mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
updates
@ -1,42 +0,0 @@
---
title: BitLocker deployment comparison
description: Learn about the differences between Microsoft Intune and Microsoft Configuration Manager when managing BitLocker.
ms.topic: conceptual
ms.date: 10/02/2023
---
# BitLocker deployment comparison
This article compares the BitLocker management options between Microsoft Intune and Microsoft Configuration Manager.
| Requirements | Microsoft Intune | Microsoft Configuration Manager |
|--|--|--|
| *Supported Windows client editions* | Pro, Enterprise, Pro Education, Education | Pro, Enterprise, Pro Education, Education |
| *Windows server support* | ❌ | ❌ |
| *Supported domain-joined status* | Microsoft Entra joined and hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined |
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom |
| *Cloud or on premises* | Cloud | On premises |
| *Additional agent required?* | No (device enrollment only) | Configuration Manager client |
| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console |
| *Compliance reporting capabilities* | ✅ | ✅ |
| *Force encryption* | ✅ | ✅ |
| *Allow recovery password* | ✅ | ✅ |
| *Manage startup authentication* | ✅ | ✅ |
| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ |
| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ |
| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ |
| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database |
| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Both | Active Directory only |
| *Customize preboot message and recovery link* | ✅ | ✅ |
| *Allow/deny key file creation* | ✅ | ✅ |
| *Deny Write permission to unprotected drives* | ✅ | ✅ |
| *Can be administered outside company network* | ✅ | ✅ |
| *Support for organization unique IDs* | ✅ | ✅ |
| *Self-service recovery* | ✅ | ✅ |
| *Recovery password rotation for fixed and operating environment drives* | ✅ | ✅ |
| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | ❌ |
| *Wait to complete encryption until recovery information is backed up to Active Directory* | ✅ | ✅ |
| *Allow or deny Data Recovery Agent* | ✅ | ❌ |
| *Unlock a volume using certificate with custom object identifier* | ❌ | ❌ |
| *Prevent memory overwrite on restart* | ✅ | ✅ |
| *Manage auto-unlock functionality* | ✅ | ✅ |
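Review bot: Deleting the whole BitLocker deployment comparison article leaves its former URL unhandled; add a redirect for it (or say in the commit message where the Intune vs. Configuration Manager comparison now lives) before merging. This table is the only place in the commit that records differences such as "Wait to complete encryption until recovery information is backed up to Microsoft Entra ID" (Intune ✅, Configuration Manager ❌) and "Allow or deny Data Recovery Agent" (Intune ✅, Configuration Manager ❌), so confirm that content is carried over rather than dropped. The commit message "updates" gives no reason for the removal.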
@ -8,7 +8,7 @@ ms.date: 10/03/2023
# BitLocker settings and configuration
This article describes the Personal Data Encryption (BitLocker) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
<!--
## BitLocker settings
## Configure BitLocker with Microsoft Intune
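Review bot: The intro sentence "This article describes the Personal Data Encryption (BitLocker) settings..." mislabels the feature: Personal Data Encryption is a separate Windows feature, and the heading above it is "BitLocker settings and configuration". Suggest "This article describes the BitLocker settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP)." The `<!--` at the end of this hunk opens a comment block that only closes in the next hunk; make sure everything meant to be hidden, and nothing else, sits between it and the `-->`.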
@ -27,45 +27,23 @@ This article describes the Personal Data Encryption (BitLocker) settings and how
- Review the [Personal Data Encryption (BitLocker) FAQ](faq.yml)
This article describes how to configure BitLocker using Microsoft Intune or group policy.
## Configure BitLocker
## Configure Credential Guard
This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
## Enable Credential Guard
To enable Credential Guard, you can use:
To configure BitLocker, you can use:
- Microsoft Intune/MDM
- Group policy
- Registry
### Configure Credential Guard with group policy
### Configure Credential Guard with registry settings
### Configure Credential Guard Microsoft Intune
### Verify if Credential Guard is enabled
-->
#### System Information
## BitLocker management
#### PowerShell
#### Event viewer
## Disable Credential Guard
### Disable Credential Guard with Intune
### Disable Credential Guard with group policy
### Disable Credential Guard with registry settings
## Next steps
# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction.
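Review bot: The Credential Guard headings in this hunk ("Configure Credential Guard", "Enable Credential Guard", "Verify if Credential Guard is enabled", the three "Disable Credential Guard with ..." subsections) are template leftovers from another article. The ones before `-->` are hidden by the comment, but "#### System Information", "#### PowerShell", "#### Event viewer" and the "Disable Credential Guard" sections sit after the closing `-->` and will render if they survive this change; either remove them or move them inside the comment. The link text "Personal Data Encryption (BitLocker) FAQ" carries the same mislabel as the article intro; "BitLocker FAQ" is the right text for `faq.yml`. "This article describes how to configure BitLocker using Microsoft Intune or group policy." duplicates the intro sentence and disagrees with it (Intune/CSP vs. Intune/group policy); keep one.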
@ -77,11 +55,6 @@ The ideal solution for BitLocker management is to eliminate the need for IT admi
Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
> [!IMPORTANT]
> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
## Manage Microsoft Entra joined devices
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption.md) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
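Review bot: The MBAM paragraph is stale and inconsistent with the rest of the hunk: "until mainstream support ends in July 2019" is in the past relative to the article's ms.date, and it says "Azure Active Directory (Azure AD)" while the heading two lines later reads "Manage Microsoft Entra joined devices" and the paragraph under it again says "Devices joined to Azure AD". Use "Microsoft Entra ID" consistently and rephrase the support sentence in the past tense (mainstream support ended in July 2019; extended support runs until April 2026). "Refer to the [PowerShell examples](#powershell-examples)" is an in-page anchor; confirm that section still exists after the 45-to-23-line cut earlier in this file.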
@ -104,5 +77,3 @@ If a server is being installed manually, such as a stand-alone server, then choo
Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](network-unlock.md).
For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles).
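Review bot: "see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles)" depends on an in-page anchor, and this hunk cuts the end of the file from 5 lines to 3; verify the Related Articles section is still present or drop the sentence, since a dangling anchor is a build warning. The Network Unlock paragraph is fine; its link targets a separate file.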
@ -136,7 +136,7 @@ When the cluster service owns a disk resource already, the disk resource needs t
2. Ensure new storage is formatted as NTFS.
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a Command Prompt window. For example:
```cmd
manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
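Review bot: Step 3's wording "add the cluster administrator as a protector key" does not match the command: `-sid domain\CNO$` adds a SID-based protector for the cluster name object (CNO) computer account, not for an administrator user. Suggest "add the cluster name object (CNO) as a SID-based protector". The "Command Prompt" capitalization change itself is fine.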
@ -88,7 +88,7 @@ To install BitLocker using the `dism.exe` module, use the following command:
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
```
This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
This Command Prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
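Review bot: The search-and-replace misfired on "This Command Prompts the user for a reboot": "command prompts" is a verb phrase here (the command prompts the user), not the Command Prompt app, so the new capitalization is wrong. Revert to "This command prompts the user for a reboot." Separately, the hunk context "To install BitLocker using the `dism.exe` module" introduces an `Enable-WindowsOptionalFeature` PowerShell cmdlet; check that the lead-in names the tool actually shown.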
@ -204,7 +204,7 @@ sections:
- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: |
The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated Command Prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
```cmd
manage-bde.exe -protectors -delete %systemdrive% -type tpm
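Review bot: `Manage-bde.exe` in the answer text is capitalized differently from `manage-bde.exe` in the command below it and in the other hunks of this commit; use the lowercase form throughout. Because the first command removes the TPM protector before the PIN-based one is added, the answer should also tell the reader to have the recovery password at hand before running it, in case the second command does not complete.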
@ -314,7 +314,7 @@ sections:
For more info, see [BitLocker policy settings](policy-settings.md).
The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
The BitLocker Windows Management Instrumentation (WMI) interface allows administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated Command Prompt:
```powershell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
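Review bot: "from an elevated Command Prompt" names the wrong tool for this block: the script uses `$env:SystemDrive` and `Get-BitLockerVolume`, which only work in PowerShell, and the fence is tagged `powershell`. Say "from an elevated PowerShell session" instead. The prose "recovery information for the `$env:SystemDrive`" also reads better as "for the operating system drive (`$env:SystemDrive`)".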
@ -1,20 +0,0 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/24/2023
ms.topic: include
---
### Allow suspension of BitLocker protection
When enabled, this policy allows the suspension of BitLocker protection. When disabled, it prevents suspending BitLocker protection.
The default value is *enabled*.
> [!NOTE]
> This policy is applicable to Windows insider builds.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|
| **GPO** | Not available |
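Review bot: Deleting the "Allow suspension of BitLocker protection" include orphans any remaining reference to it: the policy-settings hunk later in this commit still shows `[!INCLUDE [allow-suspension-of-bitlocker-protection](includes/allow-suspension-of-bitlocker-protection.md)]` and a table row linking to `#allow-suspension-of-bitlocker-protection`, and an include of a missing file fails the build. Remove both together with the file, or keep the file. If the intent is only to hide a policy that is "applicable to Windows insider builds", keeping the note in the include is less disruptive than deleting it.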
@ -234,7 +234,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=
_continue_ = "1.3.6.1.4.1.311.67.1.1"
```
3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
3. Open an elevated Command Prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
```cmd
certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
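Review bot: Step 3 says to specify "the full path to the file that was created previously", but the command uses bare file names (`certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer`); either show a path placeholder in the command or say it is run from the folder that contains the `.inf` file. The "Command Prompt" capitalization is fine.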
@ -384,7 +384,7 @@ Gather the following files to troubleshoot BitLocker Network Unlock.
Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
- Start an elevated command prompt, and then run the following command:
- Start an elevated Command Prompt, and then run the following command:
```cmd
wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
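Review bot: "To retrieve WDS debug logs, the WDS debug logs first need to be enabled" repeats itself; "Debug logging is turned off by default for the WDS server role and must be enabled before the logs can be collected" says it once. Since `wevtutil.exe sl ... /e:true` leaves the diagnostic channel enabled, add a line telling the reader to turn it back off after collecting the logs (the same command with `/e:false`) so the debug channel does not keep growing on a production server.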
@ -15,7 +15,7 @@ There are differnt tools and options to manage and operate BitLocker:
- the BitLocker drive encryption tools
- Control Panel
The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker control panel. They are appropriate to use for automated deployments and other scripting scenarios.\
The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLockerControl Panel. They are appropriate to use for automated deployments and other scripting scenarios.\
The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks.
This article describes the BitLocker management tools and how to use them, providing practical examples.
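Review bot: The replacement dropped a space: "BitLockerControl Panel" should be "BitLocker Control Panel". The same defect appears in every "control panel" hunk of this commit ("theControl Panel", "TheControl Panel"), so rerun the replace with the leading space preserved rather than patching occurrences by hand. Also in this hunk's context line: "differnt" → "different".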
@ -33,7 +33,7 @@ The BitLocker drive encryption tools include the two command-line tools:
## Example: check the BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLockerControl Panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
Follow the instructions below verify the status of BitLocker, selecting the tool of your choice.
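Review bot: Same missing space: "BitLockerControl Panel applet" → "BitLocker Control Panel applet". The line after it, "Follow the instructions below verify the status of BitLocker", is missing "to" ("below to verify").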
@ -89,7 +89,7 @@ Volume C: [Local Disk]
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
Checking BitLocker status with the control panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include:
Checking BitLocker status with theControl Panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include:
| Status | Description |
| - | - |
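Review bot: "theControl Panel" → "the Control Panel" (missing space). The same sentence reads "Available status return values with applet include"; "with the applet" is intended.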
@ -98,7 +98,7 @@ Checking BitLocker status with the control panel is a common method used by most
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status.
If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use theControl Panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status.
---
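Review bot: "Administrators can use theControl Panel, PowerShell or `manage-bde.exe`" has the missing space; "the Control Panel". The following sentence already reads "the Control Panel will update", which is the form to match.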
@ -224,7 +224,7 @@ Or users can choose to add protectors to the volume. It is recommended to add at
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
Encrypting volumes with the BitLocker control panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
Encrypting volumes with the BitLockerControl Panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLockerControl Panel is BitLocker Drive Encryption. The BitLockerControl Panel supports encrypting operating system, fixed data, and removable data volumes. The BitLockerControl Panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLockerControl Panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
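Review bot: All five occurrences of "BitLockerControl Panel" in the replaced paragraph are missing the space ("BitLocker Control Panel"); as written, the sentence "The name of the BitLockerControl Panel is BitLocker Drive Encryption" is the most visible casualty.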
@ -257,7 +257,7 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen
> Ideally, a recovery key should be stored separate from the device itself.
> [!NOTE]
> After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
> After a recovery key is created, the BitLockerControl Panel can be used to make additional copies of the recovery key.
1. The **BitLocker Drive Encryption Wizard** prompts how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** has two options that determine how much of the drive is encrypted:
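Review bot: "the BitLockerControl Panel can be used to make additional copies" → "the BitLocker Control Panel" (missing space) in the note.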
@ -291,13 +291,13 @@ For the operating system volume the **BitLocker Drive Encryption Wizard** presen
After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** starts encryption. A reboot may be initiated to start encryption. If a reboot is initiated, if there was no TPM and a password was specified, the password must be entered to boot into the operating system volume.
Users can check encryption status by checking the system notification area or the BitLocker control panel.
Users can check encryption status by checking the system notification area or the BitLockerControl Panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
### Data volume
Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
Encrypting data volumes using the BitLockerControl Panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLockerControl Panel to begin the **BitLocker Drive Encryption Wizard**.
### OneDrive option
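Review bot: Missing space in both replaced lines of this hunk: "the BitLockerControl Panel" → "the BitLocker Control Panel" in the notification-area sentence and twice in the Data volume paragraph.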
@ -307,7 +307,7 @@ Users can verify whether the recovery key is saved properly by checking OneDrive
### Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLockerControl Panel.
---
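Review bot: "launched using the BitLockerControl Panel" → "BitLocker Control Panel" (missing space). In the same paragraph the menu item is written both as "Turn On BitLocker" and "Turn on BitLocker"; pick one capitalization.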
@ -394,7 +394,7 @@ or additional protectors can be added to the volume first. It's recommended to a
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
Using theControl Panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
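Review bot: "Using theControl Panel, administrators" → "Using the Control Panel" (missing space). "BitLocker Drive Encryption wizard" here is capitalized and styled differently from "**BitLocker Drive Encryption Wizard**" in the earlier hunks; match them.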
@ -437,11 +437,11 @@ manage-bde.exe -status C:
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel applet, users can select the **Turn off BitLocker** option to begin the process.\
After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
BitLocker decryption using theControl Panel is done using a wizard. TheControl Panel can be called from Windows Explorer or by opening it directly. After opening the BitLockerControl Panel applet, users can select the **Turn off BitLocker** option to begin the process.\
After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to theControl Panel.
The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
TheControl Panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
Once decryption is complete, the drive updates its status in theControl Panel and becomes available for encryption.
---
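Review bot: Six missing spaces across the four replaced lines of this hunk: "theControl Panel" (twice in the first line, once in the second), "BitLockerControl Panel applet", "TheControl Panel doesn't report", and "in theControl Panel". All should read "the Control Panel" / "The Control Panel" / "BitLocker Control Panel".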
@ -120,9 +120,9 @@ Windows RE can also be used from boot media other than the local hard disk. If W
BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLockerControl Panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use theControl Panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
When using theControl Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
Administrators can enable BitLocker before to operating system deployment from the Windows Pre-installation Environment (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the Used Disk Space Only option, then this step takes only a few seconds. And, it incorporates into the regular deployment processes.
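Review bot: "BitLockerControl Panel applet" and "theControl Panel options" in both replaced lines are missing the space. The context line below them, "enable BitLocker before to operating system deployment", should read "before operating system deployment", and "Windows Pre-installation Environment (WinPE)" there is spelled "Windows Preinstallation Environment (WinPE)" in the management article hunk of this same commit; use the unhyphenated form in both.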
@ -32,23 +32,23 @@ The following table lists the BitLocker policies applicable to all drive types,
|Policy name| CSP | GPO |
|-|-|-|
|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
|[Allow suspension of BitLocker protection](#allow-suspension-of-bitlocker-protection)|✅|❌|
|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
|[Require device encryption](#require-device-encryption)|✅|❌|
|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
[!INCLUDE [allow-suspension-of-bitlocker-protection](includes/allow-suspension-of-bitlocker-protection.md)]
[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
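Review bot: The "Allow suspension of BitLocker protection" table row and its `[!INCLUDE [allow-suspension-of-bitlocker-protection](includes/allow-suspension-of-bitlocker-protection.md)]` line point at a file this commit deletes (the `@ -1,20 +0,0 @@` hunk with the `AllowSuspensionOfBitLockerProtection` CSP path); if they survive this hunk, the include will not resolve. Also, "Require device encryption" is listed here under "all drive types" and again in the operating system drive table below; keep it in one table.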
@ -71,7 +71,6 @@ The following table lists the BitLocker policies applicable to all drive types,
|[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
|[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
|[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
|[Require device encryption](#require-device-encryption)|✅|❌|
|[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
|[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
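Review bot: the line count (-71,7 +71,6) shows one row dropped from the Operating system drive table, and `Require device encryption` is the only row here that the all-drive-types table above also lists, so removing it here is the right dedup: two rows linking to `#require-device-encryption` would otherwise compete for a single anchor. Pair it with dropping the matching `[!INCLUDE [require-device-encryption]...]` under the same tab (the -91,7 +90,6 hunk below appears to do that); otherwise the tab would still document a setting its table no longer lists.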
@ -91,7 +90,6 @@ The following table lists the BitLocker policies applicable to all drive types,
[!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
[!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
[!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
[!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
[!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
@ -137,9 +135,9 @@ The following table lists the BitLocker policies applicable to all drive types,
---
## BitLocker and policies compliance
## BitLocker and policcy settings compliance
If a device isn't compliant with the configured policies, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in policy settings.
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in policy settings.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password but then policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [`manage-bde`](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
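Review bot: the replacement heading `## BitLocker and policcy settings compliance` misspells "policy"; headings become anchors, so the typo would also land in every link that targets this section. While touching the paragraph below it, "Such scenario could occur" (and "Such situation could occur" in the next paragraph) reads better as "Such a scenario could occur", and the first sentence is clearer if it names the two outcomes explicitly: BitLocker either refuses to turn on, or accepts only configuration changes that bring the drive back into compliance.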
@ -116,7 +116,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
3. At the command prompt, enter the following command:
3. At the Command Prompt, enter the following command:
```cmd
manage-bde.exe -forcerecovery <BitLockerVolume>
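Review bot: "Command Prompt" is now capitalized, but the step right above it still says "Right select on **cmd.exe**"; Microsoft style is "right-click" (or "select and hold"), so fix both steps in the same change. The procedure also runs `manage-bde.exe -forcerecovery <BitLockerVolume>` without first telling the reader to have the recovery password for that volume at hand; since the stated purpose is to test recovery by driving the device into recovery mode on the next restart, a one-line caveat before the command would prevent a locked-out test machine.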
@ -128,7 +128,7 @@ Before a thorough BitLocker recovery process is created, it's recommended to tes
2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
3. At the command prompt, enter the following command:
3. At the Command Prompt, enter the following command:
```cmd
manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>
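Review bot: same two points as the local variant above ("Right select on" should be "right-click", and the step needs a caveat about having the recovery password available), with more weight here because `manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>` puts a remote device into recovery; say that the recovery password for that remote device must be retrievable before the command is run.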
@ -468,7 +468,7 @@ If the recovery methods discussed earlier in this document don't unlock the volu
> [!NOTE]
> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieve-the-bitlocker-key-package).
## Resetting recovery passwords
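Review bot: the corrected anchor `#retrieve-the-bitlocker-key-package` points at a heading that this same commit wraps in an HTML comment (`<!--` in the -507 hunk, `-->` in the -518 hunk), so the link will be dead once merged; either keep the "Retrieve the BitLocker key package" section visible or drop the sentence "For more information on how to export key packages, see ...". The unchanged note above it, "must be used to use the BitLocker key package", should read "is required to use the BitLocker key package".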
@ -507,7 +507,7 @@ The recovery password and be invalidated and reset in two ways:
> [!WARNING]
> The braces `{}` must be included in the ID string.
<!--
## Retrieve the BitLocker key package
Two methods can be used to retrieve the key package as described in Using Additional Recovery Information:
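Review bot: hiding the section behind `<!--` leaves `## Retrieve the BitLocker key package` and its `msFVE-KeyPackage` retrieval text in the source where it no longer renders but is still linked from the key-package paragraph earlier in the file; if the script-based method is being retired, delete the block rather than comment it out, or replace it with the current way to obtain the key package. Also check that the `> [!WARNING]` about braces `{}` in the ID string, now the last visible item before the hidden section, still closes its list cleanly.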
@ -518,7 +518,7 @@ Export a new key package from an unlocked, BitLocker-protected volume. Local adm
strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")
-->
### Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device
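Review bot: the `-->` closes the comment opened in the previous hunk, leaving two blank lines before `### Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device`; collapse them to one, and fix "Bitlocker" to "BitLocker" in that heading while you are here.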
@ -568,6 +568,8 @@ Device name: DESKTOP-53O32QI
Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4
BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682
```
### Repair tool
The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier
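Review bot: "If the BitLocker metadata data on the drive is corrupt" doubles a word (drop "data"), the paragraph's last sentence "Each key package works only for a drive that has the corresponding drive identifier" has no terminal period, and "The Repair Tool" in the body disagrees in case with the new `### Repair tool` heading; pick one. Two blank lines also separate the closing code fence from the heading, where one will do.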
@ -17,9 +17,9 @@ items:
href: operations-guide.md
- name: Network Unlock
href: network-unlock.md
- name: Protect cluster shared volumes and storage area networks with BitLocker
- name: Cluster shared volumes and storage area networks
href: csv-san.md
- name: BitLocker Recovery Guide
- name: BitLocker recovery guide
href: recovery-guide.md
- name: BitLocker Recovery Password Viewer
href: recovery-password-viewer.md
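Review bot: the two renamed entries move to sentence case ("Cluster shared volumes and storage area networks", "BitLocker recovery guide") while the neighbouring "Network Unlock" and "BitLocker Recovery Password Viewer" stay title case; that is consistent only if those two are being treated as feature or tool names, so either say so in the commit message or apply the same rule to all four entries. The CSV entry also drops "Protect ... with BitLocker", which is fine inside a BitLocker TOC, but make sure the title in `csv-san.md` was changed to match.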