From 85d642ee4e774906a1006cbfc6c569af13397bfb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:30:17 -0400 Subject: [PATCH] recovery guide --- .../recovery-guide-password-reset.md | 46 +++++ .../bitlocker/recovery-guide-process.md | 181 ++++++++++++++++ .../bitlocker/recovery-guide-repair-tool.md | 112 ++++++++++ .../bitlocker/recovery-guide-screen.md | 141 ------------- .../bitlocker/recovery-guide.md | 193 +----------------- .../data-protection/bitlocker/toc.yml | 6 + 6 files changed, 346 insertions(+), 333 deletions(-) create mode 100644 windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md create mode 100644 windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-process.md create mode 100644 windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md new file mode 100644 index 0000000000..885e4211f1 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-password-reset.md 
@@ -0,0 +1,46 @@ +--- +title: Reset recovery password +description: Learn how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). +ms.collection: + - highpri + - tier1 +ms.topic: how-to +ms.date: 09/29/2023 +--- + +# Reset recovery password + +It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason. + +The recovery password and be invalidated and reset in two ways: + +- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. + +### Resetting a recovery password using `manage-bde.exe` + +1. Remove the previous recovery password. + + ```cmd + `manage-bde.exe` -protectors -delete C: -type RecoveryPassword + ``` + +2. Add the new recovery password. + + ```cmd + `manage-bde.exe` -protectors -add C: -RecoveryPassword + ``` + +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. + + ```cmd + `manage-bde.exe` -protectors -get C: -Type RecoveryPassword + ``` + +4. Back up the new recovery password to AD DS. + + ```cmd + `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} + ``` + + > [!WARNING] + > The braces `{}` must be included in the ID string. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-process.md new file mode 100644 index 0000000000..800a2e0d06 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-process.md 
@@ -0,0 +1,181 @@ +--- +title: BitLocker recovery process +description: Learn how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). +ms.collection: + - highpri + - tier1 +ms.topic: how-to +ms.date: 09/29/2023 +--- + +# BitLocker recovery process + +When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: + +- how does the organization handle lost Windows passwords? +- how does the organization perform smart card PIN resets? + +After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization. + +When the recovery process is determined: + +- Become familiar with how a recovery password can be retrieved. See: + - [Self-recovery](#self-recovery) + - [Recovery password retrieval](#recovery-password-retrieval) +- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: + - [Post-recovery analysis](#post-recovery-analysis) + +## Self-recovery + +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. 
+ +## Recovery password retrieval + +If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + +This method requires to enable the policy settings: + - [Choose how BitLocker-protected operating system drives can be recovered](policy-settings.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) + - [Choose how BitLocker-protected fixed drives can be recovered](policy-settings.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) + - [Choose how BitLocker-protected removable drives can be recovered](policy-settings.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered) + +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD +DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. 
+ +> [!NOTE] +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required. + +The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. + +The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. + +- [Record the name of the user's computer](#record-the-name-of-the-users-computer) +- [Verify the user's identity](#verify-the-users-identity) +- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds) +- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred) +- [Give the user the recovery password](#give-the-user-the-recovery-password) + +### Record the name of the user's computer + +The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer. + +### Verify the user's identity + +The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user. + +### Locate the recovery password in AD DS + +Locate the computer object with the matching name in AD DS. 
Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest. + +### Multiple recovery passwords + +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. + +To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. + +### Gather information to determine why recovery occurred + +Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis). + +### Give the user the recovery password + +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. + +> [!NOTE] +> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. 
+ +### Post-recovery analysis + +When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + +If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see: + +- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery) +- [Resolve the root cause](#resolve-the-root-cause) + +### Determine the root cause of the recovery + +If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. + +While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. + +Review and answer the following questions for the organization: + +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? + +2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? + +3. If TPM mode was in effect, was recovery caused by a boot file change? + +4. 
If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? + +5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? + +6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? + +To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode: + +```cmd +manage-bde.exe -status +``` + +Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. + +### Resolve the root cause + +After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup. + +The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. + +> [!NOTE] +> BitLocker validation profile reset can be performed by suspending and resuming BitLocker. + +- [Unknown PIN](#unknown-pin) +- [Lost startup key](#lost-startup-key) +- [Changes to boot files](#changes-to-boot-files) + +## Unknown PIN + +If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. + +### To prevent continued recovery due to an unknown PIN + +1. Unlock the computer using the recovery password. + +2. Reset the PIN: + + 1. Select and hold the drive and then select **Change PIN** + + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. 
If the signed in account isn't an administrator account, administrative credentials must be provided at this time. + + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. + +3. The new PIN can be used the next time the drive needs to be unlocked. + +## Lost startup key + +If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created. + +### To prevent continued recovery due to a lost startup key + +1. Sign in as an administrator to the computer that has its startup key lost. + +2. Open Manage BitLocker. + +3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**. + +## Changes to boot files + +This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time. + +## Windows RE and device encryption + +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [device encryption](index.md#device-encryption). If a device is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. 
Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives. + +Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally. + +The BitLocker recovery screen in Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. + +To activate the narrator during BitLocker recovery in Windows RE, press WIN+CTRL+ENTER. To activate the on-screen keyboard, select a text input control. + diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md new file mode 100644 index 0000000000..113803d374 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md 
@@ -0,0 +1,112 @@ +--- +title: Repair tool +description: Learn how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). +ms.collection: + - highpri + - tier1 +ms.topic: how-to +ms.date: 09/29/2023 +--- + +# Repair tool + +Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. + +### BitLocker key package + +If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password. + +> [!NOTE] +> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package. + +The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieve-the-bitlocker-key-package). + +## Retrieve the BitLocker key package + +Two methods can be used to retrieve the key package as described in Using Additional Recovery Information: + +Export a previously saved key package from AD DS. Read access is required to BitLocker recovery passwords that are stored in AD DS. + +Export a new key package from an unlocked, BitLocker-protected volume. 
Local administrator access to the working volume is required before any damage occurred to the volume. + + strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword") + strKeyPackage = objFveInfo.Get("msFVE-KeyPackage") + +### Repair tool + +The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier + +> [!TIP] +> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume: +> +> `manage-bde.exe -KeyPackage` + +The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions: + +- The drive is encrypted using BitLocker Drive Encryption +- Windows doesn't start, or the BitLocker recovery console can't start +- There isn't a backup copy of the data that is contained on the encrypted drive + +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. 
+ +The following limitations exist for Repair-bde: + +- it can't repair a drive that failed during the encryption or decryption process +- it assumes that if the drive has any encryption, then the drive is fully encrypted + +For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). + + + +## Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device + +``` PowerShell +function Get-EntraBitLockerKeys{ + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")] + [string]$DeviceName + ) + $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId + if ($DeviceID){ + $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id + if ($keyIds) { + Write-Host -ForegroundColor Yellow "Device name: $devicename" + foreach ($keyId in $keyIds) { + $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key + Write-Host -ForegroundColor White " Key id: $keyid" + Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" + } + } else { + Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName" + } + } else { + Write-Host -ForegroundColor Red "Device $DeviceName not found" + } +} + +Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force +Import-Module Microsoft.Graph.Identity.SignIns +Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome +``` + +### Output example + +``` PowerShell +PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI +Device name: DESKTOP-53O32QI + Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4 + BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579 + Key id: 045219ec-a53b-41ae-b310-08ec883aaedd + BitLocker recovery key: 
158422-038236-492536-574783-256300-205084-114356-069773 + Key id: 69622eba-9068-449d-bc94-53e375cf5d58 + BitLocker recovery key: 117612-564564-392623-622424-499697-461120-039083-522236 + Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec + BitLocker recovery key: 230428-214104-446864-180785-025949-078650-715165-409893 + Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4 + BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682 +``` \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md index b20986ac2f..92b891f80d 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-screen.md 
@@ -160,144 +160,3 @@ There are rules governing which hint is shown during the recovery (in the order **Result:** The hint for the most recent key is displayed. ![Example 5 of customized BitLocker recovery screen.](images/rp-example5.png) - -## Using additional recovery information - -Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. - -### BitLocker key package - -If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password. - -> [!NOTE] -> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package. - -The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieve-the-bitlocker-key-package). - -## Resetting recovery passwords - -It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason. 
- -The recovery password and be invalidated and reset in two ways: - -- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. - -### Resetting a recovery password using `manage-bde.exe` - -1. Remove the previous recovery password. - - ```cmd - `manage-bde.exe` -protectors -delete C: -type RecoveryPassword - ``` - -2. Add the new recovery password. - - ```cmd - `manage-bde.exe` -protectors -add C: -RecoveryPassword - ``` - -3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. - - ```cmd - `manage-bde.exe` -protectors -get C: -Type RecoveryPassword - ``` - -4. Back up the new recovery password to AD DS. - - ```cmd - `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} - ``` - - > [!WARNING] - > The braces `{}` must be included in the ID string. - -## Retrieve the BitLocker key package - -Two methods can be used to retrieve the key package as described in Using Additional Recovery Information: - -Export a previously saved key package from AD DS. Read access is required to BitLocker recovery passwords that are stored in AD DS. - -Export a new key package from an unlocked, BitLocker-protected volume. Local administrator access to the working volume is required before any damage occurred to the volume. 
- - strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword") - strKeyPackage = objFveInfo.Get("msFVE-KeyPackage") - -### Example: retrieve Bitlocker recovery keys for a Microsoft Entra joined device - -``` PowerShell -function Get-EntraBitLockerKeys{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true, HelpMessage = "Device name to retrieve the BitLocker keys from Microsoft Entra ID")] - [string]$DeviceName - ) - $DeviceID = (Get-MGDevice -filter "displayName eq '$DeviceName'").DeviceId - if ($DeviceID){ - $KeyIds = (Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'").Id - if ($keyIds) { - Write-Host -ForegroundColor Yellow "Device name: $devicename" - foreach ($keyId in $keyIds) { - $recoveryKey = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $keyId -Select "key").key - Write-Host -ForegroundColor White " Key id: $keyid" - Write-Host -ForegroundColor Cyan " BitLocker recovery key: $recoveryKey" - } - } else { - Write-Host -ForegroundColor Red "No BitLocker recovery keys found for device $DeviceName" - } - } else { - Write-Host -ForegroundColor Red "Device $DeviceName not found" - } -} - -Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force -Import-Module Microsoft.Graph.Identity.SignIns -Connect-MgGraph -Scopes 'BitlockerKey.Read.All' -NoWelcome -``` - -### Output example - -``` PowerShell -PS C:\> Get-EntraBitLockerKeys -DeviceName DESKTOP-53O32QI -Device name: DESKTOP-53O32QI - Key id: 4290b6c0-b17a-497a-8552-272cc30e80d4 - BitLocker recovery key: 496298-461032-321464-595518-463221-173943-033616-139579 - Key id: 045219ec-a53b-41ae-b310-08ec883aaedd - BitLocker recovery key: 158422-038236-492536-574783-256300-205084-114356-069773 - Key id: 69622eba-9068-449d-bc94-53e375cf5d58 - BitLocker recovery key: 117612-564564-392623-622424-499697-461120-039083-522236 - Key id: 96723a5a-1cf7-4fd6-8142-1c6603195aec - BitLocker recovery key: 
230428-214104-446864-180785-025949-078650-715165-409893 - Key id: 6a7e153f-d5e9-4547-96d6-174ff0d0bdb4 - BitLocker recovery key: 241846-437393-298925-499389-123255-123640-709808-330682 -``` - -### Repair tool - -The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier - -> [!TIP] -> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume: -> -> `manage-bde.exe -KeyPackage` - -The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions: - -- The drive is encrypted using BitLocker Drive Encryption -- Windows doesn't start, or the BitLocker recovery console can't start -- There isn't a backup copy of the data that is contained on the encrypted drive - -> [!NOTE] -> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. 
- -The following limitations exist for Repair-bde: - -- it can't repair a drive that failed during the encryption or decryption process -- it assumes that if the drive has any encryption, then the drive is fully encrypted - -For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). - -> - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md index 1ec7eff4e3..cb816247e3 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md @@ -25,7 +25,7 @@ BitLocker recovery is the process by which access to a BitLocker-protected drive - [Choose how BitLocker-protected fixed drives can be recovered](policy-settings.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) - [Choose how BitLocker-protected removable drives can be recovered](policy-settings.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered) -### What causes BitLocker recovery? +## What causes BitLocker recovery? The following list provides some examples of specific events that causes BitLocker to enter recovery mode when attempting to start the operating system drive: 
@@ -79,194 +79,3 @@ If software maintenance requires the computer to be restarted and two-factor aut Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user. -## Test the recovery process - -Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation. - -To force a recovery for the local computer, open an elevated command prompt and enter the following command: - -```cmd -manage-bde.exe -forcerecovery -``` - -To force a recovery for a remote computer, open an elevated command prompt and enter the following command: - -```cmd -manage-bde.exe -ComputerName -forcerecovery -``` - -> [!NOTE] -> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices, the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). 
- -## Plan the recovery process - -When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: - -- how does the organization handle lost Windows passwords? -- how does the organization perform smart card PIN resets? - -After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization. - -When the recovery process is determined: - -- Become familiar with how a recovery password can be retrieved. See: - - [Self-recovery](#self-recovery) - - [Recovery password retrieval](#recovery-password-retrieval) -- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: - - [Post-recovery analysis](#post-recovery-analysis) - -### Self-recovery - -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. - -### Recovery password retrieval - -If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. 
**However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - -- **Choose how BitLocker-protected operating system drives can be recovered** - -- **Choose how BitLocker-protected fixed drives can be recovered** - -- **Choose how BitLocker-protected removable drives can be recovered** - -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD -DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. - -> [!NOTE] -> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required. - -The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. - -The following list can be used as a template for creating a recovery process for recovery password retrieval. 
This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. - -- [Record the name of the user's computer](#record-the-name-of-the-users-computer) -- [Verify the user's identity](#verify-the-users-identity) -- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds) -- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred) -- [Give the user the recovery password](#give-the-user-the-recovery-password) - -### Record the name of the user's computer - -The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer. - -### Verify the user's identity - -The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user. - -### Locate the recovery password in AD DS - -Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest. - -### Multiple recovery passwords - -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. - -To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. 
- -Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. - -### Gather information to determine why recovery occurred - -Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis). - -### Give the user the recovery password - -Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password. - -> [!NOTE] -> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. - -### Post-recovery analysis - -When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. 
- -If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see: - -- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery) -- [Resolve the root cause](#resolve-the-root-cause) - -### Determine the root cause of the recovery - -If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. - -While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. - -Review and answer the following questions for the organization: - -1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? - -2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? - -3. If TPM mode was in effect, was recovery caused by a boot file change? - -4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? - -5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? - -6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? 
- -To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode: - -```cmd -manage-bde.exe -status -``` - -Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. - -### Resolve the root cause - -After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup. - -The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. - -> [!NOTE] -> BitLocker validation profile reset can be performed by suspending and resuming BitLocker. - -- [Unknown PIN](#unknown-pin) -- [Lost startup key](#lost-startup-key) -- [Changes to boot files](#changes-to-boot-files) - -### Unknown PIN - -If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. - -#### To prevent continued recovery due to an unknown PIN - -1. Unlock the computer using the recovery password. - -2. Reset the PIN: - - 1. Select and hold the drive and then select **Change PIN** - - 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time. - - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. - -3. The new PIN can be used the next time the drive needs to be unlocked. - -### Lost startup key - -If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created. 
- -#### To prevent continued recovery due to a lost startup key - -1. Sign in as an administrator to the computer that has its startup key lost. - -2. Open Manage BitLocker. - -3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**. - -### Changes to boot files - -This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time. - -## Windows RE and device encryption - -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [device encryption](index.md#device-encryption). If a device is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives. 
- -Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally. - -The BitLocker recovery screen in Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. - -To activate the narrator during BitLocker recovery in Windows RE, press WIN+CTRL+ENTER. To activate the on-screen keyboard, select a text input control. - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 116bc6f8bc..3315c44c71 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml @@ -23,8 +23,14 @@ items: items: - name: Overview of BitLocker recovery methods href: recovery-guide.md + - name: BitLocker recovery process + href: recovery-guide-process.md - name: BitLocker recovery screen href: recovery-guide-screen.md + - name: BitLocker repair tool + href: recovery-guide-repair-tool.md + - name: BitLocker password reset + href: recovery-guide-password-reset.md - name: BitLocker Recovery Password Viewer href: recovery-password-viewer.md - name: Reference
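Review bot: in the recovery-guide-screen.md hunk, the removed Repair tool section has defects that should be fixed rather than carried verbatim into the new repair tool page: `BitLocker metadata data` doubles a word, the sentence ending `Each key package works only for a drive that has the corresponding drive identifier` has no terminating period, and the tip shows the bare `manage-bde.exe -KeyPackage` without a volume, so it is not a usable command as written; suggest showing it with the volume and output location, for example `manage-bde.exe -KeyPackage C: -ID {<KeyProtectorID>} -Path <folder>`. Dropping the dangling empty `>` blockquote line at the end of that section is a welcome cleanup.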
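Review bot: in the recovery-guide.md hunk at `@@ -25,7 +25,7 @@`, promoting `What causes BitLocker recovery?` from `###` to `##` is consistent with removing the H2 sections that followed it, but check the rest of recovery-guide.md for headings that were siblings of this one and still sit at `###`, otherwise the outline becomes uneven; the generated anchor `#what-causes-bitlocker-recovery` does not change with the level, so existing links to it keep working.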
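Review bot: in the recovery-guide.md hunk at `@@ -79,194 +79,3 @@`, the removed sections are the targets of in-page anchors (`#self-recovery`, `#recovery-password-retrieval`, `#post-recovery-analysis`, `#determine-the-root-cause-of-the-recovery`, `#resolve-the-root-cause`, `#unknown-pin`, `#lost-startup-key`, `#changes-to-boot-files`), so any link elsewhere in the docset of the form `recovery-guide.md#...` now breaks; grep for those targets and repoint them at the page the text moves to. The removed text also contains errors that should be corrected in the relocated copy: `manage-bde.exe -ComputerName -forcerecovery` is missing the computer-name argument and should read `manage-bde.exe -ComputerName <name> -forcerecovery`; `information should be gatherer` should be `gathered`; `A new startup can then be created` is missing `key`; `AD -DS` in the check box name is a stray line break; the sentence beginning `Devices that include firmware to support specific TPM measurements for *PCR 7*, the TPM can validate` is ungrammatical and needs rewording (for example, `On devices whose firmware supports PCR 7 measurements, the TPM can validate`); and the `-forcerecovery` note links to a social.technet.microsoft.com wiki article that should be verified as still reachable before it is reused.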
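Review bot: in the toc.yml hunk, the new entry name `BitLocker password reset` is ambiguous, since it reads as resetting a user's sign-in password, while its href is recovery-guide-password-reset.md and the page is about the recovery password; suggest `BitLocker recovery password reset` (or `Reset recovery password`) so the TOC label matches the page it links to and the wording of the neighbouring `BitLocker recovery process` and `BitLocker recovery screen` entries.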