mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
updates
This commit is contained in:
parent 58b743c95f
commit a0607033e0
@ -20,7 +20,7 @@ The following table describes the options to configure BitLocker, depending on t
| *Microsoft Entra joined* | ✅ | ❌ | ✅ |
| *Microsoft Entra registered* | ✅ | ❌ | ❌ |
| *Microsoft Entra hybrid joined* | ✅ | ✅ | ✅ |
| *Active Directory joined devices* | ❌ | ✅ | ✅ |
| *Active Directory joined* | ❌ | ✅ | ✅ |
> [!NOTE]
> Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
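Review bot: renaming the row from *Active Directory joined devices* to *Active Directory joined* brings it in line with the other row labels in the table (*Microsoft Entra joined*, *Microsoft Entra registered*, *Microsoft Entra hybrid joined*), so the change itself looks right. One wording point in the NOTE under the table: "Use GPO instead" is the only bare abbreviation in this hunk; consider "Use group policy (GPO) instead" or the "policy settings" wording used elsewhere in this document so readers don't have to know the acronym.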
@ -278,36 +278,59 @@ During BitLocker recovery, Windows displays a custom recovery message and a few
:::row:::
:::column span="3":::
BitLocker policy settings allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. For more information, see [Configure preboot recovery message and URL](policy-settings.md?tabs=os#configure-preboot-recovery-message-and-url)
BitLocker policy settings allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/recovery-message-url.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL." lightbox="images/recovery-message-url.png":::
:::column-end:::
:::row-end:::
For more information, see [Configure preboot recovery message and URL](policy-settings.md?tabs=os#configure-preboot-recovery-message-and-url).
### BitLocker recovery key hints
BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.

:::row:::
:::column span="3":::
BitLocker metadata includes information about when and where a BitLocker recovery key was saved. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key was saved. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/recover-message-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/recover-message-hint.png":::
:::column-end:::
:::row-end:::
> [!IMPORTANT]
> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
> It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft Account, Microsoft Entra ID or Active Directory backup.
There are rules governing which hint is shown during the recovery (in the order of processing):
1. Always display custom recovery message if it has been configured (using GPO or MDM).
1. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.`
1. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
1. Prioritize keys with successful backup over keys that have never been backed up.
1. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
1. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
1. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
1. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
1. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
1. Always display custom recovery message, if configured via policy settings
1. Always display generic hint: **For more information, go to https://aka.ms/recoverykeyfaq.**
1. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key
1. Prioritize keys with successful backup over keys that have never been backed up
1. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**
1. If a key has been printed and saved to file, display a combined hint **Look for a printout or a text file with the key**, instead of two separate hints
1. If multiple backups of the same type (remove vs. local) were done for the same recovery key, prioritize backup info with latest backup date
1. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, **Contact your organization's help desk**, is displayed
1. If two recovery keys are present on the disk, but only one was successfully backed up, the system asks for a key that was backed up, even if another key is newer
#### Example 1 (single recovery key with single backup)
:::row:::
:::column span="3":::
| Custom URL | Yes |
|----------------------------|-----|
| Saved to Microsoft Account | Yes |
| Saved to Azure AD | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
**Result:** The hints for the Microsoft account and custom URL are displayed.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/rp-example1.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/rp-example1.png":::
:::column-end:::
:::row-end:::
| Custom URL | Yes |
|----------------------------|-----|
| Saved to Microsoft Account | Yes |
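Review bot: the rewritten IMPORTANT note still has the grammar error of the line it replaces: "It's not recommend to print recovery keys or saving them to a file" should read "It's not recommended to print recovery keys or save them to a file." The same hunk is also inconsistent about product naming: the note now says "Microsoft Entra ID", but the hint-priority list still reads "**Microsoft Account > Azure AD > Active Directory**" and the Example 1 table still has "Saved to Azure AD"; rename those to match. Two smaller points: "remove vs. local" in the "multiple backups of the same type" item is a typo for "remote vs. local" carried over from the old text, and the new key-hints paragraph drops "starting in Windows 10, version 1903"; that is fine if the document now only covers versions where the enhanced metadata is always present, otherwise keep the qualifier.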