From 0e62554ad36a0bf8cf9e857049be5aceafc81d37 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 16:47:37 +0530 Subject: [PATCH 01/65] Update-bl-ovw-4318240 --- .../bitlocker/bitlocker-overview.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 131a256f82..8dff04be1f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -29,9 +29,9 @@ This topic provides a high-level overview of BitLocker, including a list of syst BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a trusted platform module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. -On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. 
Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. 
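Review bot: In the @@ -29 hunk, the new wording `TPM version 1.2 or later versions` is redundant (`version` appears twice) and reads worse than the original `version 1.2 or later`; it is introduced twice in this hunk and again in the @@ -55 hunk. Suggest `trusted platform module (TPM) version 1.2 or later` on first use and `TPM 1.2 or later` afterwards. `maximum protection` is not an improvement over `the most protection` either; both are fine, so prefer the smaller diff.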
@@ -39,13 +39,13 @@ In addition to the TPM, BitLocker offers the option to lock the normal startup p Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. -There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. +There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker. - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. 
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the -BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. +BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. ## New and changed functionality 
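Review bot: In the @@ -39 hunk, `appropriate to be used for automated deployments` is wordier than the original `appropriate to use for`, and dropping the comma in `Remote Server Administration Tools which you can use` turns a non-restrictive clause into a restrictive one without switching to `that`. Suggest keeping `There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker.` and `appropriate to use for automated deployments and other scripting scenarios.` The `BitLocker-protected` hyphenation fix is good.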
@@ -55,9 +55,9 @@ To find out what's new in BitLocker for Windows 10, such as support for the XTS BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a trusted platform module (TPM), the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. -A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a trusted computing group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. 
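Review bot: In the @@ -55 hunk, `Trusted Computing Group` must stay capitalized: it is the proper name of the standards body that publishes the TPM and measured-boot specifications, not a generic term, so `trusted computing group (TCG)-compliant` is incorrect. Also, `enabling BitLocker makes it mandatory for you to save a startup key` is longer and less direct than the original `requires that you save a startup key`; suggest keeping `requires`. The same `TPM 1.2 or later versions` redundancy noted for @@ -29 appears here.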
@@ -65,37 +65,37 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/). > [!NOTE] -> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. +> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. -- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. 
For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. +- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. -When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. +When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker. -When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. +When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. ## In this section | Topic | Description | | - | - | -| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. 
| -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| -| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | -| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | -| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.| -| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. | -| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| -| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. | -| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker. 
| -| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| -| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. 
| +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. | +| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | +| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. 
| -| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core | +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| +| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | From 7c25707f554008254f6112943a29a73f28867abc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 20:03:59 +0530 Subject: [PATCH 02/65] Update-bl-rcvgdplan-4318240 --- .../bitlocker-recovery-guide-plan.md | 92 ++++++++++--------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 943135fa94..864f32d49a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
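Review bot: For PATCH 01/65, hunk @@ -65: `Group Policy` is lowercased to `group policy` in the row for the Group Policy settings topic (and again throughout PATCH 02/65); Microsoft style keeps `Group Policy` capitalized as a feature name, and the row's own link text still reads `BitLocker Group Policy settings`, so the row becomes inconsistent with itself. Likewise `enable the secure boot feature` should read `Secure Boot`, the UEFI feature name used in the `Enabling Secure Boot and BitLocker Device Encryption` row of the same table. The MBR2GPT note is still ungrammatical after the edit (`Installed Operating System on hardware in Legacy mode stops the OS from booting`); suggest `An operating system installed while the firmware is in Legacy mode will not boot after the mode is changed to UEFI. Run MBR2GPT before changing the mode, which prepares the OS and the disk for UEFI.`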
@@ -23,9 +23,9 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for IT professionals describes how to recover BitLocker keys from AD DS. +This topic describes how to recover BitLocker keys from AD DS. -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. 
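Review bot: In the @@ -23 hunk, `It is recommended to create a recovery model` swaps one passive construction for another; the docs voice elsewhere on this page is `We recommend that you ...`, so suggest `We recommend that you create a recovery model for BitLocker while you are planning your BitLocker deployment.`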
@@ -35,15 +35,15 @@ This article does not detail how to configure AD DS to store the BitLocker reco BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: -- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. 
(Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain). +- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. +- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device immediately reboots and enters into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** group policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)) to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. 
- Failing to boot from a network drive before booting from the hard drive. 
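Review bot: In the @@ -35 hunk, the first bullet now mixes persons: `the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online`. With the subject changed to plural `users`, `your Microsoft account` should become `their Microsoft account` (and `with their Microsoft account online` in the parenthetical). In the third bullet, `This method makes it mandatory for you to enable this recovery method` is wordier than the original `This method requires that you have enabled`; suggest keeping `requires`. `group policy setting` should stay `Group Policy setting`, matching the linked topic title at the end of the same sentence.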
@@ -60,22 +60,23 @@ The following list provides examples of specific events that will cause BitLocke - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - Changes to the master boot record on the disk. - Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. -- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option makes the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This prevents the entry of enhanced PINs. +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** results in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. 
> [!NOTE] - > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + > Some computers have BIOS settings that skip measurements to certain PCRs such as **PCR\[2\]**. Changing this setting in the BIOS causes BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. - Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. +- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group (TCG) standards for a client computer. For example, a non-compliant implementation records volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + **Question: Does it imply that another user or process should change this to a non-zero value?** - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. 
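Review bot: In the @@ -60 hunk, the added line `**Question: Does it imply that another user or process should change this to a non-zero value?**` is an author query inserted into the article body; it would be published as-is and must be removed before merge (raise it in the PR conversation instead). To answer it: the note means the value is zero after BitLocker initializes the TPM, so a non-zero value can only be there because something else deliberately changed it; no `should` is implied. Two edits in this hunk also turn possibilities into certainties: `a non-compliant implementation may record volatile data (such as time)` becomes `records volatile data`, and `This can prevent the entry of enhanced PINs` becomes `This prevents`. Not every non-compliant firmware measures volatile data and not every keyboard mismatch blocks PIN entry, so keep `may record` and `can prevent`.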
@@ -83,16 +84,17 @@ The following list provides examples of specific events that will cause BitLocke - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. > [!NOTE] -> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. +> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. -For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. +For planned scenarios, such as a known hardware or firmware upgrade, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. 
Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. +**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** -If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. -Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. +Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery mode before the computer is given to a new user. ## Testing recovery 
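Review bot: In the @@ -83 hunk, the added `**Question: The above sentence looks incomplete. ...**` line is a review query placed in the published text and must be removed before merge. The sentence it asks about is missing a comma, not a word: `If suspended, BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command-line tool.` (the reboot count is the `-RebootCount` parameter of `manage-bde -protectors -disable`). Also, `you can enable BitLocker Network Unlock feature` needs an article: `the BitLocker Network Unlock feature`, or simply keep the original `enable BitLocker Network Unlock`.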
@@ -101,14 +103,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer** 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer** 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde. -ComputerName -forcerecovery ` > [!NOTE] 
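Review bot: In the @@ -101 hunk, the unchanged context line `manage-bde. -ComputerName -forcerecovery` carries a stray period after `manage-bde` that makes the command fail as typed; since the adjacent lines are being touched anyway, fix it, for example `manage-bde -ComputerName <ComputerName> -forcerecovery <BitLockerVolume>`. Both commands as shown here also end without a volume argument, and `-forcerecovery` requires the drive letter of the BitLocker volume, so confirm that the angle-bracket placeholders are still present in the source file.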
@@ -136,20 +138,20 @@ When you determine your recovery process, you should: ### Self-recovery -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. ### Recovery password retrieval -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. 
BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. +If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). 
Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS, select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] -> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. 
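Review bot: The merged sentence at the end of the recovery password retrieval hunk ("... to store in AD DS, select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want ...") is a comma splice; keep the original two sentences and start the second with "Select the ... check box if you want to prevent users ...". In the self-recovery paragraph, "We recommend that your organization creates a policy" should be "create" (subjunctive after "recommend that"), and "if both the PC and the recovery items are in the same bag it would be" needs a comma after "bag". Lowercasing "group policy settings" is inconsistent with "Local Group Policy Editor" and "Group Policy Management Console" in the same sentence; Group Policy is the feature's name and stays capitalized. Finally, "in the event of a recovery being required" is clunkier than the original "in the event that recovery is required".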
@@ -167,37 +169,36 @@ You can use the name of the user's computer to locate the recovery password in A ### Verify the user's identity -You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. +You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user. ### Locate the recovery password in AD DS -Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. +Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. ### Multiple recovery passwords -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. -If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. +If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console. 
-Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. ### Gather information to determine why recovery occurred -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). +Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). ### Give the user the recovery password -Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. 
The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption -when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: +If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time the computer starts up. 
See: - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) 
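Review bot: In the "Verify the user's identity" section, "You should verify whether the person ... is truly the authorized user" changes the meaning: the help desk must confirm that the requester is the authorized user before releasing a recovery password, not merely find out whether they are; keep "verify that". Likewise "the computer for which the user provided the name" is hard to parse; suggest "the computer whose name the user provided". The other edits in this hunk (computer object, 8-character, "finds", "For more information", the comma after "48 digits long") read well.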
@@ -210,20 +211,20 @@ While an administrator can remotely investigate the cause of recovery in some ca Review and answer the following questions for your organization: -1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? +4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. +To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. 
### Resolve the root cause After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. -The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. +The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. > [!NOTE] > You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. @@ -240,9 +241,10 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. -3. You will use the new PIN the next time you unlock the drive. + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. +You will use the new PIN the next time you unlock the drive. +**Question: I am removing the bulleted number for the above phrase because it sounds more like a step result** ### Lost startup key 
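Review bot: In item 4 of the root-cause questions, "or a malicious software" is ungrammatical because "software" is uncountable; use "malicious software" without the article, and apply the same fix to "if a malicious software or a rootkit might have infected the computer" under "Resolve the root cause" in this hunk.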
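Review bot: In the forgotten-PIN procedure, the added "**Question: I am removing the bulleted number ...**" line is in the markdown body and would ship with the topic; move it to the PR discussion. Demoting "You will use the new PIN the next time you unlock the drive." from step 3 to a plain sentence is reasonable, but it needs a blank line before it; without one, it is parsed as a lazy continuation of nested sub-step 3 rather than a closing paragraph.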
@@ -250,26 +252,28 @@ If you have lost the USB flash drive that contains the startup key, then you mus **To prevent continued recovery due to a lost startup key** -1. Log on as an administrator to the computer that has the lost startup key. +1. Log on as an administrator to the computer that has its startup key lost. +**Question: Is the above rephrased version implying the intended meaning?** 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. +3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. ### Changes to boot files -This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. 
When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. 
+**Question: The marked instance of TPM above renders the sentence ambiguous. Need inputs on the same** ## BitLocker recovery screen -During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. +During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. From e9040e6411da18eaa5fcc7165ac40acbf5294974 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:20:40 +0530 Subject: [PATCH 03/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker-recovery-guide-plan.md | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 864f32d49a..d6fe5d24d0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
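Review bot: Two changes in the hunk starting at "Lost startup key" overstate behaviour and should keep the original wording: under "Changes to boot files", "This error occurs if you updated the firmware" should stay "might occur" (the same paragraph explains that suspending BitLocker before the update avoids recovery entirely), and under "BitLocker recovery screen", "Windows displays a custom recovery message and a few hints" should stay "can display", since the message and hints appear only when configured. "The computer that has its startup key lost" is less clear than the original "the computer that has the lost startup key"; keep the original. On the PCR[7] question: the sentence reads unambiguously with a preposition and comma, "In Windows 8.1 and later versions, on devices that include firmware to support specific TPM measurements for PCR[7], the TPM can validate that Windows RE is a trusted operating environment ..."; the bold on "the TPM" and the three inline "**Question: ...**" lines should not be committed, because they land in the published file.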
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -273,7 +273,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few ### Custom recovery message -BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. 
@@ -290,25 +290,25 @@ Example of customized recovery screen: ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. 
-There are rules governing which hint is shown during the recovery (in order of processing): +There are rules governing which hint is shown during the recovery (in the order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). 2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." -3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. +3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. 5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. 6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. -7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. +9. 
If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) @@ -321,7 +321,8 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | No | | Saved to file | No | -**Result:** The hint for the Microsoft Account and custom URL are displayed. +**Result:** The hints for the Microsoft account and custom URL are displayed. + ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) 
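Review bot: In the recovery key hints hunk, rule 7 still reads "(remove vs. local)" on both the removed and the added line; this is "(remote vs. local)" and should be fixed while the line is being touched. Capitalization also becomes inconsistent within the hunk: the IMPORTANT note changes to "Microsoft account", while rule 5 keeps "**Microsoft Account > Azure AD > Active Directory**"; pick one form for the product name across the section.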
@@ -424,38 +425,38 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package is not saved, by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords -You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. +You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason. You can reset the recovery password in two ways: -- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use manage-bde**. 
You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. +- **Run a script**. You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. **To reset a recovery password using manage-bde** -1. Remove the previous recovery password +1. Remove the previous recovery password. ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` -2. Add the new recovery password +2. Add the new recovery password. ```powershell Manage-bde –protectors –add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS +4. Backup the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} @@ -466,6 +467,7 @@ You can reset the recovery password in two ways: **To run the sample recovery password script** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. +**Question: The sample script seems missing**. 2. At the command prompt, type a command similar to the following: **cscript ResetPassword.vbs** 
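Review bot: In the "Resetting recovery passwords" hunk, "You must invalidate a recovery password after it has been provided and used" turns the original recommendation ("should") into a requirement; keep "should" unless the guidance is meant to be mandatory. Nearby, "The BitLocker key package is not saved, by default" has a spurious comma, and step 4 "Backup the new recovery password" needs the verb form "Back up". While these steps are being edited, the manage-bde examples in the fenced blocks use en dashes ("–protectors –delete", "–add", "–get", "–adbackup") instead of ASCII hyphens; manage-bde does not recognise those as switches, so the commands fail if copied as shown. Replace them with "-protectors -delete" and so on.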
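Review bot: In the "run the sample recovery password script" hunk, the added "**Question: The sample script seems missing**." line is inside the numbered procedure and would be published; raise it in the PR instead. The script is not missing: the context of the following hunk shows "You can use the following sample script to create a VBScript file to reset the recovery passwords." immediately after the notes, which is where it lives.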
@@ -474,7 +476,7 @@ You can reset the recovery password in two ways: > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. > [!NOTE] -> To manage a remote computer, you can specify the remote computer name rather than the local computer name. +> To manage a remote computer, you must specify the remote computer name rather than the local computer name. You can use the following sample script to create a VBScript file to reset the recovery passwords. @@ -553,10 +555,11 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): -- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. +- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. -The following sample script exports all previously-saved key packages from AD DS. +The following sample script exports all previously saved key packages from AD DS. +**Question: Sample script seems missing** **To run the sample key package retrieval script** From 5c6b8264b0c5e4a14ec0bcb6594c1abd920e2f76 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:23:40 +0530 Subject: [PATCH 04/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
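Review bot: In the NOTE hunk about remote computers, "you must specify the remote computer name rather than the local computer name" changes a capability into a requirement; the note describes an optional way to target a remote computer, so the original "can specify" was correct.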
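Review bot: In the key package retrieval hunk, the added "**Question: Sample script seems missing**" line follows "The following sample script exports all previously saved key packages from AD DS." in the body and would be published; the diff context here does not show the script either way, so ask in the PR conversation rather than in the file. The hyphen removals ("previously saved") are correct.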
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index d6fe5d24d0..b5795232b6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -360,7 +360,7 @@ There are rules governing which hint is shown during the recovery (in the order |----------------------|-----------------| | Saved to Microsoft Account | No | | Saved to Azure AD | No | -| Saved to Acive Directory | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | Yes | | Creation time | **1PM** | From 2b3d41e0c5945192efc7b208776f58307a6801d6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Sep 2020 19:10:56 +0530 Subject: [PATCH 05/65] Update prep-bl-policies-4457208 --- ...ion-for-bitlocker-planning-and-policies.md | 76 ++++++++++--------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index baa25d7cf6..d42faca138 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -24,9 +24,9 @@ ms.custom: bitlocker - Windows 10 -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic explains how to plan your BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. +When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. ## Audit your environment @@ -36,7 +36,7 @@ Use the following questions to help you document your organization's current dis 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? 2. What policies exist to control recovery password and recovery key storage? -3. What are the policies for validating the identity of users that need to perform BitLocker recovery? +3. What are the policies for validating the identity of users who need to perform BitLocker recovery? 4. What policies exist to control who in the organization has access to recovery data? 5. What policies exist to control computer decommissioning or retirement? 
@@ -51,17 +51,18 @@ The trusted platform module (TPM) is a hardware component installed in many newe In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. -On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. +On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors | Key protector | Description | | - | - | -| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.| +| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| | Startup key | An encryption key that can be stored on most removable media. 
This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| +**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type** +| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| ### BitLocker authentication methods 
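Review bot: the bold line `**Question:Is the conjunction with a TPM on TPM-enabled computers? ...**` inserted between the "Startup key" and "Recovery password" rows of the key protector table in the @@ -51 hunk breaks the table: a markdown table ends at the first line that is not a row, so "Recovery password" and "Recovery key" will render as plain text. Remove the line from the hunk and ask the question in the PR instead. Separately, "TPM 1.2 or higher versions" (used twice in this hunk) is more awkward than the original "TPM version 1.2 or higher"; "TPM version 1.2 or later" reads better and matches the wording in the overview topic.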
@@ -69,24 +70,25 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | Authentication method | Requires user interaction | Description | | - | - | - | | TPM only| No| TPM validates early boot components.| -| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | | TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| | Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.| -**Will you support computers without TPM version 1.2 or higher?** +**Will you support computers without TPM 1.2 or higher versions?** -Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. 
This requires additional support processes similar to multifactor authentication. +Determine whether you will support computers that do not have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** -The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. +The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. +**Question: Does reboot unattended imply reboot automatically?** However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. **What areas of your organization need a more secure level of data protection?** -If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. 
You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. +If there are areas of your organization in which user systems with highly sensitive data are found, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock feature to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. **What multifactor authentication method does your organization prefer?** 
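Review bot: "computers that do not have a TPM 1.2 or higher versions" in the @@ -69 hunk mixes a singular article with a plural noun; use "a TPM version 1.2 or later" (or drop "versions"). The paragraph-level `**Question: Does reboot unattended imply reboot automatically?**` is again a reviewer note committed into the article and should be removed from the hunk. Two further wording points: "You can also use BitLocker Network Unlock feature" needs "the" (or drop "feature"), and "areas of your organization in which user systems with highly sensitive data are found" is less clear than the original "areas of your organization where data residing on user computers is considered highly sensitive"; suggest keeping the original sentence with only the hyphen removed from "highly-sensitive".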
@@ -94,23 +96,23 @@ The protection differences provided by multifactor authentication methods cannot ## TPM hardware configurations -In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. +In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. ### TPM 1.2 states and initialization -For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM. +For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM that is then brought to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM. ### Endorsement keys -For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. +For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker forces the TPM to generate one automatically as part of BitLocker setup. 
-An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. +An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). ## Non-TPM hardware configurations -Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. +Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker-protected using a startup password, and PCs without a TPM can use a startup key. Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: 
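Review bot: "Windows 10 automatically initializes the TPM that is then brought to an enabled, activated, and owned state" in the @@ -94 hunk turns a result into a restrictive clause and reads as if only some TPMs are initialized. Keep the original "initializes the TPM, which brings it to an enabled, activated, and owned state", or use "initializes the TPM and brings it to ...". While in this hunk, the unchanged context line "Trusted Computing Group: Trusted Platform Module (TPM) Specifications ()" has empty parentheses where a link used to be; worth restoring the link or dropping the parentheses.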
@@ -118,16 +120,16 @@ Use the following questions to identify issues that might affect your deployment - Do you have budget for USB flash drives for each of these computers? - Do your existing non-TPM devices support USB devices at boot time? -Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. +Test your individual hardware platforms with the **BitLocker system check** option while you are enabling BitLocker. The system check ensures that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. ## Disk configuration considerations To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: -- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system -- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. 
It should be at least 350 MB in size +- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system. +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. -Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. +Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. 
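Review bot: the rewritten system partition bullet in the @@ -118 hunk carries the typo "firware" forward from the original line; correct it to "firmware" in this hunk rather than in a follow-up commit, since the line is already being touched. The rest of the hunk (bolding **BitLocker system check**, adding the missing full stops to the two bullets, "will ensure" to "ensures") is fine.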
@@ -135,29 +137,29 @@ Windows RE can also be used from boot media other than the local hard disk. If y ## BitLocker provisioning -In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. +In Windows Vista and Windows 7, BitLocker was provisioned post-installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires the computer to have a TPM. -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. 
In this case, the volume is not protected and needs to have a secure key added to the it before the drive is considered fully protected. Administrators can use the Control Panel options, manage-bde tool or WMI APIs to add an appropriate key protector, and the volume status will be updated. -When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. +When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status. -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. 
If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. ## Used Disk Space Only encryption -The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. +The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption. Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. -Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. +Used Disk Space Only means that only the portion of the drive that contains data is encrypted, and that the unused space remains unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method on data being added to the drive, the portion of the drive used is encrypted; thus, there is never unencrypted data stored on the drive. 
-Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. +Full drive encryption means that the entire drive is encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and that may contain data remnants from their previous use. ## Active Directory Domain Services considerations -BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information: +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered. +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/). 
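Review bot: several of the rewordings in the @@ -135 hunk introduce errors. "needs to have a secure key added to the it before the drive is considered fully protected" has a stray "the". The parenthetical "(**Question: Is the change made to this sentence complying the intended meaning?**." is a reviewer question left in the article and also leaves the parenthesis unclosed; remove it from the hunk. "a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume" is harder to follow than the original; suggest "This is done by applying a randomly generated clear key protector to the formatted volume and encrypting the volume before running the Windows setup process." Likewise "When BitLocker is enabled with this method on data being added to the drive, the portion of the drive used is encrypted" garbles the original meaning (as data is added, the used portion is encrypted); suggest "When BitLocker is enabled with this method, the portion of the drive that is used is encrypted as data is added to it, so there is never unencrypted data stored on the drive." Finally, lowercasing "Group Policy" to "group policy" in two places is inconsistent with "The BitLocker Group Policy settings" kept later in the same file; "Group Policy" is the product name and should stay capitalized.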
@@ -169,28 +171,28 @@ The following recovery data is saved for each computer object: - **Key package data** - With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. ## FIPS support for recovery password protector -Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. +Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLocker to be fully functional in FIPS mode. > [!NOTE] -> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. 
+> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249). But on computers running these supported systems with BitLocker enabled: -- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. +- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. -- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. 
+- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**. +- When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. -The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. +The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not. -However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. +However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; therefore, recovery keys should be used, instead. ## More information From 9f8bee674ba7a9785d7840b5f92aa9a1884b124b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Sep 2020 19:17:31 +0530 Subject: [PATCH 06/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
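Review bot: replacing "FIPS 140" with "FIPS-140" throughout the @@ -169 hunk introduces a non-standard name; the standard is written "FIPS 140" (the publications are FIPS 140-2 and FIPS 140-3), so revert to "FIPS 140", "FIPS 140-compliant" and "the FIPS 140 NIST SP800-132 algorithm". The list item "... works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**." again commits a reviewer question into the article and leaves an unclosed parenthesis; remove it from the hunk. Two smaller points: the unchanged context line "stored in AD a while in FIPS mode" contains a pre-existing typo ("AD a", presumably "AD DS" as used elsewhere in the file) that could be fixed while this list is being edited, and "recovery keys should be used, instead." has a stray comma before "instead".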
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index d42faca138..f523d4f8af 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -127,7 +127,7 @@ Test your individual hardware platforms with the **BitLocker system check** opti To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system. -- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. From 31c849116414ce3f6ddeb27224078d1998bd9dda Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Sep 2020 19:10:34 +0530 Subject: [PATCH 07/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 79 +++++++++---------- 1 file changed, 39 insertions(+), 40 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ac7c00f8b6..2dc14bd0e6 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -23,30 +23,29 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +This topic describes the procedure to protect CSVs and SANs by using BitLocker. -BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes -### Using BitLocker with Clustered Volumes +### Using BitLocker with clustered volumes -BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. 
For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on -BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. ->**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. +>**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. 
This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key @@ -57,14 +56,14 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 4. Registry-based auto-unlock key ->**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly. +>**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. -2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. +2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. ```powershell 
@@ -77,16 +76,16 @@ BitLocker encryption is available for disks before or after addition to a cluste Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
@@ -110,9 +109,9 @@ When the cluster service owns a disk resource already, it needs to be set into m ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. -6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: +6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource 
@@ -120,44 +119,44 @@ When the cluster service owns a disk resource already, it needs to be set into m 7. Repeat the preceding steps for each disk in the cluster. -### Adding BitLocker encrypted volumes to a cluster using manage-bde +### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: -1. Verify the BitLocker Drive Encryption feature is installed on the computer. +1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example): - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` - 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. -4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
- - Once the disk is clustered it can also be enabled for CSV. + - Once the disk is clustered, it is enabled for CSV. -5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. +5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. -6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". -CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. 
```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` -### Physical Disk Resources +### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. @@ -262,17 +261,17 @@ The following table contains information about both Physical Disk Resources (i.e
->Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. -- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. -- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode. -- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) will automatically resume conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. 
-- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. -- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. +- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. From 5e544be8a97edcdf6bbc23c0d198a06cb809508c Mon Sep 17 00:00:00 2001 
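Review bot: Hunk @@ -23,30 ships two editorial queries in the published text ("**Question: Can it be rephrased as the volume can be one that is shared within the cluster?**" and "**Question: Can "on these types of volumes" be removed?**"); both must come out before merge, and if a rewording is wanted, apply it rather than asking in the article. The same hunk also inverts the subject of the first paragraph: the original said BitLocker on clustered volumes is managed according to how the cluster service "views" the volume, while "Volumes within a cluster are managed with the help of BitLocker" says BitLocker manages the volumes, which is not what is being described. Suggest "BitLocker on volumes within a cluster is managed based on how the cluster service "views" the volume to be protected." Similarly, "the volume must turn on BitLocker before its addition" attributes the action to the volume; "BitLocker must be turned on for the volume before it is added to the cluster storage pool, or the resource must be put into maintenance mode" matches the procedures that follow.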
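Review bot: "A Windows Server 2012 or later version's domain controller" in hunk @@ -57,14 is clumsier than the line it replaces; the possessive is not needed: "A domain controller running Windows Server 2012 or later is required for this feature to work properly." The same hunk leaves a third editorial query in the text ("**Question: Can it be rephrased as "the disk resource need not be suspended ...**"); drop it and, if the rewording is wanted, write "the disk resource does not need to be suspended to complete the operation." "Ensure the disk is an NTFS-formatted one" also reads worse than the original; "Ensure the disk is formatted as NTFS and has a drive letter assigned" is the conventional phrasing.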
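Review bot: The feature rename in hunk @@ -77,16 is inconsistent: step 1 of this procedure now reads "BitLocker drive encryption feature", while step 1 of the preceding procedure in the same file (unchanged by this patch) and the Windows feature name itself are "BitLocker Drive Encryption". Keep the product name capitalized in both places. In the warning, "cluster-shared Volume" mixes a lowercase hyphenated form with a capitalized "Volume"; the H2 in this file is "Configuring BitLocker on Cluster Shared Volumes", so use "Cluster Shared Volume" (or a consistently lowercase "cluster shared volume") rather than a third variant.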
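Review bot: "take back the physical disk resource out of maintenance mode" in hunk @@ -110,9 is ungrammatical; the original "take the physical disk resource back out of maintenance mode" (or simply "bring the physical disk resource out of maintenance mode") is correct and should be kept. The warning line in this hunk repeats the "cluster-shared Volume" casing problem noted for hunk @@ -77,16; the two warnings are identical and should be fixed the same way.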
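Review bot: Several edits in hunk @@ -120,44 change meaning rather than style. "Once the disk is clustered, it is enabled for CSV" turns an optional follow-on step (the original "can also be enabled for CSV") into an automatic result, which contradicts step 6 of the same list, where adding the disk to Cluster Shared Volumes is a separate action. "CSVs include both encrypted and unencrypted volumes" should stay "can include", and "administrators must utilize the **manage-bde -status** command" should stay "can", since manage-bde -status is one way to check status, not a requirement. Also fix the missing space in "using the**manage-bde** command line interface", make "the online operation has failed" read "the online operation fails" to match the present tense adopted elsewhere in the hunk, and "cluster checks whether" needs its article: "the cluster checks whether".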
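Review bot: The note line in hunk @@ -262,17 is still malformed after the edit: ">Note:** Although ..." has a closing "**" with no opening one, so it renders with stray asterisks; make it ">**Note:**  Although the **manage-bde -pause** command is blocked in clusters ..." to match the other notes in this file. The first bullet in this hunk also ships an editorial query ("**Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**"); remove it. The proposed wording would itself be wrong (a volume has a single encryption operation), so if the sentence is reworded, "BitLocker volumes must be initialized and encryption must have started before they can be added to a CSV2.0 volume" preserves the meaning.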
From: Asha Iyengar Date: Mon, 5 Oct 2020 17:41:54 +0530 Subject: [PATCH 08/65] Reviewed protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md (#3918) --- ...nd-storage-area-networks-with-bitlocker.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 2dc14bd0e6..acb4171785 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect CSVs and SANs by using BitLocker. +This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. 
@@ -31,36 +31,34 @@ BitLocker protects both physical disk resources and cluster shared volumes versi ### Using BitLocker with clustered volumes -Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. 
This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key -3. ADAccountOrGroup protector - - 1. Service context protector - 2. User protector - +3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. 
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require to suspend the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 
@@ -69,21 +67,19 @@ BitLocker encryption is available for disks before or after addition to a cluste ```powershell Get-Cluster ``` - 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure a **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
@@ -91,19 +87,16 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" ``` - 3. Put the physical disk resource into maintenance mode using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` - 4. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` - 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell @@ -116,7 +109,6 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` - 7. Repeat the preceding steps for each disk in the cluster. ### Adding BitLocker-encrypted volumes to a cluster using manage-bde 
@@ -268,7 +260,7 @@ In the case where a physical disk resource experiences a failover event during c ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From a2f677246e1803579bc003986e59b380c806334f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 6 Oct 2020 10:51:14 +0530 Subject: [PATCH 09/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 8dff04be1f..458f0a20c2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
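Review bot: The nested list rewrite in hunk @@ -31,36 will not render as intended: Markdown has no lettered list marker, so "a. Service context protector" and "b. User protector" become plain text inside item 3 rather than sub-items, and the blank lines that separated the nested list from items 3 and 4 have also been removed. Keep the original "1." / "2." sub-items with a four-space indent and the surrounding blank lines (the numbering is what shows the order in which protectors are tried, which is the point of the list). In the same hunk, "the disk resource does not require to suspend the resource to complete the operation" is ungrammatical; suggest "the disk resource does not need to be suspended to complete the operation". The "the volume must turn on BitLocker before its addition" wording from patch 01 is still present here and should be reworded to make the administrator, not the volume, the actor.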
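Review bot: Hunk @@ -69,21 introduces two errors. The warning changes "an **ADAccountOrGroup** protector" to "a **ADAccountOrGroup** protector"; the original article was correct and should be restored. The new intro sentence "To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following:" misspells the product name and adds a spurious article; it should read "To turn on BitLocker for a clustered disk using Windows PowerShell, do the following:" to match the parallel sentence in the previous section.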
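Review bot: Hunks @@ -91,19 and @@ -116,7 are whitespace-only removals of the blank lines between each closing code fence and the next numbered step. They are unrelated to the stated purpose of this review pass and they change the list from consistently loose to mixed spacing, so the rendered item spacing should be checked; unless the preview confirms no change, drop these hunks to keep the diff limited to wording fixes.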
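Review bot: The rewritten bullet in hunk @@ -268,7 ends with a stray space before the period ("CSV2.0 volume ."); remove it. Removing the editorial query is the right call, but "have to be initialized and begin encryption" still reads awkwardly; "must be initialized and encryption must have started before they can be added to a CSV2.0 volume" is clearer and says the same thing.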
@@ -29,7 +29,7 @@ This topic provides a high-level overview of BitLocker, including a list of syst BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the maximum protection when used with a trusted platform module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. 
@@ -55,9 +55,9 @@ To find out what's new in BitLocker for Windows 10, such as support for the XTS BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a trusted platform module (TPM), the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. -A computer with a TPM must also have a trusted computing group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. From 00bb28ce0573afef9496ea6c6e7776ce4794de01 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 9 Oct 2020 18:04:42 +0530 Subject: [PATCH 10/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 - 1 file changed, 1 deletion(-) 
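Review bot: Restoring the capitalized "Trusted Platform Module (TPM)" in hunk @@ -29,7 is correct, but the sentence still carries the redundancy introduced in patch 01: "version 1.2 or later versions". Since this hunk touches the line anyway, make it "TPM version 1.2 or later" (the original wording), and the same fix applies to "TPM 1.2 or later versions" in hunk @@ -55,9 and in the unchanged second paragraph of this hunk.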
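Review bot: Hunk @@ -55,9 correctly drops the repeated expansion of TPM now that it is spelled out on first use earlier in the file, and "Trusted Computing Group (TCG)" is the right casing for the organization name. The only remaining point is the "TPM 1.2 or later versions" redundancy noted for hunk @@ -29,7; "TPM 1.2 or later" is enough.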
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..180cf50eeb 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -54,7 +54,6 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors - | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| From ca6095f38e463d44bc5c07ecaf5e279ae4f32e94 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 9 Oct 2020 18:19:16 +0530 Subject: [PATCH 11/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 180cf50eeb..f523d4f8af 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -54,6 +54,7 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors + | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| From 74ad1a5f45a5990fc03a657f8686111ebc28ce76 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 12 Oct 2020 14:08:03 +0530 Subject: [PATCH 12/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..55ea45f733 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
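Review bot: PATCH 11 reverts PATCH 10 line for line (blob index 180cf50eeb..f523d4f8af against f523d4f8af..180cf50eeb), so the blank line between "### BitLocker key protectors" and the table is removed and then restored with no net change; squash both commits out of the series, since a removed-then-restored blank line leaves nothing to review.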
@@ -55,7 +55,7 @@ On computers that do not have TPM 1.2 or higher versions, you can still use BitL ### BitLocker key protectors -| Key protector | Description | +|**Key protector** | **Description** | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| From b517200777225f3183aea2fa84eaad31bfd957df Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 12 Oct 2020 14:22:16 +0530 Subject: [PATCH 13/65] Update prepare-your-organization Corrected the suggestion for PR3770 --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..fc7c0430c3 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
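Review bot: in the @@ -55,7 hunk, wrapping the header cells in `**` is redundant, since Markdown table renderers already display the header row in bold, and it diverges from the other tables in this series (the compatibility table in PATCH 16 uses plain header cells); keep `| Key protector | Description |`. Note also that the next commit, PATCH 13, is diffed against f523d4f8af rather than this commit's 55ea45f733, so this change is lost later in the series anyway.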
@@ -54,14 +54,12 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors - | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type** | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| From 8d2ea4dd09ce8dab7ba60c776fc9d0d3a4e94113 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 13:03:16 +0530 Subject: [PATCH 14/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 1 - 1 file changed, 1 deletion(-) 
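Review bot: the @@ -54,14 hunk is diffed against blob f523d4f8af, the tree before PATCH 12 (which produced 55ea45f733), and its context line `| Key protector | Description |` lacks the bold PATCH 12 added, so applying PATCH 13 after PATCH 12 fails on context; rebase it onto 55ea45f733 or drop PATCH 12. Removing the inline "**Question: ...**" editorial note from the published table is right, and the answer it asked for is already given by the Startup key row (alone on non-TPM computers, with a TPM otherwise), so no further wording change is needed.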
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index db893c2f8b..4f1c187a4c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -92,7 +92,6 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. From 0c00e7a77e799755f664d7ad3b440faede956526 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 15:33:06 +0530 Subject: [PATCH 15/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...-your-organization-for-bitlocker-planning-and-policies.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index fc7c0430c3..02a573b441 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
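Review bot: the @@ -92,7 hunk deletes the editorial question about the note being incomplete but leaves the note it questioned untouched, and that note still reads as a fragment: "If suspended BitLocker will automatically resume protection..." needs at least a comma, and better "If BitLocker is suspended, it automatically resumes protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command-line tool." Fix the sentence in the same hunk rather than only removing the question that pointed at it.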
@@ -80,7 +80,6 @@ Determine whether you will support computers that do not have a TPM 1.2 or highe **What areas of your organization need a baseline level of data protection?** The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. -**Question: Does reboot unattended imply reboot automatically?** However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. 
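Review bot: the @@ -80,7 hunk removes the "reboot unattended" question without changing the surrounding text, which is acceptable, but the context line directly below, "However, TPM-only authentication method offers the lowest level of data protection", is missing its article; the preceding paragraph says "The TPM-only authentication method", so add "the" here while the hunk is open.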
@@ -141,7 +140,7 @@ To check the BitLocker status of a particular volume, administrators can look at When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status. -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. ## Used Disk Space Only encryption 
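Review bot: in the @@ -141,7 hunk only the embedded question was removed, and the remaining sentence "This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process" is still hard to parse; suggest "A randomly generated clear key protector is applied to the formatted volume, and the volume is encrypted before the Windows setup process runs." That also makes it plain which of the two steps (applying the clear key, encrypting) happens before setup, which the current wording leaves ambiguous.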
@@ -184,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**. +- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From 7bced2ce10c3a170e5e17cdc29eec29491494ad1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 11:54:40 +0530 Subject: [PATCH 16/65] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
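Review bot: the @@ -184,7 hunk fixes the bullet with the embedded question, but two lines down in the same hunk's context "can be exported and stored in AD a while in FIPS mode" is a typo for "stored in AD DS while in FIPS mode" (the series uses "Active Directory Domain Services (AD DS)" in PATCH 23); fold that fix into this hunk since the list is already being edited.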
@@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From c59c9d15aa893e4d8fa44b3d88ad675b1ee60086 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:39:36 +0530 Subject: [PATCH 17/65] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From f3accee9338e79a8c005145929334436cf389a7d Mon Sep 17 00:00:00 2001 
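Review bot: PATCH 17 is a byte-for-byte duplicate of PATCH 16 (same blob indexes 23047bf7f1..fcf11cf7d8, same @@ -110,9 +110,8 @@ hunk), so it cannot apply after PATCH 16 and should be dropped from the series. The hunk itself is correct: the stray `|||||` header row and the delimiter line above the real header meant "Encryption Type|Windows 10 and Windows 8.1|..." rendered as a body row, and moving `|--- |--- |--- |--- |` directly under it fixes the table.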
From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:44:29 +0530 Subject: [PATCH 18/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index ce14a9e593..dc77051862 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -279,7 +279,7 @@ Windows Recovery Environment (RE) can be used to recover access to a drive prote This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. -## Windows RE and BitLocker Device Encryption +## Windows RE and its usage in BitLocker Device Encryption Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. From 3b62934480fff611abf5d9867a5ec8f8ea325a3a Mon Sep 17 00:00:00 2001 
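Review bot: the @@ -279,7 hunk renames an H2, which changes its generated anchor (#windows-re-and-bitlocker-device-encryption), so any in-repo links or TOC entries pointing at the old heading break; either keep the original "## Windows RE and BitLocker Device Encryption", which is shorter and no less clear than "and its usage in", or include the corresponding link updates in the same commit.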
From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:17:28 +0530 Subject: [PATCH 19/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 983ef48df9..32acbff95e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
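Review bot: in the @@ -25,7 hunk, replacing "adding additional protectors to the clustered volume" with "adding this extra layer of protection to the clustered volume" loses the mechanism the sentence was describing (adding protectors, such as the ADAccountOrGroup protector covered later in this file), so the new sentence no longer says what is added. Suggest "By adding protectors to the clustered volume, administrators restrict unlocking of the BitLocker volume to specific user accounts." This paragraph is rewritten again in PATCH 20 and PATCH 21; squash the three into one commit.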
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -79,7 +79,7 @@ BitLocker encryption is available for disks before or after addition to a cluste ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
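Review bot: in the @@ -41,7 hunk the new closing sentence "The usage of **manage-bde -WipeFreeSpace** command is blocked" is missing an article; write "Use of the **manage-bde -WipeFreeSpace** command is blocked". Since the command name already appears verbatim in the sentence before, "This command is blocked on thinly provisioned volumes to avoid expanding them to occupy the entire backing store while wiping free space." would be tighter while still naming the subject the original "This is blocked" left implicit.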
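Review bot: in the @@ -79,7 hunk the product name is miscapitalized as "Bitlocker" on both the old and the new line, and the new wording adds a wrong article: "To turn on the Bitlocker for a clustered disk" should read "To turn on BitLocker for a clustered disk using Windows PowerShell, perform the following steps:". Fix the capitalization while the line is being touched; the rest of the file uses "BitLocker".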
@@ -113,7 +113,7 @@ When the cluster service owns a disk resource already, the disk resource needs t ### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: 1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 
@@ -149,11 +149,11 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. From c8550e5e36f3f62abd8145f3cf6313bc0df9fe4c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:23:00 +0530 Subject: [PATCH 20/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
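Review bot: in the @@ -149,11 hunk "This condition means" is an odd noun for what precedes it, which is an access model (one owning node at a time), not a condition; "Because only the owning node can access the resource, operations such as encrypting, decrypting, locking or unlocking volumes require that node's context" states the dependency the example sentence then illustrates. The "i.e." to "that is" change in the @@ -155 region is fine.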
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 32acbff95e..d3ea4a6ba2 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes From 21b1e166d0f32dd558e92f8ac6ed74987fa5c2b5 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:28:11 +0530 Subject: [PATCH 21/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3ea4a6ba2..ae0507a14d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
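Review bot: in the @@ -25,7 hunk of PATCH 21 the final sentence "Only certain user accounts provided access to unlock the BitLocker volume." has no main verb; write "Only specific user accounts are allowed to unlock the BitLocker volume." Also "increase the security to resources" should be "increase the security of resources", and dropping "within an organization" removes the only phrase saying whose resources are meant. PATCH 19, 20 and 21 each rewrite this one paragraph; squash them so reviewers see the final wording once.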
From 8623f6afa0c04db9fff8840210a7d974085bcfbb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 12:49:50 +0530 Subject: [PATCH 22/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...hared-volumes-and-storage-area-networks-with-bitlocker.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ae0507a14d..dd8155bcdd 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,7 +35,10 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: + +- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. From b78d49c9fed05efd47fd3d0069898dd7e2a74581 Mon Sep 17 00:00:00 2001 
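Review bot: the @@ -35,7 hunk turns an either/or requirement into a list of two things the volume "must do", which changes the meaning: the removed sentence says to enable BitLocker before adding the volume to the storage pool, or to put the resource into maintenance mode before BitLocker operations complete. The new bullets also mix number ("The volumes ... It must") and contain "Only after this done" (missing "is"). Suggest: "For volumes designated for a cluster, do one of the following:" followed by "- Turn on BitLocker before adding the volume to the storage pool within the cluster." and "- Put the resource into maintenance mode before BitLocker operations are completed."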
From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:00:04 +0530 Subject: [PATCH 23/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index dd8155bcdd..7d35481c85 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -48,14 +48,17 @@ For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLo ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: -1. Clear key -2. Driver-based auto-unlock key -3. **ADAccountOrGroup** protector - a. Service context protector - b. User protector -4. Registry-based auto-unlock key +- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. +- BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + + 1. Clear key + 2. Driver-based auto-unlock key + 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. 
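Review bot: in the @@ -48,14 hunk the lead-in "the following events take place" followed by two dash bullets presents one behaviour (the service intercepts the request and tries protectors in order) as two separate events, and the first bullet lacks its article ("The BitLocker service ..."). Keep the original single paragraph ending in "attempting protectors in the following order:" directly above the numbered list, and, now that the numbered list sits inside a bullet, check that the "a." and "b." sub-items under item 3 are indented so they nest under it rather than start a new list.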
@@ -125,7 +128,8 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. - 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: + - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. From 3c350893b42d6bbc99511682d7345e6eaec6ab36 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:10:29 +0530 Subject: [PATCH 24/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...volumes-and-storage-area-networks-with-bitlocker.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 7d35481c85..16782434b3 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
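Review bot: the single-entry bullet introduced under step 2 (`However, using -sync parameter has the following advantage:` followed by one `-` line) turns one sentence into a lead-in plus a one-item list and reads worse than the original; keep it as prose, e.g. `2. The -sync parameter is optional; it makes the command wait until encryption of the volume completes before the volume is released for use in the cluster storage pool.` If the list stays, the lead-in is missing an article (`using the -sync parameter`).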
@@ -129,7 +129,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: - - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
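Review bot: splitting the bullet into `... until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.` loses the point that delaying the release is what `-sync` does; the second sentence now reads as an unconditional statement about when volumes are released. One sentence keeps the causal link: `The -sync parameter makes the command wait until encryption of the volume is complete before releasing it for use in the cluster storage pool.`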
@@ -143,10 +143,14 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". -CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: + +- Utilize the **manage-bde -status** command with a path to the volume. + + The path must be one that is inside the CSV namespace as seen in the example command line below. ```powershell From 8180887bf8fecc42effd88bc3d24e5b099fab5ee Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 14:41:52 +0530 Subject: [PATCH 25/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
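Review bot: in the new lead-in `To check the status of a particular volume for BitLocker encryption: administrators must do the following task:` the first colon is wrong (it cuts the subordinate clause off from its main clause), and the one-entry `-` list with an indented continuation paragraph replaces a single clear sentence; suggest `To check the BitLocker status of a particular volume, run manage-bde -status with a path to the volume inside the CSV namespace, as in the example command line below.` In the same hunk, `Bitlocker` in `If these actions by Bitlocker fail` should be `BitLocker` to match the rest of the article, and `If volume is **locked**` is missing `the`.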
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 16782434b3..06c283bba1 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,16 +35,16 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: - It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. 
Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector 
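Review bot: `don''t` in the added line `Volumes that lack drive letters don''t appear in the BitLocker Control Panel item.` has a doubled apostrophe and will render literally; it should be `don't`. Replacing `Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster.` with `Instead, the volume can be a cluster-shared volume.` also drops the only definition of a CSV in this section and hyphenates `cluster-shared`, which does not match the expansion of the CSV acronym used elsewhere in the article (`Add to cluster shared volumes`); keep `cluster shared volume` unhyphenated and retain the `a shared namespace within the cluster` gloss.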
@@ -64,7 +64,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: +BitLocker encryption is available for disks before these disks are added to a cluster storage pool. +> [!NOTE] +> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. +The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. +To turn on BitLocker for a disk before adding it to a cluster: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. From d521d9e93347e998f52c548de9c527571ab58896 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 14:53:10 +0530 Subject: [PATCH 26/65] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fcf11cf7d8..c0a736e299 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
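Review bot: the added note text `> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.` is garbled: `The advantage of The` is a leftover fragment of the sentence that follows the note, and `Bitlocker` should be `BitLocker`. It should read `> BitLocker encryption can also be enabled for disks after they are added to a cluster storage pool.` The `> [!NOTE]` block also needs a blank line before and after it: as added it sits directly between two paragraphs, and in CommonMark a non-blank line immediately after a blockquote line continues the quote, so `The advantage of encrypting volumes prior to adding them ...` will be rendered inside the note.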
@@ -55,9 +55,11 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as: +- verification of the integrity of the system before it is booted +- multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | -|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. From 9d80f4d9e23db9f1f12cff95a4890001a6141999 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:29:12 +0530 Subject: [PATCH 27/65] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 2146b82940..05e8f44ec6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -55,9 +55,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as: -- verification of the integrity of the system before it is booted -- multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as (a) verification of the integrity of the system prior to its booting, and (b) multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| From 6f2fa0d82e9fe78cc6540a00d50d3255e8a9948c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 13 Sep 2022 15:31:12 +0530 Subject: [PATCH 28/65] fixed the warnings --- .../bitlocker/bitlocker-basic-deployment.md | 2 +- .../bitlocker-device-encryption-overview-windows-10.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 05e8f44ec6..06f1349062 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -111,7 +111,7 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| -|--- |--- |--- |--- | +|---|---|---|---| |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| 
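Review bot: in the @@ -55,9 +55,7 @@ hunk of bitlocker-basic-deployment.md, folding the two points inline as `(a) ... and (b) ...` correctly undoes the `- ` bullets the previous commit placed inside the `Hardware TPM` table cell, since Markdown list markers do not render inside a table row. The `File system` row in this hunk's context still carries that commit's regression: `One FAT32 partition for the system drive and one NTFS partition for the operating system drive.` dropped the `at least` that the original UEFI requirement had, while the legacy BIOS sentence beside it keeps `at least two NTFS disk partitions`; restore `At least one FAT32 partition ...` and remove the stray leading space after `|File system|`. `prior to its booting` is also stilted; `before it boots` reads better.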
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index af220e5c22..03b03a3499 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -19,8 +19,7 @@ ms.custom: bitlocker # Overview of BitLocker Device Encryption in Windows 10 -**Applies to** -- Windows 10 +**Applies to:** Windows 10 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). From 60b0b59b3e73bb71f030c264caa7d12febc95af6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 14 Sep 2022 10:40:15 +0530 Subject: [PATCH 29/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3b6788152..53e04dc61e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -31,9 +31,9 @@ Volumes within a cluster are managed with the help of BitLocker based on how the > [!IMPORTANT] > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). -Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. 
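Review bot: `The volumes that are designated for a cluster must do the following tasks:` followed by `- It must turn on BitLocker` and `- It must put the resource into maintenance mode` mismatches in number (volumes / It) and attributes the tasks to the volumes rather than to the administrator; suggest `Before a volume can be used in a cluster:` with `- Turn on BitLocker; only then can the volume be added to the storage pool.` and `- Put the resource into maintenance mode before performing BitLocker operations.` The trailing context line of this hunk still contains the doubled apostrophe in `don''t appear in the BitLocker Control Panel item`, and this contraction clean-up commit is the natural place to fix it.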
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -68,7 +68,7 @@ BitLocker encryption is available for disks before these disks are added to a cl The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker Drive Encryption feature if it isn't already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. 
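Review bot: in the @@ -41,7 +41,7 @@ hunk, `If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), ...` is ungrammatical (`storage` is a mass noun, so `a thinly provisioned storage` does not work) and turns a description of which mode BitLocker uses into a conditional; the original `For thinly provisioned storage, such as ...` was the clearest form and should be restored. The `isn't` change in the @@ -68,7 +68,7 @@ hunk is fine as is.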
@@ -91,7 +91,7 @@ To turn on BitLocker for a disk before adding it to a cluster: When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: -1. Install the BitLocker drive encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it isn't already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
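Review bot: the context line two above the change, `To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps:`, has the lower-case `Bitlocker` and a stray article (`the Bitlocker`) that this same commit corrects elsewhere in the file (`If these actions by BitLocker fail`); fix it here as well: `To turn on BitLocker for a clustered disk using Windows PowerShell, perform the following steps:`.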
@@ -140,16 +140,16 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. - - Once the disk is clustered, it is enabled for CSV. + - Once the disk is clustered, it's enabled for CSV. 5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. - 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. + 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: 
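Review bot: `If volume is **locked**` in the changed line is still missing `the`; since this hunk already edits that line for `Bitlocker` → `BitLocker` and `couldn't`, make it `If the volume is **locked**` in the same change. The trailing context line `To check the status of a particular volume for BitLocker encryption: administrators must do the following task:` also still has the misplaced colon before `administrators`.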
@@ -166,7 +166,7 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available. ### Restrictions on BitLocker actions with cluster volumes 
@@ -277,12 +277,12 @@ The following table contains information about both physical disk resources (tha >Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 -Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . +Some other considerations to take into account for BitLocker on clustered storage include: +- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From e328ccf8e88aa6bbb11816129b356a30c1b0c038 Mon Sep 17 00:00:00 2001 
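Review bot: the context line `>Note:** Although the **manage-bde -pause** command is blocked in clusters, ...` has an unbalanced bold marker (a closing `**` with no opening one) and renders with literal asterisks; the earlier hunks of this commit already convert notes in this file to the `> [!IMPORTANT]` / `> [!NOTE]` alert syntax, so convert this one too. In the `Other considerations` list, consecutive bullets call the same state `disk maintenance mode` and `maintenance mode`; use one term.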
From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:34:05 +0530 Subject: [PATCH 30/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2bf30cdb62..2f1f5cd271 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: 
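Review bot: replacing the absolute `https://docs.microsoft.com/windows/deployment/mbr-to-gpt` URL with the relative `../../../deployment/mbr-to-gpt.md` is correct for this file's location (`windows/security/information-protection/bitlocker/` is three levels below `windows/`), but the same link is rewritten again in each of the next three commits of this series; squash those follow-ups into this one so the series does not carry a broken link in its intermediate states.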
@@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server, you will also need | Topic | Description | | - | - | | [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | | [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| From 6c54f005ef924b0f10db3da84f22d56cb4b4cdd4 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:37:06 +0530 Subject: [PATCH 31/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2f1f5cd271..33bea27ecf 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md 
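Review bot: retargeting the FAQ link to `bitlocker-frequently-asked-questions.yml` only works if the FAQ was converted to a YAML page in this or an earlier change; the commit message `Update bitlocker-overview.md` does not say so. Either mention the converting commit in the message or land both changes together so the link never dangles.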
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 278d1e873b59042228d444c68703e4716737bb85 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:50:15 +0530 Subject: [PATCH 32/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 33bea27ecf..2f1f5cd271 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
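Review bot: `../deployment/mbr-to-gpt.md` resolves to `windows/security/information-protection/deployment/mbr-to-gpt.md`, which is not where the deployment docs live; relative to `windows/security/information-protection/bitlocker/bitlocker-overview.md`, the target under `windows/deployment/` is `../../../deployment/mbr-to-gpt.md`, as the previous commit already had it. This commit (and the one after it that reverts it) should be dropped from the series.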
@@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 72fce29ef366ac20a167e2698ec931be9f6dcc04 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:56:33 +0530 Subject: [PATCH 33/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2f1f5cd271..029ec810fd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
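Review bot: this hunk is an exact revert of the preceding commit (the index line runs 33bea27ecf..2f1f5cd271, back to the blob patch 31 started from). Squash patches 31, 32 and 33 so the history records only the final form of the MBR2GPT link instead of three flips of the same path.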
@@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 96a6ee7cf1bc6c01ed845f074e1aef3db4f2e5c8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:45:05 +0530 Subject: [PATCH 34/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 029ec810fd..9a6ffdc982 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
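Review bot: the root-relative link `/windows/deployment/mbr-to-gpt.md` keeps the `.md` extension, while every other root-relative link in this series (`/archive/blogs/craigf/...`, `/windows/iot-core/...`, `/azure/active-directory/...`) omits it; use `/windows/deployment/mbr-to-gpt` for consistency. Since the line is being rewritten anyway, the unchanged sentence "Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI" would read better as "An operating system installed in Legacy BIOS mode will not boot after the firmware is switched to UEFI; run MBR2GPT before changing the BIOS mode so the OS and disk are prepared for UEFI."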
@@ -95,7 +95,7 @@ When installing the BitLocker optional component on a server, you will also need | [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | From 5e157e3a92a65c9849ef8d4abebd88348028dfa2 Mon Sep 17 00:00:00 2001 
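Review bot: the retargeted link uses a `./` prefix (`./bitlocker-countermeasures.md`) while every other row in this table uses a bare filename; drop the prefix. The link text and description still describe the old "Protect BitLocker from pre-boot attacks" guide for "Windows 10, Windows 8.1, Windows 8, or Windows 7"; if the row now points at the countermeasures article, update the text to that article's title, and the Windows 7/8 list is out of step with the "Windows 10 / Windows 11 / Windows Server 2016 and later" Applies-to lists used elsewhere in this series.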
From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:50:19 +0530 Subject: [PATCH 35/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 121 +++--------------- 1 file changed, 17 insertions(+), 104 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 53e04dc61e..afa604d207 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -172,110 +172,23 @@ Unlike CSV2.0 volumes, physical disk resources can only be accessed by one clust The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. -
    ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Action

    On owner node of failover volume

    On Metadata Server (MDS) of CSV

    On (Data Server) DS of CSV

    Maintenance Mode

    Manage-bde –on

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde –off

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde Pause/Resume

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde –lock

    Blocked

    Blocked

    Blocked

    Allowed

    manage-bde –wipe

    Blocked

    Blocked

    Blocked

    Allowed

    Unlock

    Automatic via cluster service

    Automatic via cluster service

    Automatic via cluster service

    Allowed

    manage-bde –protector –add

    Allowed

    Allowed

    Blocked

    Allowed

    manage-bde -protector -delete

    Allowed

    Allowed

    Blocked

    Allowed

    manage-bde –autounlock

    Allowed (not recommended)

    Allowed (not recommended)

    Blocked

    Allowed (not recommended)

    Manage-bde -upgrade

    Allowed

    Allowed

    Blocked

    Allowed

    Shrink

    Allowed

    Allowed

    Blocked

    Allowed

    Extend

    Allowed

    Allowed

    Blocked

    Allowed

    - ->Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. +| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode | +|--- |--- |--- |--- |--- | +|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed| +|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed| +|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed| +|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed| +|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| +|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed| +|**Shrink**|Allowed|Allowed|Blocked|Allowed| +|**Extend**|Allowed|Allowed|Blocked|Allowed| + +> [!NOTE] +> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. From a1df887f6671944604df056b6dfebe5b43f1bc60 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:58:01 +0530 Subject: [PATCH 36/65] resolved comments --- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
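Review bot: the Pause/Resume row of the new markdown table carries a stray `**` after "Blocked" in the MDS column (`|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|`); it will render as literal asterisks or swallow the next bold span, so remove it. The first column also mixes en dashes (`–on`, `–off`, `–lock`, `–wipe`, `–protector –add`, `–autounlock`) with ASCII hyphens (`-protector -delete`, `-upgrade`, `-pause` in the note); manage-bde only parses ASCII `-`, so a reader who copies the en-dash form gets a parse error. Normalize every switch to `-` and use one capitalization (`manage-bde`) for the whole column. Converting the HTML table to markdown and the bare "Note:" to `> [!NOTE]` is otherwise a clear improvement.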
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index e0d12cc32a..20fe2b176d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -19,7 +19,7 @@ ms.custom: bitlocker **Applies to** - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index ff944581f9..1b77d14e1c 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
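Review bot: "Windows Server 2016 and later" is the right wording, but the fix is applied to only one file. The context lines for prepare-your-organization-for-bitlocker-planning-and-policies.md later in this series (patches 43 through 47) still read "Windows Server 2016 and above", while bitlocker-recovery-guide-plan.md (patch 41) already reads "and later"; make the same change in the planning article so the Applies-to blocks match.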
@@ -155,7 +155,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). From 4d71847064fb5c6efa08877119f5bccc36a2e0ee Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 13:50:06 +0530 Subject: [PATCH 37/65] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 334dcb3e62..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
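Review bot: the `-` and `+` lines of this hunk are textually identical (the group policy path), so the change is whitespace only, most likely trailing whitespace. That is fine, but the commit message "resolved comments" does not say so; either drop the hunk or state in the message that it strips trailing whitespace.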
@@ -22,8 +22,8 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. +For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 87448d4ead7a9a986c69db8b2ae433fd074e1727 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 14:36:33 +0530 Subject: [PATCH 38/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 54df9c5536..76cd8bab26 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
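Review bot: the context line "- Windows Server 2016 and above" shows this hunk was cut against a version of bitlocker-device-encryption-overview-windows-10.md that predates patch 36, which changed that same line to "and later" (compare the blob ids e0d12cc32a..20fe2b176d there with 334dcb3e62..e1d313bfbc here). Rebase so the series applies cleanly. The "topic" to "article" wording change itself is fine and matches patch 41.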
@@ -102,14 +102,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer:** -1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. +1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. +1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: @@ -150,7 +150,7 @@ If the user does not have a recovery password in a printout or on a USB flash dr - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] 
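Review bot: in the @@ -102 hunk, "Select the Start button, type cmd in the Start Search box, and select and hold cmd.exe, and then select Run as administrator" doubles the conjunction; drop the first "and". "Select and hold" is the touch gesture only and loses the mouse instruction that "right-click" carried; write "right-click (or select and hold) cmd.exe". The unchanged command line `manage-bde -forcerecovery ` ends in a trailing space with no volume argument, so confirm the intended volume is present before merging. In the @@ -150 hunk, "Check the ... check box" is redundant; "Select the Do not enable BitLocker until recovery information is stored in AD DS check box" matches the select-based wording used in the rest of this patch, and if the preceding list of three policy names is not followed by a blank line, this paragraph renders as a continuation of the last list item.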
@@ -250,9 +250,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. + 1. Select and hold the drive and then select **Change PIN** + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. 3. You will use the new PIN the next time you unlock the drive. ### Lost startup key @@ -263,7 +263,7 @@ If you have lost the USB flash drive that contains the startup key, then you mus 1. Log on as an administrator to the computer that has its startup key lost. 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. +3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**. ### Changes to boot files From 0264341de4b11b7d492b3d811fab1467d2fe43d0 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 14:52:27 +0530 Subject: [PATCH 39/65] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 9a6ffdc982..35d12539cf 100644 
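Review bot: in the @@ -250 hunk, "Select and hold the drive and then select Change PIN" again drops the mouse action; write "Right-click (or select and hold) the drive, and then select Change PIN." and end the step with a period like the two steps that follow it. In the @@ -263 hunk, "Duplicate start up key" should read "Duplicate startup key", matching "Lost startup key" and "contains the startup key" in the surrounding context.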
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -98,7 +98,7 @@ When installing the BitLocker optional component on a server, you will also need | [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | +| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core | From e2e3e10af45e911f0ef1c473d3dbb1c4b3766625 Mon Sep 17 00:00:00 2001 From: Thorsten Sauter Date: Sun, 25 Sep 2022 04:47:48 -0700 Subject: [PATCH 40/65] Fixed broken link in Hello Planning Guide This fixes the broken link in the WHFB Planning Guide. The link text is the title of the page being linked to. --- .../hello-for-business/hello-planning-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
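Review bot: the description "This topic describes how to use BitLocker with Windows IoT Core" is the only row in this table without a terminal period; add one. The new root-relative target `/windows/iot-core/secure-your-device/SecureBootAndBitLocker` follows the no-extension convention used by the other root-relative links in this series, which is what patch 33 should also do.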
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 32137c8e75..e48d058b7b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md. +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md). The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
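Review bot: the link text "Hybrid Cloud Kerberos Trust Deployment (Preview)" bakes the preview status into a cross-reference that will go stale once the feature is generally available; consider "Hybrid cloud Kerberos trust deployment" and let the target page carry its own status. While this line is being rewritten, the comma in "called cloud Kerberos trust, in early 2022" separates the verb from its time phrase; drop it or move the date to the front of the sentence.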
@@ -349,4 +349,4 @@ If boxes **2a** or **2b** read **modern management** and you want devices to aut ## Congratulations, You're Done -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. \ No newline at end of file +Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. From 473dda6385f162cc977e5831789eb83bb3ffe88f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:11:40 +0530 Subject: [PATCH 41/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 7b225fb595..27891404e0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
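Review bot: adding the missing trailing newline is fine and removes the "No newline at end of file" marker from future diffs. Since the section is being touched, the heading "## Congratulations, You're Done" could use sentence case ("Congratulations, you're done") to match the other headings in this series such as "### Lost startup key" and "### Changes to boot files".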
@@ -24,7 +24,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and later -This topic describes how to recover BitLocker keys from AD DS. +This article describes how to recover BitLocker keys from AD DS. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. From f72780a0775f6008e8eaac6f42a95858f9f3c562 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:50:45 +0530 Subject: [PATCH 42/65] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 27891404e0..34a2bde95f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
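Review bot: "This topic" to "This article" matches patch 37, but patches 43 through 47 still leave "This topic for the IT professional explains..." in prepare-your-organization-for-bitlocker-planning-and-policies.md; apply the same rename there. The "Windows Server 2016 and later" context line here is the wording the other Applies-to lists in the series should be brought in line with.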
@@ -274,15 +274,6 @@ This error occurs if you updated the firmware. As a best practice, you should su Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. -### Changes to boot files - -This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. - - -## Windows RE and its usage in BitLocker Device Encryption - -Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). 
If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. - Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. From 5a69cd2eceecf00b57c6da3c690e988a328cec28 Mon Sep 17 00:00:00 2001 
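Review bot: removing the duplicated "Changes to boot files" and "Windows RE and its usage in BitLocker Device Encryption" sections is right, but the copy that survives (the context paragraph at the top of the hunk) carries a stray bold span, "PCR\[7\] **the TPM** can validate", that the deleted duplicate did not have; fix it to "PCR\[7\], the TPM can validate" in this commit so the correction is not lost with the duplicate. The surviving paragraph also reads "the drives stay locked" where the deleted one read "will stay locked"; the retained present-tense form is the better one, so nothing else to carry over.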
From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:54:33 +0530 Subject: [PATCH 43/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 926c0e071b13ecee97ae14116a51347f7fba6c71 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:55:05 +0530 Subject: [PATCH 44/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
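Review bot: "explains how to plan BitLocker deployment" is missing an article; "how to plan a BitLocker deployment" (or "your BitLocker deployment", as the original had) reads correctly. The context line "- Windows Server 2016 and above" should become "and later" as patch 36 did for the device-encryption overview, and the index line 4cda103d80..ded42ee1ee shows this hunk is based on a blob that predates patch 36's change to this same file (ff944581f9..1b77d14e1c), so it needs a rebase before it will apply.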
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 1cab382ffde0cd1c6f7a3f6ba9d99025252b5718 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:55:31 +0530 Subject: [PATCH 45/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From a684dbd5829aeb6042b75ca8c23c81cce112850f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:56:21 +0530 Subject: [PATCH 46/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 30c45fba094b1c47ad39c149aee8021237df2d53 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:57:03 +0530 Subject: [PATCH 47/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 1b77d14e1c..8df6789baa 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how to plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. From ed4741461d61a6285098c8393990edfb8b1847b2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:03:26 +0530 Subject: [PATCH 48/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 8df6789baa..9c7eba189e 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
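Review bot: This hunk is applied against a different base (index 1b77d14e1c..8df6789baa, with the removed line already reading "This topic explains how to plan your BitLocker deployment.") than patches 43 to 46, and its unchanged context line "The following topics help you collect information that you can use to frame your decision-making process" is the pre-edit wording that patch 48 then rewrites again. The branch looks rebased or reordered mid-series; rebase and squash so the page carries a single change, otherwise the merge will conflict on these two lines.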
@@ -25,7 +25,7 @@ ms.custom: bitlocker This topic for the IT professional explains how to plan BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. +When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. ## Audit your environment From d330f0e687bf42a34d049e31dedb6ab8493eb8c2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:13:46 +0530 Subject: [PATCH 49/65] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 334dcb3e62..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
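Review bot: The replacement line switches to future tense ("The following sections will help you collect information") where the removed line and the rest of the page use present tense ("help you collect information"); splitting it into two sentences is fine, but keep it in the present: "The following sections help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems."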
@@ -22,8 +22,8 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. +For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 271bfaac7de979ed56b3a95d91721a6fa38f564f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:16:10 +0530 Subject: [PATCH 50/65] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 20fe2b176d..79e687ca90 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -21,7 +21,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and later -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 3aaac9b0f5532fe4fda392c248b88bb74070681e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 7 Oct 2022 12:10:54 +0530 Subject: [PATCH 51/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...e-your-organization-for-bitlocker-planning-and-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index ded42ee1ee..1cb9dbb802 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
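Review bot: This hunk duplicates patch 49 against a different base: the index here is 20fe2b176d..79e687ca90 versus 334dcb3e62..e1d313bfbc in patch 49, the context line reads "Windows Server 2016 and later" here but "and above" there, and the sentence is on one line here but split across two lines in patch 49. Only one of the two can apply cleanly; keep this single-line version and drop patch 49 (or vice versa) after rebasing so the topic-to-article rename is made once.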
@@ -1,6 +1,6 @@ --- title: Prepare your organization for BitLocker Planning and policies (Windows 10) -description: This topic for the IT professional explains how can you plan your BitLocker deployment. +description: This article for the IT professional explains how can you plan your BitLocker deployment. ms.reviewer: ms.prod: m365-security ms.localizationpriority: medium @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how to plan BitLocker deployment. +This article for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 8b1c3c1b2431db480857cded47c6750928a62c5f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 7 Oct 2022 15:30:52 +0530 Subject: [PATCH 52/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index afa604d207..1507661978 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
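Review bot: The first hunk changes "topic" to "article" in the front matter but leaves the grammatical error in place: "description: This article for the IT professional explains how can you plan your BitLocker deployment." The second hunk in the same commit already fixes the body line to "explains how to plan BitLocker deployment", so the description should be updated to match ("explains how to plan BitLocker deployment."); otherwise the search snippet and the page will disagree.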
@@ -18,7 +18,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. +This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. From ee37385885633c73b62ff700c2adadae7473b918 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:33:09 -0600 Subject: [PATCH 53/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/e6801d00-ac9e-46c8-8b26-370e2dfa083a#CORRECTNESS Line 78: you're > you'll Line 151: only > just Line 186: Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. > Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. --- ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c4962bf5cd..c3e1167342 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
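Review bot: The unchanged context line at the end of this hunk is missing its verb: "Only certain user accounts provided access to unlock the BitLocker volume." Since the commit is already editing this paragraph, fix it here, for example "Only certain user accounts are provided access to unlock the BitLocker volume."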
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -75,7 +75,7 @@ On computers that don't have a TPM version 1.2 or higher, you can still use Bit **Will you support computers without TPM version 1.2 or higher?** -Determine if you're support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine if you'll support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** 
@@ -148,7 +148,7 @@ The BitLocker Setup wizard provides administrators the ability to choose the Use Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. -With Used Disk Space Only, only the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. 
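Review bot: The last sentence of the changed paragraph contradicts the sentence two before it: "Unused space will remain unencrypted" versus "So, there's never unencrypted data stored on the drive." The unchanged paragraph that follows also says repurposed drives "may contain data remnants from their previous use", which is exactly what Used Disk Space Only leaves in the clear. Rewrite the claim to what the mode guarantees: "So, data written after BitLocker is enabled is never stored unencrypted." The "only" to "just" swap itself is fine.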
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From f9ce39eb536a3d9b73856ee06b8ff8b75bfaf1d9 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:40:13 -0600 Subject: [PATCH 54/65] Update windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md This sentence might be confusing. Maybe these commas would help? --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c3e1167342..4095417001 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
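Review bot: Hyphenating "algorithm-based" and inserting the comma changes the meaning of the bullet: the original says the protector is based on the FIPS-compliant algorithm, while "FIPS-compliant, algorithm-based recovery password protector" lists two unrelated attributes. A reading that keeps the intent: "Recovery unlock using a recovery password protector based on the FIPS-compliant algorithm works in all cases that currently work for recovery passwords." The unchanged last context line "stored in AD a while in FIPS mode" is also a typo worth fixing in the same hunk; elsewhere in this series (the recovery guide hunk in patch 56) the directory is written "AD DS".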
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. +- Recovery unlock, using the FIPS-compliant, algorithm-based recovery password protector, works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From d75c01535795957c1098d75a6cc2c6c7a9f478ce Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:46:14 -0600 Subject: [PATCH 55/65] Update bitlocker-countermeasures.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/cfaa7d44-e8a7-4281-924f-33dcd42ad82f#CORRECTNESS Line 85: a standard sign in > a standard sign-in Line 87: the user enter > the user enters Line 133: physically-present > physically present (Suggestion: An attacker who is physically present...) --- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 5270498276..68889e3dcd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
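Review bot: The added commas make "using the FIPS-compliant, algorithm-based recovery password protector" a parenthetical, so the sentence now asserts that recovery unlock in general "works in all cases that currently work for recovery passwords", which is circular; the point of the bullet is that this specific protector type unlocks wherever an ordinary recovery password does. Drop the commas and restructure instead: "Recovery unlock using a recovery password protector based on the FIPS-compliant algorithm works in all cases that currently work for recovery passwords."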
@@ -82,9 +82,9 @@ This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. 
TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. In the following group policy example, TPM + PIN is required to unlock an operating system drive: @@ -130,7 +130,7 @@ This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. This is the default configuration. From c013cf51314df99340864ce636b47f32014b08a2 Mon Sep 17 00:00:00 2001 
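Review bot: In the first hunk, "BitLocker requires that the user enters a PIN" is a regression: "requires that ... enter" is the mandative subjunctive and was correct as written, so either keep "enter" or sidestep the form with "BitLocker requires the user to enter a PIN." Joining the anti-hammering sentence onto the same bullet line is a good fix and should stay. The "sign-in" hyphenation and the "physically present attacker" change in the second hunk are fine.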
From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:48:11 -0600 Subject: [PATCH 56/65] Update bitlocker-recovery-guide-plan.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/2b6b5714-3222-4576-ac40-82f45f656a17#CORRECTNESS Line 475: Backup >Back up --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 34a2bde95f..2d622dbe34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -472,7 +472,7 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS. +4. Back up the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} From 1cbedb5204a84c6dabf258fbeed40c4e2785fbeb Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:51:56 -0600 Subject: [PATCH 57/65] Update prepare-your-organization-for-bitlocker-planning-and-policies.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/abe1d71a-f2e5-4c62-bb68-030266f1f300#CORRECTNESS Line 78: you're > you'll Line 151: Space Only, only > Space Only, just Line 186: - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. > - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. --- ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
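Review bot: The unchanged code-block lines around the corrected step use en dashes instead of hyphens for the manage-bde switches: "Manage-bde –protectors –get C: -Type RecoveryPassword" and "Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}". manage-bde doesn't recognise "–protectors" as a switch, so anyone pasting the command gets a parse error; note that "-Type" and "-id" in the same lines already use the ASCII hyphen. Since this commit is already touching the step, replace the dashes with "-" in both commands.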
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c4962bf5cd..c3e1167342 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -75,7 +75,7 @@ On computers that don't have a TPM version 1.2 or higher, you can still use Bit **Will you support computers without TPM version 1.2 or higher?** -Determine if you're support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine if you'll support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** 
@@ -148,7 +148,7 @@ The BitLocker Setup wizard provides administrators the ability to choose the Use Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. -With Used Disk Space Only, only the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. 
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From 81d0e59f9cfd257e38bab217a6371045c1e37a98 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:05:20 -0600 Subject: [PATCH 58/65] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 39: don''t > don't --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 5e52289f83..ecd80d741d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
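Review bot: This commit is a byte-for-byte repeat of patch 53 (same index c4962bf5cd..c3e1167342, same three hunks and same commit message), and its third hunk reintroduces the wording "FIPS-compliant, algorithm-based recovery password protector works" that patch 54 had already replaced with the comma-separated version. Applied in series order it either conflicts or silently reverts patch 54, so drop this commit (and resolve the wording once, per the comment on patch 54).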
@@ -36,7 +36,7 @@ Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded - It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. 
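Review bot: The changed line still carries a number mismatch in "Mount points are an NTFS object that is used to provide an entry point to other volumes"; since the whole sentence is being rewritten anyway, make it "Mount points are NTFS objects that provide an entry point to other volumes." The "don''t" to "don't" fix is correct.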
@@ -202,4 +202,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. - From 53344faa94016544a05f7cc46612cebc61b8c942 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:18:35 -0600 Subject: [PATCH 59/65] Update windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 36: Replace hyphen with emdash and add period. --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ecd80d741d..a20558db31 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -33,7 +33,7 @@ Volumes within a cluster are managed with the help of BitLocker based on how the Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool +- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. From 8f1602a8f9ec8f9ec0b8051345aecf57accf4f01 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Tue, 18 Oct 2022 14:33:07 -0700 Subject: [PATCH 60/65] 37747389 - Changing max file version of LIBNICM driver --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 60c69d5e81..42ad4cc7e2 100644 
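Review bot: the rewritten first bullet `- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool.` still has two problems: the comma after `done` splits the inverted clause (it should read `only after this task is done can the volumes be added`), and `It` disagrees with the plural subject of the lead-in `The volumes that are designated for a cluster must do the following tasks:`, as does the unchanged second bullet `- It must put the resource into maintenance mode before BitLocker operations are completed.` Suggest imperative bullets for both, e.g. `- Turn on BitLocker. Only after this is done can the volumes be added to the storage pool.` and `- Put the resource into maintenance mode before BitLocker operations are completed.`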
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -769,7 +769,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + From b6a2c50d732534ce2a634fb4d901b2bebf80ad97 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:55:54 -0600 Subject: [PATCH 61/65] Apply suggestions from code review Lines 55-58: Separate lines in step items. --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a20558db31..8a767976cc 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -53,8 +53,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 1. Clear key 2. Driver-based auto-unlock key 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key > [!NOTE] From 470dbff85cef133da0e34c715ffeda79435e2dd2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 19 Oct 2022 15:09:07 +0530 Subject: [PATCH 62/65] Update essential-services-and-connected-experiences.md --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
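Review bot: in the hello-protector list hunk, the added sub-items `+ a. Service context protector` and `+ b. User protector` carry at most one leading space, so they are not nested under `3. **ADAccountOrGroup** protector`; lettered `a.`/`b.` markers are not list syntax in Markdown and will render as plain paragraphs, and the added blank line before `4. Registry-based auto-unlock key` then risks the renderer restarting the numbering at 1. Suggest indenting both sub-items by three or four spaces so they sit inside item 3, dropping the extra blank line, and using nested `1.` markers if the renderer does not support lettered lists.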
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index cac24b1acb..70a53c988b 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) | ## Windows connected experiences From 1c6dfd795ac57334d9a9e3531c507b351a3f640f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 19 Oct 2022 15:15:51 +0530 Subject: [PATCH 63/65] Update essential-services-and-connected-experiences.md --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 70a53c988b..cac24b1acb 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | ## Windows connected experiences From 0d506dc8909fbf18f3e85471f0fa6d70f8b743ba Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 09:26:54 -0400 Subject: [PATCH 64/65] removed #preview --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index e48d058b7b..a50d39c2dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
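Review bot: this hunk undoes the preceding commit in the same series (PATCH 62/65 changed the MDM link from `../client-management/mdm-overview` to `../client-management/mdm-overview.md#mobile-device-management-overview`; this one changes it back), so the series has no net effect on that table cell. Either squash the pair out of the series, or, if the anchored `.md#...` form was wrong, record why in the commit message, which currently reads only `Update essential-services-and-connected-experiences.md`.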
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md). +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](./hello-hybrid-cloud-kerberos-trust.md). The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
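Review bot: dropping `(Preview)` from the link text changes the feature status the NOTE communicates, so the commit should say that the target `hello-hybrid-cloud-kerberos-trust.md` has itself shed the preview label; the one-line subject `removed #preview` does not record that. While the NOTE is being touched, the misplaced comma in `introduced a new trust model called cloud Kerberos trust, in early 2022` should also go, e.g. `introduced a new trust model, cloud Kerberos trust, in early 2022`.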
From b916f21df9e9f506c14bf4e5d21a2f80377508c7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 09:37:08 -0400 Subject: [PATCH 65/65] [EDU] Metadata updates to docfx --- education/docfx.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/docfx.json b/education/docfx.json index e6749db811..df077d1783 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -30,8 +30,8 @@ "recommendations": true, "ms.topic": "article", "ms.collection": "education", - "ms.prod": "windows", - "ms.technology": "windows", + "ms.prod": "windows-client", + "ms.technology": "itpro-edu", "author": "paolomatarazzo", "ms.author": "paoloma", "manager": "aaroncz",
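Review bot: `ms.prod` and `ms.technology` are taxonomy-controlled values, and the commit message `[EDU] Metadata updates to docfx` does not say which taxonomy change motivates `windows` -> `windows-client` and `windows` -> `itpro-edu`; add the work item or taxonomy reference so the new values can be checked against the allowed set. Also confirm that no article under `education/` still sets `ms.prod: windows` in its own front matter, since per-file metadata overrides the docfx.json globals and those pages would otherwise keep the old value.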