From a71cef22bb131236180df1afd2c1595ebed4d1f6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 9 Apr 2018 18:08:19 -0700 Subject: [PATCH] added FAQs to adds --- .../bitlocker/bitlocker-and-adds-faq.md | 8 ++++++++ .../bitlocker/bitlocker-key-management-faq.md | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index 892b96b9d0..cf6854a98b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -17,6 +17,14 @@ ms.date: 04/03/2018 - Windows 10 +## What type of information is stored in AD DS? + +Stored information | Description +-------------------|------------ +Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. +BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). +BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde. + ## What if BitLocker is enabled on a computer before the computer has joined the domain? If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 6766506328..a7daabfc34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -16,6 +16,12 @@ ms.date: 04/03/2018 **Applies to** - Windows 10 +## How can I authenticate or unlock my removable data drive? + +You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde: + +Manage-bde -protectors -add e: -sid domain\username + ## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).