From 8137ceb43a410fb5c6ff2243ba7b2548f64761e8 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 4 Oct 2023 18:00:47 -0400
Subject: [PATCH] updates
---
 ...blishing.redirection.windows-security.json | 22 +++++++++-
 ...odelete_bitlocker-deployment-comparison.md | 42 ------------------
 .../data-protection/bitlocker/configure.md | 43 +++----------------
 .../data-protection/bitlocker/csv-san.md | 2 +-
 .../bitlocker/enable-server.md | 2 +-
 .../data-protection/bitlocker/faq.yml | 4 +-
 ...llow-suspension-of-bitlocker-protection.md | 20 ---------
 .../bitlocker/network-unlock.md | 4 +-
 .../bitlocker/operations-guide.md | 28 ++++++------
 .../data-protection/bitlocker/plan.md | 4 +-
 .../bitlocker/policy-settings.md | 10 ++---
 .../bitlocker/recovery-guide.md | 12 +++---
 .../data-protection/bitlocker/toc.yml | 4 +-
 13 files changed, 63 insertions(+), 134 deletions(-)
 delete mode 100644 windows/security/operating-system-security/data-protection/bitlocker/_todelete_bitlocker-deployment-comparison.md
 delete mode 100644 windows/security/operating-system-security/data-protection/bitlocker/includes/allow-suspension-of-bitlocker-protection.md
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 2490ae95e9..bb4fc5e7f4 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -7452,13 +7452,33 @@
 },
 {
 "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md",
- "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/manage",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/operations-guide",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md",
 "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/csv-san",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/enable-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
+ "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
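Review bot: The last added entry's `redirect_url` ends in `.md` (`.../bitlocker/recovery-password-viewer.md`), while every other `redirect_url` in this hunk is an extensionless site path (`/operations-guide`, `/csv-san`, `/policy-settings`, `/enable-server`, `/configure`); if the site resolves those without an extension, this one presumably lands on a non-existent page, so the retired recovery-password-viewer article would redirect into a 404. Drop the suffix: `"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer",`. No `recovery-password-viewer` file appears in this commit's diffstat, so whether the target article exists is worth confirming before merge.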
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/_todelete_bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/_todelete_bitlocker-deployment-comparison.md
deleted file mode 100644
index c0a7e8005b..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/_todelete_bitlocker-deployment-comparison.md
+++ /dev/null
@@ -1,42 +0,0 @@ ---- -title: BitLocker deployment comparison -description: Learn about the differences between Microsoft Intune and Microsoft Configuration Manager when managing BitLocker. -ms.topic: conceptual -ms.date: 10/02/2023 ---- - -# BitLocker deployment comparison - -This article compares the BitLocker management options between Microsoft Intune and Microsoft Configuration Manager. - -| Requirements | Microsoft Intune | Microsoft Configuration Manager | -|--|--|--| -| *Supported Windows client editions* | Pro, Enterprise, Pro Education, Education | Pro, Enterprise, Pro Education, Education | -| *Windows server support* | ❌ | ❌ | -| *Supported domain-joined status* | Microsoft Entra joined and hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined | -| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | -| *Cloud or on premises* | Cloud | On premises | -| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | -| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | -| *Compliance reporting capabilities* | ✅ | ✅ | -| *Force encryption* | ✅ | ✅ | -| *Allow recovery password* | ✅ | ✅ | -| *Manage startup authentication* | ✅ | ✅ | -| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | -| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | -| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | -| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database | -| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Both | Active Directory only | -| *Customize preboot message and recovery link* | ✅ | ✅ | -| *Allow/deny key file creation* | ✅ | ✅ | -| *Deny Write permission to unprotected drives* | ✅ | ✅ | -| *Can be administered outside 
company network* | ✅ | ✅ | -| *Support for organization unique IDs* | ✅ | ✅ | -| *Self-service recovery* | ✅ | ✅ | -| *Recovery password rotation for fixed and operating environment drives* | ✅ | ✅ | -| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | ❌ | -| *Wait to complete encryption until recovery information is backed up to Active Directory* | ✅ | ✅ | -| *Allow or deny Data Recovery Agent* | ✅ | ❌ | -| *Unlock a volume using certificate with custom object identifier* | ❌ | ❌ | -| *Prevent memory overwrite on restart* | ✅ | ✅ | -| *Manage auto-unlock functionality* | ✅ | ✅ | diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md index 89f023a5cd..bbc5a0a2da 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md 
@@ -8,7 +8,7 @@ ms.date: 10/03/2023 # BitLocker settings and configuration This article describes the Personal Data Encryption (BitLocker) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). - + -#### System Information +## BitLocker management -#### PowerShell - -#### Event viewer - -## Disable Credential Guard - -### Disable Credential Guard with Intune - -### Disable Credential Guard with group policy - -### Disable Credential Guard with registry settings - -## Next steps - - -# BitLocker management The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. 
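Review bot: The intro sentence kept as context directly above the new `## BitLocker management` heading still reads `This article describes the Personal Data Encryption (BitLocker) settings ...`, which looks like leftover text from another article's template; the headings this hunk deletes (System Information, Event viewer, Disable Credential Guard) point the same way, and a reader opening the BitLocker configuration page will be told it is about a different feature. Suggest `This article describes the BitLocker settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).` The paragraph under the new heading ends in `have helped to alleviate the support burden on help desks and a decrease in support-call volumes`, which doesn't parse; `and reduce support-call volumes` reads cleanly.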
@@ -77,11 +55,6 @@ The ideal solution for BitLocker management is to eliminate the need for IT admi Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md). -Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). - -> [!IMPORTANT] -> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information. - ## Manage Microsoft Entra joined devices Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. 
Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption.md) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online. @@ -104,5 +77,3 @@ If a server is being installed manually, such as a stand-alone server, then choo Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](network-unlock.md). For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles). - - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md index 46d74af3bf..22c4c0c2c7 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md 
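Review bot: The retained context under the `## Manage Microsoft Entra joined devices` heading still says `Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy`, so the heading and its first sentence use two names for the same service, and within this hunk the deleted MBAM paragraph was the only text that spelled out "Azure Active Directory (Azure AD)" for the reader. Suggest `Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune.` The context also links `bitlocker-device-encryption.md`; I can't see from this diff whether that file survives the reorganization, so the link is worth checking alongside the redirect entries. The whitespace-only hunk at -104 needs nothing.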
@@ -136,7 +136,7 @@ When the cluster service owns a disk resource already, the disk resource needs t 2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example: +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a Command Prompt window. For example: ```cmd manage-bde.exe -on -used -RP -sid domain\CNO$ -sync diff --git a/windows/security/operating-system-security/data-protection/bitlocker/enable-server.md b/windows/security/operating-system-security/data-protection/bitlocker/enable-server.md index 2b23898a94..d2d5bc8bad 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/enable-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/enable-server.md @@ -88,7 +88,7 @@ To install BitLocker using the `dism.exe` module, use the following command: Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` -This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: +This Command Prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All 
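Review bot: In enable-server.md the changed line now reads `This Command Prompts the user for a reboot.`; the capitalization pass evidently matched the verb phrase `command prompts` rather than the application name, and the sentence is now wrong. Restore `This command prompts the user for a reboot.` The same pass in csv-san.md (this anchor), faq.yml and network-unlock.md only touches the noun phrase `Command Prompt` and reads fine.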
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml index c0eed9c67a..65d30718ad 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml @@ -204,7 +204,7 @@ sections: - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? answer: | - The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN: + The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated Command Prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN: ```cmd manage-bde.exe -protectors -delete %systemdrive% -type tpm 
@@ -314,7 +314,7 @@ sections: For more info, see [BitLocker policy settings](policy-settings.md). - The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt: + The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated Command Prompt: ```powershell $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-suspension-of-bitlocker-protection.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-suspension-of-bitlocker-protection.md deleted file mode 100644 index c1d0ba1e66..0000000000 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-suspension-of-bitlocker-protection.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 09/24/2023 -ms.topic: include ---- - -### Allow suspension of BitLocker protection - -When enabled, this policy allows the suspension of BitLocker protection. When disabled, it prevents suspending BitLocker protection. - -The default value is *enabled*. - -> [!NOTE] -> This policy is applicable to Windows insider builds. - -| | Path | -|--|--| -| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)| -| **GPO** | Not available | \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md index 11f7b07e86..c59d936280 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md @@ -234,7 +234,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN= _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` -3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name: +3. Open an elevated Command Prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name: ```cmd certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer 
@@ -384,7 +384,7 @@ Gather the following files to troubleshoot BitLocker Network Unlock. Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging. - - Start an elevated command prompt, and then run the following command: + - Start an elevated Command Prompt, and then run the following command: ```cmd wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md index 6a8dbf973b..03fc9b972d 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md @@ -15,7 +15,7 @@ There are differnt tools and options to manage and operate BitLocker: - the BitLocker drive encryption tools - Control Panel -The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker control panel. They are appropriate to use for automated deployments and other scripting scenarios.\ +The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLockerControl Panel. They are appropriate to use for automated deployments and other scripting scenarios.\ The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks. This article describes the BitLocker management tools and how to use them, providing practical examples. 
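Review bot: In operations-guide.md the new line drops the space before the replaced term, giving `BitLockerControl Panel`; the same replacement left `theControl Panel`, `TheControl Panel` and `BitLockerControl Panel` across the remaining hunks of this file (at -33, -89, -98, -224, -257, -291, -307, -394 and -437) and in plan.md at -120. Each should read `the BitLocker Control Panel`, `the Control Panel` or `The Control Panel` respectively; a search for `eControl Panel` and `rControl Panel` on the new side finds every instance. The hunk-header context for -15 also shows `There are differnt tools`, a typo on a line outside this hunk.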
@@ -33,7 +33,7 @@ The BitLocker drive encryption tools include the two command-line tools: ## Example: check the BitLocker status -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLockerControl Panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. Follow the instructions below verify the status of BitLocker, selecting the tool of your choice. @@ -89,7 +89,7 @@ Volume C: [Local Disk] #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -Checking BitLocker status with the control panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include: +Checking BitLocker status with theControl Panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include: | Status | Description | | - | - | 
@@ -98,7 +98,7 @@ Checking BitLocker status with the control panel is a common method used by most | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use theControl Panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status. --- 
@@ -224,7 +224,7 @@ Or users can choose to add protectors to the volume. It is recommended to add at #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -Encrypting volumes with the BitLocker control panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLockerControl Panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLockerControl Panel is BitLocker Drive Encryption. The BitLockerControl Panel supports encrypting operating system, fixed data, and removable data volumes. The BitLockerControl Panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLockerControl Panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume). 
@@ -257,7 +257,7 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen > Ideally, a recovery key should be stored separate from the device itself. > [!NOTE] - > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key. + > After a recovery key is created, the BitLockerControl Panel can be used to make additional copies of the recovery key. 1. The **BitLocker Drive Encryption Wizard** prompts how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** has two options that determine how much of the drive is encrypted: 
@@ -291,13 +291,13 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** starts encryption. A reboot may be initiated to start encryption. If a reboot is initiated, if there was no TPM and a password was specified, the password must be entered to boot into the operating system volume. -Users can check encryption status by checking the system notification area or the BitLocker control panel. +Users can check encryption status by checking the system notification area or the BitLockerControl Panel. Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. ### Data volume -Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**. +Encrypting data volumes using the BitLockerControl Panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLockerControl Panel to begin the **BitLocker Drive Encryption Wizard**. ### OneDrive option 
@@ -307,7 +307,7 @@ Users can verify whether the recovery key is saved properly by checking OneDrive ### Using BitLocker within Windows Explorer -Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. +Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLockerControl Panel. --- 
@@ -394,7 +394,7 @@ or additional protectors can be added to the volume first. It's recommended to a #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. +Using theControl Panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. Once BitLocker protector activation is completed, the completion notice is displayed. 
@@ -437,11 +437,11 @@ manage-bde.exe -status C: #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel applet, users can select the **Turn off BitLocker** option to begin the process.\ -After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel. +BitLocker decryption using theControl Panel is done using a wizard. TheControl Panel can be called from Windows Explorer or by opening it directly. After opening the BitLockerControl Panel applet, users can select the **Turn off BitLocker** option to begin the process.\ +After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to theControl Panel. -The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. +TheControl Panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. -Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. +Once decryption is complete, the drive updates its status in theControl Panel and becomes available for encryption. --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/plan.md b/windows/security/operating-system-security/data-protection/bitlocker/plan.md index aaf5163a79..fa50e850db 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/plan.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/plan.md 
@@ -120,9 +120,9 @@ Windows RE can also be used from boot media other than the local hard disk. If W
 BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
-To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
+To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLockerControl Panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use theControl Panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
-When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
+When using theControl Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
 Administrators can enable BitLocker before to operating system deployment from the Windows Pre-installation Environment (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the Used Disk Space Only option, then this step takes only a few seconds. And, it incorporates into the regular deployment processes.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
index ce9401578b..497ce21721 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/policy-settings.md
@@ -32,23 +32,23 @@ The following table lists the BitLocker policies applicable to all drive types,
 |Policy name| CSP | GPO |
 |-|-|-|
 |[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
-|[Allow suspension of BitLocker protection](#allow-suspension-of-bitlocker-protection)|✅|❌|
 |[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
 |[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
 |[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
 |[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
 |[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
 |[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
+|[Require device encryption](#require-device-encryption)|✅|❌|
 |[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
 [!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
-[!INCLUDE [allow-suspension-of-bitlocker-protection](includes/allow-suspension-of-bitlocker-protection.md)]
 [!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
 [!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
 [!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
 [!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
 [!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
 [!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
+[!INCLUDE
[require-device-encryption](includes/require-device-encryption.md)]
 [!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
 #### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
@@ -71,7 +71,6 @@ The following table lists the BitLocker policies applicable to all drive types,
 |[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
 |[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
 |[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
-|[Require device encryption](#require-device-encryption)|✅|❌|
 |[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
 |[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
@@ -91,7 +90,6 @@ The following table lists the BitLocker policies applicable to all drive types,
 [!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
 [!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
 [!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
-[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
 [!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
 [!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
@@ -137,9 +135,9 @@ The following table lists the BitLocker policies applicable to all drive types,
 ---
-## BitLocker and policies compliance
+## BitLocker and policcy settings compliance
-If a device isn't compliant with the configured policies, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in policy settings.
+If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in policy settings.
 If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password but then policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [`manage-bde`](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
index 4ec300b0ea..24bf776ecd 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
@@ -116,7 +116,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
 2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
-3. At the command prompt, enter the following command:
+3. At the Command Prompt, enter the following command:
 ```cmd
 manage-bde.exe -forcerecovery
@@ -128,7 +128,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
 2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
-3. At the command prompt, enter the following command:
+3. At the Command Prompt, enter the following command:
 ```cmd
 manage-bde.exe -ComputerName -forcerecovery
@@ -468,7 +468,7 @@ If the recovery methods discussed earlier in this document don't unlock the volu
 > [!NOTE]
 > The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
-The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
+The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieve-the-bitlocker-key-package).
 ## Resetting recovery passwords
@@ -507,7 +507,7 @@ The recovery password and be invalidated and reset in two ways:
 > [!WARNING]
 > The braces `{}` must be included in the ID string.
- 
+
 ### Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
@@ -568,6 +568,8 @@ Device name: DESKTOP-53O32QI
 Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4
 BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682
 ```
+
+
 ### Repair tool
 The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
index ac71140602..d22f6837fa 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
@@ -17,9 +17,9 @@ items:
 href: operations-guide.md
 - name: Network Unlock
 href: network-unlock.md
- - name: Protect cluster shared volumes and storage area networks with BitLocker
+ - name: Cluster shared volumes and storage area networks
 href: csv-san.md
- - name: BitLocker Recovery Guide
+ - name: BitLocker recovery guide
 href: recovery-guide.md
 - name: BitLocker Recovery Password Viewer
 href: recovery-password-viewer.md