From 7c25707f554008254f6112943a29a73f28867abc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 20:03:59 +0530 Subject: [PATCH 01/14] Update-bl-rcvgdplan-4318240 --- .../bitlocker-recovery-guide-plan.md | 92 ++++++++++--------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 943135fa94..864f32d49a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -23,9 +23,9 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for IT professionals describes how to recover BitLocker keys from AD DS. +This topic describes how to recover BitLocker keys from AD DS. -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. @@ -35,15 +35,15 @@ This article does not detail how to configure AD DS to store the BitLocker reco BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: -- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain). +- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. +- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device immediately reboots and enters into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** group policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)) to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. @@ -60,22 +60,23 @@ The following list provides examples of specific events that will cause BitLocke - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - Changes to the master boot record on the disk. - Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. -- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option makes the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This prevents the entry of enhanced PINs. +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** results in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. > [!NOTE] - > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + > Some computers have BIOS settings that skip measurements to certain PCRs such as **PCR\[2\]**. Changing this setting in the BIOS causes BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. - Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. +- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group (TCG) standards for a client computer. For example, a non-compliant implementation records volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + **Question: Does it imply that another user or process should change this to a non-zero value?** - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. @@ -83,16 +84,17 @@ The following list provides examples of specific events that will cause BitLocke - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. > [!NOTE] -> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. +> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. -For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. +For planned scenarios, such as a known hardware or firmware upgrade, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. +**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** -If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. -Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. +Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery mode before the computer is given to a new user. ## Testing recovery @@ -101,14 +103,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer** 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer** 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde. -ComputerName -forcerecovery ` > [!NOTE] @@ -136,20 +138,20 @@ When you determine your recovery process, you should: ### Self-recovery -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. ### Recovery password retrieval -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. +If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS, select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] -> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. @@ -167,37 +169,36 @@ You can use the name of the user's computer to locate the recovery password in A ### Verify the user's identity -You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. +You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user. ### Locate the recovery password in AD DS -Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. +Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. ### Multiple recovery passwords -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. -If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. +If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console. -Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. ### Gather information to determine why recovery occurred -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). +Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). ### Give the user the recovery password -Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption -when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: +If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time the computer starts up. See: - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) @@ -210,20 +211,20 @@ While an administrator can remotely investigate the cause of recovery in some ca Review and answer the following questions for your organization: -1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? +4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. +To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. ### Resolve the root cause After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. -The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. +The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. > [!NOTE] > You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. @@ -240,9 +241,10 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. -3. You will use the new PIN the next time you unlock the drive. + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. +You will use the new PIN the next time you unlock the drive. +**Question: I am removing the bulleted number for the above phrase because it sounds more like a step result** ### Lost startup key @@ -250,26 +252,28 @@ If you have lost the USB flash drive that contains the startup key, then you mus **To prevent continued recovery due to a lost startup key** -1. Log on as an administrator to the computer that has the lost startup key. +1. Log on as an administrator to the computer that has its startup key lost. +**Question: Is the above rephrased version implying the intended meaning?** 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. +3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. ### Changes to boot files -This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +**Question: The marked instance of TPM above renders the sentence ambiguous. Need inputs on the same** ## BitLocker recovery screen -During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. +During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. From e9040e6411da18eaa5fcc7165ac40acbf5294974 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:20:40 +0530 Subject: [PATCH 02/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker-recovery-guide-plan.md | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 864f32d49a..d6fe5d24d0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -273,7 +273,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few ### Custom recovery message -BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. @@ -290,25 +290,25 @@ Example of customized recovery screen: ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. -There are rules governing which hint is shown during the recovery (in order of processing): +There are rules governing which hint is shown during the recovery (in the order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). 2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." -3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. +3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. 5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. 6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. -7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. +9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) @@ -321,7 +321,8 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | No | | Saved to file | No | -**Result:** The hint for the Microsoft Account and custom URL are displayed. +**Result:** The hints for the Microsoft account and custom URL are displayed. + ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) @@ -424,38 +425,38 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package is not saved, by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords -You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. +You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason. You can reset the recovery password in two ways: -- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use manage-bde**. You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. +- **Run a script**. You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. **To reset a recovery password using manage-bde** -1. Remove the previous recovery password +1. Remove the previous recovery password. ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` -2. Add the new recovery password +2. Add the new recovery password. ```powershell Manage-bde –protectors –add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS +4. Backup the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} @@ -466,6 +467,7 @@ You can reset the recovery password in two ways: **To run the sample recovery password script** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. +**Question: The sample script seems missing**. 2. At the command prompt, type a command similar to the following: **cscript ResetPassword.vbs** @@ -474,7 +476,7 @@ You can reset the recovery password in two ways: > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. > [!NOTE] -> To manage a remote computer, you can specify the remote computer name rather than the local computer name. +> To manage a remote computer, you must specify the remote computer name rather than the local computer name. You can use the following sample script to create a VBScript file to reset the recovery passwords. @@ -553,10 +555,11 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): -- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. +- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. -The following sample script exports all previously-saved key packages from AD DS. +The following sample script exports all previously saved key packages from AD DS. +**Question: Sample script seems missing** **To run the sample key package retrieval script** From 5c6b8264b0c5e4a14ec0bcb6594c1abd920e2f76 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:23:40 +0530 Subject: [PATCH 03/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index d6fe5d24d0..b5795232b6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -360,7 +360,7 @@ There are rules governing which hint is shown during the recovery (in the order |----------------------|-----------------| | Saved to Microsoft Account | No | | Saved to Azure AD | No | -| Saved to Acive Directory | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | Yes | | Creation time | **1PM** | From 8d2ea4dd09ce8dab7ba60c776fc9d0d3a4e94113 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 13:03:16 +0530 Subject: [PATCH 04/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index db893c2f8b..4f1c187a4c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -92,7 +92,6 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. From c59c9d15aa893e4d8fa44b3d88ad675b1ee60086 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:39:36 +0530 Subject: [PATCH 05/14] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From f3accee9338e79a8c005145929334436cf389a7d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:44:29 +0530 Subject: [PATCH 06/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index ce14a9e593..dc77051862 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -279,7 +279,7 @@ Windows Recovery Environment (RE) can be used to recover access to a drive prote This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. -## Windows RE and BitLocker Device Encryption +## Windows RE and its usage in BitLocker Device Encryption Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. From 87448d4ead7a9a986c69db8b2ae433fd074e1727 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 14:36:33 +0530 Subject: [PATCH 07/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 54df9c5536..76cd8bab26 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -102,14 +102,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer:** -1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. +1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. +1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: @@ -150,7 +150,7 @@ If the user does not have a recovery password in a printout or on a USB flash dr - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] @@ -250,9 +250,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. + 1. Select and hold the drive and then select **Change PIN** + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. 3. You will use the new PIN the next time you unlock the drive. ### Lost startup key @@ -263,7 +263,7 @@ If you have lost the USB flash drive that contains the startup key, then you mus 1. Log on as an administrator to the computer that has its startup key lost. 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. +3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**. ### Changes to boot files From 473dda6385f162cc977e5831789eb83bb3ffe88f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:11:40 +0530 Subject: [PATCH 08/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 7b225fb595..27891404e0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -24,7 +24,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and later -This topic describes how to recover BitLocker keys from AD DS. +This article describes how to recover BitLocker keys from AD DS. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. From f72780a0775f6008e8eaac6f42a95858f9f3c562 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:50:45 +0530 Subject: [PATCH 09/14] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 27891404e0..34a2bde95f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -274,15 +274,6 @@ This error occurs if you updated the firmware. As a best practice, you should su Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. -### Changes to boot files - -This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. - - -## Windows RE and its usage in BitLocker Device Encryption - -Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. - Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. From 926c0e071b13ecee97ae14116a51347f7fba6c71 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:55:05 +0530 Subject: [PATCH 10/14] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From d330f0e687bf42a34d049e31dedb6ab8493eb8c2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:13:46 +0530 Subject: [PATCH 11/14] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 334dcb3e62..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -22,8 +22,8 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. +For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From d75c01535795957c1098d75a6cc2c6c7a9f478ce Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:46:14 -0600 Subject: [PATCH 12/14] Update bitlocker-countermeasures.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/cfaa7d44-e8a7-4281-924f-33dcd42ad82f#CORRECTNESS Line 85: a standard sign in > a standard sign-in Line 87: the user enter > the user enters Line 133: physically-present > physically present (Suggestion: An attacker who is physically present...) --- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 5270498276..68889e3dcd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -82,9 +82,9 @@ This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. In the following group policy example, TPM + PIN is required to unlock an operating system drive: @@ -130,7 +130,7 @@ This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. This is the default configuration. From c013cf51314df99340864ce636b47f32014b08a2 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:48:11 -0600 Subject: [PATCH 13/14] Update bitlocker-recovery-guide-plan.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/2b6b5714-3222-4576-ac40-82f45f656a17#CORRECTNESS Line 475: Backup >Back up --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 34a2bde95f..2d622dbe34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -472,7 +472,7 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS. +4. Back up the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} From 1cbedb5204a84c6dabf258fbeed40c4e2785fbeb Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:51:56 -0600 Subject: [PATCH 14/14] Update prepare-your-organization-for-bitlocker-planning-and-policies.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/abe1d71a-f2e5-4c62-bb68-030266f1f300#CORRECTNESS Line 78: you're > you'll Line 151: Space Only, only > Space Only, just Line 186: - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. > - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. --- ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c4962bf5cd..c3e1167342 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -75,7 +75,7 @@ On computers that don't have a TPM version 1.2 or higher, you can still use Bit **Will you support computers without TPM version 1.2 or higher?** -Determine if you're support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine if you'll support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** @@ -148,7 +148,7 @@ The BitLocker Setup wizard provides administrators the ability to choose the Use Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. -With Used Disk Space Only, only the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. @@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.