From ed0f1ab083e42d911648e0ae1adefe275109c803 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 19 Oct 2023 15:33:03 -0400 Subject: [PATCH] operations guide --- .../data-protection/bitlocker/index.md | 8 ++- .../bitlocker/manage-recovery-passwords.md | 16 ++++++ .../bitlocker/planning-guide.md | 2 +- .../bitlocker/preboot-recovery-screen.md | 2 +- .../bitlocker/recovery-guide-repair-tool.md | 57 ++++++++++--------- .../bitlocker/recovery-guide.md | 17 ++---- 6 files changed, 59 insertions(+), 43 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index 186b5afa68..9e748adad7 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md 
@@ -101,6 +101,11 @@ Unlike a standard BitLocker implementation, device encryption is enabled automat - If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials - If a device uses only local accounts, then it remains unprotected even though the data is encrypted +> [!IMPORTANT] +> Device encryption uses the `XTS-AES 128-bit` encryption method, by default. In case you configure a policy setting to use a different encryption method, you can use the Enrollment Status Page to avoid the device to begin encryption with the default method. BitLocker has a logic that doesn't start encrypting until the end of OOBE, after the Enrollment Status Page device configuration phase is complete. This logic gives a device enough time to receive the BitLocker policy settings before starting encryption. +> +> If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device is decrypted, you can apply different BitLocker settings. + If a device doesn't initially qualify for device encryption, but then a change is made that causes the device to qualify (for example, turn *Secure Boot* on), device encryption enables BitLocker automatically as soon as it detects it (unless device encryption is disabled). You can check whether a device meets requirements for device encryption in the System Information app (`msinfo32.exe`). 
If the device meets the requirements, System Information shows a line that reads: @@ -109,9 +114,6 @@ You can check whether a device meets requirements for device encryption in the S |-|-| |Device Encryption Support | Meets prerequisites| -> [!NOTE] -> Device encryption uses the `XTS-AES 128-bit` encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device is decrypted, you can apply different BitLocker settings. - ### Difference between BitLocker and device encryption - Device encryption turns on BitLocker automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account diff --git a/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords.md b/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords.md index f3c545e4ed..ef155dc0fc 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords.md 
@@ -98,3 +98,19 @@ The following procedures describe the most common tasks performed by using the B 1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password** 1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search** 1. Once the recovery password is located, you can use the previous procedure to copy it + + +## Rotate keys + +>[!TIP] +> For Microsoft Entra joined devices, the recovery password should be stored in Microsoft Entra ID +> For Active Directoy domain-joined devices, including servers, the recovery password should be stored in AD DS + +SCCM rotate keys: /mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys +Intune rotate keys: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys + +Prerequisites: + +Client-driven recovery password rotation to Enable rotation on Azure AD-joined devices or Enable rotation on Azure AD and Hybrid-joined devices +Save BitLocker recovery information to Azure Active Directory to Enabled +Store recovery information in Azure Active Directory before enabling BitLocker to Required diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md index de4112b87f..a9c2428505 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md 
@@ -171,7 +171,7 @@ BitLocker integrates with Microsoft Entra ID and Active Directory Domain Service The following recovery data is saved for each computer object: - *Recovery password*: a 48-digit recovery password used to recover a BitLocker-protected volume. Users must enter this password to unlock a volume when BitLocker enters recovery mode -- *Key package data*: with the key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID +- *Key package*: with the key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID ## FIPS support for recovery password protector diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md index 5bc7fa6aee..ec0e96e988 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md @@ -5,7 +5,7 @@ ms.collection: - highpri - tier1 ms.topic: concept-article -ms.date: 10/11/2023 +ms.date: 10/19/2023 --- # BitLocker preboot recovery screen diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md index 0508673a83..cc4a140187 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide-repair-tool.md 
@@ -8,56 +8,59 @@ ms.topic: how-to ms.date: 09/29/2023 --- -# Repair tool -Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. +## BitLocker key package -### BitLocker key package +The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** policy setting must be selected in the policy that controls the recovery method. The key package can also be exported from a working volume. -If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password. +If recovery information is not backed up to AD DS, or if you want to save a key package in an alternative location, use the following command to generate a key package for a volume: + + ``` cmd +manage-bde.exe -KeyPackage C: -id -path +``` + +A file with a `.kpg` extension is created in the specified path. > [!NOTE] -> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package. +> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume. -The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. 
The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieve-the-bitlocker-key-package). -## Retrieve the BitLocker key package -Two methods can be used to retrieve the key package as described in Using Additional Recovery Information: +## BitLocker Repair tool -Export a previously saved key package from AD DS. Read access is required to BitLocker recovery passwords that are stored in AD DS. +If the recovery methods discussed earlier in this document don't unlock the volume, the *BitLocker Repair tool* (`repair-bde.exe`) can be used to decrypt the volume at the block level. The tool uses the *BitLocker key package* to help recover encrypted data from severely damaged drives. -Export a new key package from an unlocked, BitLocker-protected volume. Local administrator access to the working volume is required before any damage occurred to the volume. +> [!IMPORTANT] +> The *BitLocker key package* can be stored in Active Directory Domain Services (AD DS), not in Microsoft Entra ID. - strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword") - strKeyPackage = objFveInfo.Get("msFVE-KeyPackage") +The recovered data can then be used to salvage encrypted data, even if the correct recovery password fails to unlock the damaged volume. It's recommended to still save the recovery password, as a key package can't be used without the corresponding recovery password. -### Repair tool +### Retrieve the BitLocker key package -The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. 
With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier +To export a previously saved key package from AD DS, it's required to have read access to the BitLocker recovery passwords and key packages that are stored in AD DS. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). -> [!TIP] -> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume: -> -> `manage-bde.exe -KeyPackage` +To learn more about the BitLocker attributes stored in AD DS, review the following articles: -The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions: +- [ms-FVE-KeyPackage attribute](/windows/win32/adschema/a-msfve-keypackage) +- [ms-FVE-RecoveryPassword attribute](/windows/win32/adschema/a-msfve-recoverypassword) -- The drive is encrypted using BitLocker Drive Encryption -- Windows doesn't start, or the BitLocker recovery console can't start +## BitLocker Repair tool + +The Repair Tool can reconstruct critical parts of a drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. 
+ +Use the Repair tool in the following conditions: + +- The drive is encrypted using BitLocker +- Windows doesn't start, or the BitLocker recovery screen doesn't start - There isn't a backup copy of the data that is contained on the encrypted drive > [!NOTE] -> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> Damage to the drive may not be related to BitLocker. Therefore, it's recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides more options to repair Windows. The following limitations exist for Repair-bde: -- it can't repair a drive that failed during the encryption or decryption process +- it can't repair a drive that failed *during* the encryption or decryption process - it assumes that if the drive has any encryption, then the drive is fully encrypted For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). - diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md index bb17d3945d..a53aaf502b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md 
@@ -14,10 +14,12 @@ This article describes how to recover BitLocker keys from Microsoft Entra ID and ## What is BitLocker recovery? -BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available: +BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism. -- The user can supply a *recovery password*: if the organization allows users to print or store recovery passwords, the users can enter the 48-digit recovery password -- *Data recovery agents* can use their credentials to unlock the drive: if the drive is an operating system drive, the drive must be mounted as a data drive on another device for the data recovery agent to unlock it +In a recovery scenario, the following options to restore access to the drive may be available: + +- The user can supply a *recovery password*, if available. A recovery password must be allowed by policy settings, so that users can print or save it. The recovery password is a 48-digit string +- *Data recovery agents* can use their credentials to unlock the drive, if configured.If the drive is an operating system drive, the drive must be mounted as a data drive on another device for the data recovery agent to unlock it - An administrator can obtain the *recovery password* from Microsoft Entra ID or AD DS and use it to unlock the drive. Storing recovery passwords in Microsoft Entra ID or AD DS is recommended to provide a way to obtain recovery passwords for drives in an organization if needed. 
This method requires to enable the policy settings: - [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) - [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) 
@@ -37,28 +39,21 @@ The following list provides examples of common events that causes BitLocker to e - Turning off, disabling, deactivating, or clearing the TPM - Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade - Forgetting the PIN when PIN authentication has been enabled -- Updating option ROM firmware - Upgrading TPM firmware - Adding or removing hardware - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer -- Changes to the master boot record on the disk - Changes to the boot manager on the disk - Hiding the TPM from the operating system -- Using a different keyboard that doesn't correctly enter the PIN -- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile - Moving the BitLocker-protected drive into a new computer - Upgrading the motherboard to a new one with a new TPM -- Losing the USB flash drive containing the startup key when startup key authentication has been enabled - Failing the TPM self-test -- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode - Changing the usage authorization for the storage root key of the TPM to a non-zero value > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. 
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr) -- Pressing the F8 or F10 key during the boot process -- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive > [!NOTE]
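Review bot: In the new `[!IMPORTANT]` block in index.md, the second sentence is ungrammatical and the third is wordy. "you can use the Enrollment Status Page to avoid the device to begin encryption with the default method" should read "to prevent the device from beginning encryption with the default method", and "BitLocker has a logic that doesn't start encrypting until the end of OOBE" can simply be "BitLocker doesn't start encrypting until the end of OOBE". The second paragraph of the note still states unconditionally that an already-encrypted device must be decrypted first, which is correct but now sits right after advice on how to avoid that situation; a lead-in such as "If the device was already encrypted with the default method and a different encryption method ... is needed" would tie the two paragraphs together.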
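Review bot: The new "## Rotate keys" section in manage-recovery-passwords.md reads as unfinished notes rather than documentation. The two reference lines ("SCCM rotate keys: /mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys" and the Intune one) are bare paths instead of Markdown links, and the three prerequisites are run-on sentences that fuse the policy name with its required value, e.g. "Save BitLocker recovery information to Azure Active Directory to Enabled". Suggest a bullet list in the form `- **Save BitLocker recovery information to Azure Active Directory**: Enabled`, wrapping the two references as links, and using the "Microsoft Entra" naming the rest of the page uses except where a policy name is quoted verbatim. In the `[!TIP]` block, fix "Active Directoy" and end the first line with a period or a trailing line break; as written the two `>` lines render as one run-on sentence.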
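Review bot: The restructured recovery-guide-repair-tool.md ends up with two identical `## BitLocker Repair tool` H2 headings (one introducing `repair-bde.exe` ahead of "### Retrieve the BitLocker key package", a second ahead of "The Repair Tool can reconstruct critical parts of a drive"), which yields duplicate anchors and a confusing TOC; make the second a `###` subsection (for example "### Use the Repair tool") or merge the two. The hunk also removes the only H1 (`# Repair tool`) without a replacement, so the body now starts at H2. In the example `manage-bde.exe -KeyPackage C: -id -path`, both `-id` and `-path` lack their arguments; add placeholders such as `-id <KeyProtectorID> -path <FolderPath>` and say where the ID is obtained. The opening fence is indented and written as ` ``` cmd` while the closing fence is flush left, which can break rendering; align both and use ```` ```cmd ````. Typos: "occurrs" should be "occurs", and "the BitLocker metadata data on the drive" (carried over from the old text) should be "the BitLocker metadata on the drive". Finally, `ms.date: 09/29/2023` in this file is left unchanged despite the rewrite, while preboot-recovery-screen.md gets bumped to 10/19/2023 with no content change; the dates look swapped.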
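Review bot: In the recovery-guide.md "What is BitLocker recovery?" hunk, "if configured.If the drive" is missing a space after the period. The rewritten first bullet also leaves "The recovery password is a 48-digit string" as a dangling fragment after two other sentences; a single sentence such as "The user can supply the 48-digit *recovery password*, if policy settings allow users to print or save it" reads more cleanly and keeps the fact in one place.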
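Review bot: The second recovery-guide.md hunk drops eight entries from the list of events that cause BitLocker to enter recovery without any explanation in the commit message, and several of them remain valid causes: "Losing the USB flash drive containing the startup key when startup key authentication has been enabled" is the normal failure mode for the startup-key protector, and "Updating option ROM firmware" and "Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards" alter measured boot components in the same way as the retained "Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade". If the intent is to prune legacy BIOS items ("Changes to the master boot record on the disk", "Pressing the F8 or F10 key during the boot process"), state that in the commit message, which currently reads only "operations guide", and keep the entries that still apply to UEFI and TPM systems; the removed paragraph about non-compliant BIOS, UEFI, or option ROM components also explained why such changes trigger recovery and is worth retaining in some form.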