From 8f36e5b9ac9b7ccbc9ee016e5845b2f80beab2ad Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 25 Jul 2023 14:06:13 +0200 Subject: [PATCH] updates --- ...ve-encryption-tools-to-manage-bitlocker.md | 43 +++++++------------ ...-use-bitlocker-recovery-password-viewer.md | 3 +- .../data-protection/bitlocker/index.md | 23 +++------- .../data-protection/bitlocker/toc.yml | 2 +- 4 files changed, 25 insertions(+), 46 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 69c4f85d5e..cde89fc313 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
@@ -1,26 +1,17 @@ --- -title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker -description: This article for the IT professional describes how to use tools to manage BitLocker. +title: How to use the BitLocker drive encryption tools to manage BitLocker +description: Learn how to use tools to manage BitLocker. ms.collection: - - highpri - tier1 -ms.topic: conceptual -ms.date: 11/08/2022 +ms.topic: how-to +ms.date: 07/25/2023 --- -# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker +# How to use the BitLocker drive encryption tools to manage BitLocker -This article for the IT professional describes how to use tools to manage BitLocker. +BitLocker drive encryption tools include the command-line tools *manage-bde.exe*, *repair-bde.exe*, and the cmdlets for Windows PowerShell. -BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. - -Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. - -Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console. - -1. [Manage-bde](#manage-bde) -2. [Repair-bde](#repair-bde) -3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell) +The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. ## Manage-bde 
@@ -87,26 +78,24 @@ manage-bde.exe -protectors -add -pw C: manage-bde.exe -on C: ``` -## Repair-bde +## BitLocker Repair Tool Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly. -The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS. +The BitLocker Repair Tool (*repair-bde.exe*) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console. + +The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. The key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. 
Each key package works only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS. > [!TIP] -> If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command: +> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume: > > `manage-bde.exe -KeyPackage` -> -> can be used to generate a key package for a volume. -The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true: +The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions: -- The drive has been encrypted using BitLocker Drive Encryption. - -- Windows doesn't start, or the BitLocker recovery console can't be started. - -- There isn't a backup copy of the data that is contained on the encrypted drive. +- The drive is encrypted using BitLocker Drive Encryption +- Windows doesn't start, or the BitLocker recovery console can't start +- There isn't a backup copy of the data that is contained on the encrypted drive > [!NOTE] > Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index e102f75cde..e550879cd4 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -3,7 +3,7 @@ title: How to use BitLocker Recovery Password Viewer description: Learn how to use the BitLocker Recovery Password Viewer tool. ms.collection: - tier1 -ms.topic: conceptual +ms.topic: how-to ms.date: 07/25/2023 --- @@ -43,4 +43,3 @@ The following procedures describe the most common tasks performed by using the B 1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password** 1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search** 1. Once the recovery password is located, you can use the previous procedure to copy it - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index dd9cbbca62..86e5b46f52 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md 
@@ -10,30 +10,19 @@ ms.date: 11/08/2022 # BitLocker overview -This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. +Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes. -BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. +BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. -BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline. -On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. 
However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented. ## Practical applications -Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. - -There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker. - -- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. - - By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. 
Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator. - -- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the -BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console. - -[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] +Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled. ## System requirements @@ -64,5 +53,7 @@ A partition subject to encryption can't be marked as an active partition. This r When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives. +[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] + ## Next steps diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 7d9cb16703..1fd7418979 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml @@ -19,7 +19,7 @@ items: href: bitlocker-management-for-enterprises.md - name: Configure BitLocker on Windows Server href: bitlocker-how-to-deploy-on-windows-server.md - - name: Use BitLocker Drive Encryption Tools to manage BitLocker + - name: Manage BitLocker with Drive Encryption Tools href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - name: Use BitLocker Recovery Password Viewer href: bitlocker-use-bitlocker-recovery-password-viewer.md
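Review bot: In the first hunk of bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md, the rewritten intro overgeneralizes: "The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel" now covers *repair-bde.exe* too, whereas the removed text limited that claim to manage-bde and the PowerShell cmdlets and described repair-bde separately as a disaster-recovery tool. Suggest keeping the distinction, e.g. "The command-line tool *manage-bde.exe* and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel ...", so readers don't expect repair-bde to behave like a management tool.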
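Review bot: In the `@@ -87,26 +78,24 @@` hunk, the added line still carries the pre-existing typo "If the BitLocker metadata data on the drive is corrupt" ("metadata data"), and the section now mixes three names for one tool: the heading says "BitLocker Repair Tool", the body introduces "*repair-bde.exe*", and the later sentence says "Use Repair-bde in the following conditions". Suggest "If the BitLocker metadata on the drive is corrupt" and a single form ("Use the Repair Tool under the following conditions") to match the new heading. Renaming the heading from "Repair-bde" also changes its auto-generated anchor; the in-page `#repair-bde` link is removed in the same patch, but any other article linking to that anchor should be checked.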
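Review bot: In the `@@ -10,30 +10,19 @@` hunk of index.md, two added lines have spelling problems: "Bitlocker is a disk encryption feature" should use the product's capitalization "BitLocker", and "installed in many devices ant it works with BitLocker" has "ant" for "and". Also worth noting that dropping the "TPM version 1.2 or later versions" qualifier from the no-TPM paragraph while keeping it in the preceding one leaves the two paragraphs slightly out of step; either both or neither should state the version.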
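Review bot: In the toc.yml hunk, the new entry "Manage BitLocker with Drive Encryption Tools" does not match the article's new title from the first hunk, "How to use the BitLocker drive encryption tools to manage BitLocker" (different wording and capitalization of "drive encryption tools"). Suggest aligning the TOC name with the page title so navigation and the rendered H1 agree.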