Paolo Matarazzo
2023-10-27 09:49:02 -04:00
parent 5fec58a03e
commit 84e23a0895
3 changed files with 19 additions and 7 deletions


@ -188,7 +188,7 @@ For more information about how to configure Network unlock feature, see [Network
## BitLocker recovery
Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to BitLocker recovery, which are described in the [BitLocker recovery guide](recovery-guide.md).
Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to design a BitLocker recovery model, which are described in the [BitLocker recovery guide](recovery-guide.md).
## Monitor BitLocker
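Review bot: the added line is ungrammatical: "when it comes to design a BitLocker recovery model" should read "when it comes to designing a BitLocker recovery model" (gerund after "when it comes to"). Suggested wording for the replacement line: `There are different options when it comes to designing a BitLocker recovery model, which are described in the [BitLocker recovery guide](recovery-guide.md).`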


@ -88,17 +88,17 @@ Answering the questions helps to determine the best BitLocker recovery process f
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
## Backup of recovery information
### User-initaited backup
In order to recover BitLocker, you need to have access to the recovery password. This means that all recovery scenarios start with the assumption that the recovery password is available. The BitLocker recovery password is unique to the computer it was created on and can be saved in various ways, such as on paper, on a USB startup device, in the Active Directory directory service, or in a file on a network. However, having access to this key allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it is crucial for your organization to establish procedures to control access to recovery passwords and ensure that they are stored securely, separate from the computers they protect.
#### OneDrive option
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key is saved properly by checking OneDrive for the *BitLocker* folder, which is created automatically during the save process. The folder contains two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Centralized backup
## Centralized backup
The preferred backup methodology in an organization is to automatically store BitLocker recovery information in a central location. Depending on the organization's requirements, the recovery information can be stored in Microsoft Entra ID, AD DS, or file shares.
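Review bot: promoting `### Centralized backup` to `## Centralized backup` breaks the heading hierarchy shown in this hunk: the section opens with `## Backup of recovery information`, whose first child is `### User-initaited backup`, so after this change the centralized method sits one level above its user-initiated sibling instead of beside it. Either keep `### Centralized backup` as a peer of the user-initiated subsection, or promote that subsection to `##` in the same change so the two backup methods stay at the same level. While these lines are being touched, the unchanged heading `### User-initaited backup` has a typo and should be `### User-initiated backup`.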
@ -152,7 +152,6 @@ A file with a file name format of `BitLocker Key Package {<id>}.KPG` is created
> [!NOTE]
> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume.
### Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
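Review bot: the unchanged note text in this hunk has a typo, "before any damage occurrs to the volume" should be "occurs"; since the hunk already edits this region (the header shows one line removed), fixing it here avoids a separate follow-up commit.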
@ -161,11 +160,12 @@ To make sure the correct password is provided and/or to prevent providing the in
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
#### Data Recovery Agents
### Data Recovery Agents
DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.
The benefit of using a DRA over password or key recovery is that the DRA acts as a *master key* for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume."
To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
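Review bot: the unchanged context line ending `without having to find a specific password or key for each individual volume."` carries a stray closing double quote with no matching opening quote; drop it while this region is being edited. The heading change from `#### Data Recovery Agents` to `### Data Recovery Agents` is consistent with the sibling `### Multiple recovery passwords` in the preceding hunk, so that part is fine.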


@ -18,6 +18,18 @@ This article describes how to recover BitLocker keys from Microsoft Entra ID and
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
A recovery key can't be stored in any of the following locations:
- The drive being encrypted
- The root directory of a non-removable drive
- An encrypted volume
> [!TIP]
> Ideally, a recovery key should be stored separate from the device itself.
> [!NOTE]
> Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery keys for self-service, if necessary.
### Help desk recovery
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.**
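Review bot: the added list "A recovery key can't be stored in any of the following locations" does not say whether these are locations BitLocker refuses when saving the key or a policy recommendation, and the reader needs that distinction to act on it; add one clause stating which it is. The added `> [!TIP]` wording "stored separate from the device itself" should read "stored separately from the device itself", and it largely repeats the unchanged guidance just above about not keeping the USB flash drive with the PC, so consider merging the two or making the tip reference that paragraph. The unchanged closing line also has "back up of the recovery password", which as a noun should be "backup of the recovery password".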