boot application has changed.
BitLocker tracks the data inside the BCD. BitLocker recovery can occur when this data changes without warning. Refer to the recovery screen to find the boot application that changed.
To remediate this issue, restore the BCD configuration. A BitLocker recovery method is required to unlock the device if the BCD configuration cannot be restored before booting.
## TPM
The Trusted Platform Module (TPM) is cryptographic hardware or firmware used to secure a computer. More information about the TPM is available at Trusted Platform Module Technology Overview - Windows Security | Microsoft Learn.
BitLocker creates a TPM protector to manage protection of the encryption keys used to encrypt your data. At boot, BitLocker attempts to communicate with the TPM to unlock the device and access your data. More information about how BitLocker uses the TPM is available at BitLocker overview - Windows Security | Microsoft Learn.
E_FVE_TPM_FAILURE, E_FVE_TPM_DISABLED, E_FVE_TPM_INVALIDATED, E_FVE_BAD_SRK, E_FVE_TPM_NOT_DETECTED, E_MATCHING_PCRS_TPM_FAILURE
BitLocker entered recovery mode because of a failure with the Trusted Platform Module.
E_FVE_TPM_FAILURE is a catch-all for other TPM errors not detailed below.
E_FVE_TPM_DISABLED is displayed when the TPM is present but has been disabled for use before or during boot.
E_FVE_TPM_INVALIDATED is displayed when a present TPM has been invalidated.
E_FVE_BAD_SRK indicates that the TPM's internal Storage Root Key has been corrupted.
E_FVE_TPM_NOT_DETECTED is displayed when the booting system does not have a TPM or does not recognize a TPM that may exist
E_MATCHING_PCRS_TPM_FAILURE means that the TPM unexpectedly failed when unsealing the encryption key.
## Protector
### TPM protectors
The TPM contains multiple Platform Configuration Registers (PCRs) that can be used in the validation profile of the BitLocker TPM protector. The PCRs are used to validate the integrity of the boot process, that is, that the boot configuration and boot flow hasn't been tampered with.
BitLocker recovery can be the result of unexpected changes in the PCRs used in the TPM protector validation profile. Changes to PCRs not used in the TPM protector profile do not influence BitLocker.
### `E_FVE_PCR_MISMATCH`
BitLocker entered recovery mode because your device's configuration has changed.
This may have happened because:
- A disc or USB device was inserted. Removing it and restarting your device may fix this problem
- A firmware update was applied without updating the TPM protector
- Any example at https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview#bitlocker-recovery-scenarios
A recovery method is required to unlock the device.
#### Special cases for PCR 7
If the TPM protector uses PCR 7 in the validation profile, BitLocker expects PCR 7 to measure a specific set of events for Secure Boot. These measurements are defined in the UEFI spec. More information is also available at Trusted Execution Environment EFI Protocol - Windows 8.1 HCK | Microsoft Learn.
### `E_FVE_SECUREBOOT_DISABLED`
BitLocker entered recovery mode because Secure Boot has been disabled.
To access the encryption key and unlock your device, BitLocker expects Secure Boot to be on. Re-enabling Secure Boot and rebooting the system may fix the recovery issue. Otherwise, a recovery method is required to access the device.
### `E_FVE_SECUREBOOT_CHANGED`
BitLocker entered recovery mode because the Secure Boot configuration unexpectedly changed.
The boot configuration measured in PCR 7 changed. This may be either because of:
- An additional measurement currently present that was not present when BitLocker updated the TPM protector
- A missing measurement that was present when BitLocker last updated the TPM protector but now is not present
- An expected event has a different measurement
A recovery method is required to unlock the device.
## Unknown
### `E_FVE_RECOVERY_ERROR_UNKNOWN`
BitLocker entered recovery mode because of an unknown error. A recovery method is required to unlock the device.
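Review bot: the new page's front matter has an empty `description:` value, which every other page in this commit populates; fill it in before this goes live. Within the same file: typos `posession` and `mroe`; two cross-references with no link target (`For mroe information about BitLocker recovery, see this page.` and `More information about how BitLocker uses the BCD is available here.`), and two places that paste a page title instead of a link (`Trusted Platform Module Technology Overview - Windows Security | Microsoft Learn`, `BitLocker overview - Windows Security | Microsoft Learn`); the line `BitLocker recovery errors and their causes` directly under the H1 is neither a heading nor a sentence; the error codes are formatted inconsistently, as bare text from `E_FVE_USER_REQUESTED_RECOVERY` through `E_MATCHING_PCRS_TPM_FAILURE` but as `### \`E_FVE_PCR_MISMATCH\``-style headings from the Protector section onward; and the `E_FVE_TPM_NOT_DETECTED` sentence is missing its period. Suggest one heading convention for all codes so the page's structure matches its sibling preboot-recovery-screen.md.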

View File

@ -17,6 +17,8 @@ items:
href: recovery-process.md
- name: Preboot recovery screen
href: preboot-recovery-screen.md
- name: Preboot recovery screen refresh
href: recovery-screen.md
- name: How-to guides
items:
- name: Install BitLocker on Windows Server
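Review bot: the new TOC entry `- name: Preboot recovery screen refresh` doesn't match the new page's title `BitLocker recovery screen`, and `refresh` reads like an internal working label rather than a user-facing name; align the two. Since the page carries `[!INCLUDE [insider-note](...)]`, confirm it is intended to appear in the public TOC alongside the existing `Preboot recovery screen` entry rather than replacing it.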