deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-10-31 12:20:37 -04:00
parent 3ca04eca1e
commit bd2ea23b46
1 changed files with 5 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
View File

@ -120,22 +120,16 @@ The benefit of using a DRA over password or key recovery is that the DRA acts as
To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
1. If a key usage attribute is present, it must be one of the following:
- `CERT_DATA_ENCIPHERMENT_KEY_USAGE`
- `CERT_KEY_AGREEMENT_KEY_USAGE`
- `CERT_KEY_ENCIPHERMENT_KEY_USAGE`
1. If an enhanced key usage (EKU) attribute is present, it must be one of the following:
1. If a key usage attribute is present, it must be one of the following:
- `CERT_DATA_ENCIPHERMENT_KEY_USAGE`
- `CERT_KEY_AGREEMENT_KEY_USAGE`
- `CERT_KEY_ENCIPHERMENT_KEY_USAGE`
1. If an enhanced key usage (EKU) attribute is present, it must be one of the following:
- As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1`
- Any EKU object identifier supported by your certification authority (CA)
1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption**
1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device
1. Configure the following policy settings to allow recovery using a DRA for each drive type:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)