diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md index ecc9f64823..6eac3ac628 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md @@ -1,6 +1,6 @@ --- title: Protect cluster shared volumes and storage area networks with BitLocker -description: Learn how to how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker. +description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker. ms.topic: how-to ms.date: 10/30/2023 appliesto: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml index 597916975d..3973bbbe52 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml 
@@ -295,7 +295,7 @@ sections: answer: | If BitLocker is enabled on a drive before policy settings are applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when the policy settings are subsequently applied. However, the policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS. - For more information how to backup the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md). + For more information how to back up the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md). > [!IMPORTANT] > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled with policy settings). diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md index 0c01ec789f..6b2a94a216 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md 
@@ -12,8 +12,8 @@ With this policy you can configure a numeric recovery password rotation upon use Possible values are: - `0`: numeric recovery password rotation is turned off -- `1`: numeric recovery password rotation upon use is *on* for Microsoft Entra joined devices joined devices. This is also the default value -- `2`: numeric recovery password rotation upon use is *on* for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices +- `1`: numeric recovery password rotation upon use is *on* for Microsoft Entra–joined devices. This is also the default value +- `2`: numeric recovery password rotation upon use is *on* for both Microsoft Entra–joined devices and Microsoft Entra hybrid joined devices > [!NOTE] > The Policy is effective only when Micropsoft Entra ID or Active Directory backup for recovery password is configured to *required* diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md index d8d9c185d5..26f07df41c 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md 
@@ -9,7 +9,7 @@ ms.topic: include This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. -- When enabled , the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. +- When enabled, the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. - When disabled or not configured, the TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md index 31d79ef163..dc9d8d2b23 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md 
@@ -9,20 +9,20 @@ ms.date: 10/30/2023 # BitLocker operations guide -There are differnt tools and options to manage and operate BitLocker: +There are different tools and options to manage and operate BitLocker: - the BitLocker PowerShell module - the BitLocker drive encryption tools - Control Panel -The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They are appropriate to use for automated deployments and other scripting scenarios.\ +The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They're appropriate to use for automated deployments and other scripting scenarios.\ The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks. This article describes the BitLocker management tools and how to use them, providing practical examples. ## BitLocker PowerShell module -The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, che the [BitLocker PowerShell reference article](/powershell/module/bitlocker). +The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article](/powershell/module/bitlocker). ## BitLocker drive encryption tools 
@@ -108,7 +108,7 @@ Checking BitLocker status with the Control Panel is a common method used by most | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the Control Panel, PowerShell or `manage-bde.exe` tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the Control Panel, PowerShell or `manage-bde.exe` to add an appropriate key protector. Once complete, the Control Panel updates to reflect the new status. --- @@ -135,7 +135,7 @@ From the **BitLocker Drive Encryption** Control Panel applet: 1. Expand the OS drive and select the option **Turn on BitLocker** 1. When prompted, select the option **Let BitLocker automatically unlock my drive** -1. Backup the *recovery key* using one of the following methods: +1. Back up the *recovery key* using one of the following methods: - **Save to your Microsoft Entra ID account** or **Microsoft Account** (if applicable) - **Save to a USB flash drive** 
@@ -143,7 +143,7 @@ From the **BitLocker Drive Encryption** Control Panel applet: - **Print the recovery key** 1. Select **Next** -1. Chose one of the options to **encrypt used disk space only** or **encrypt entire drive** and select **Next** +1. Choose one of the options to **encrypt used disk space only** or **encrypt entire drive** and select **Next** - **Encrypt used disk space only** - Encrypts only disk space that contains data - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption @@ -209,7 +209,7 @@ If prompted, reboot the computer to complete the encryption process. #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -The Control Panel applet doesn't allow to enable BitLocker and add a startup key protector at the same time. To add a startup key protector, follow these steps: +The Control Panel applet doesn't allow enabling BitLocker and adding a startup key protector at the same time. To add a startup key protector, follow these steps: - From the **BitLocker Drive Encryption** Control Panel applet, under the OS drive, select the option **Change how drive is unlocked at startup** - When prompted, select the option **Insert a USB flash drive** @@ -269,9 +269,9 @@ Encrypting data volumes using the BitLocker Control Panel works in a similar fas ## Manage BitLocker protectors -The management of BitLocker protectors consist in adding, removing, and backing up protectors. +The management of BitLocker protectors consists in adding, removing, and backing up protectors. -Follow the instructions below manage BitLocker protectors, selecting the option that best suits your needs. +Managed BitLocker protectors by using the following instructions, selecting the option that best suits your needs. ### List protectors 
@@ -291,7 +291,7 @@ The list of protectors available for a volume (`C:` in the example) can be liste #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -This information is not available in the Control Panel. +This information isn't available in the Control Panel. --- @@ -384,7 +384,7 @@ manage-bde.exe -protectors -add -sid #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -This option is not available in the Control Panel. +This option isn't available in the Control Panel. --- @@ -438,7 +438,7 @@ From the **BitLocker Drive Encryption** Control Panel applet, expand the drive w Some configuration changes may require to suspend BitLocker and then resume it after the change is applied. -Follow the instructions below to suspend and resume BitLocker, selecting the option that best suits your needs. +Suspend and resume BitLocker by using the following instructions, selecting the option that best suits your needs. ### Suspend BitLocker @@ -484,7 +484,7 @@ From the **BitLocker Drive Encryption** Control Panel applet, select the OS driv ## Reset and backup a recovery password -It's recommended to invalidate a recovery password after its use. In this example the recovery password protector is removed from the OS drive, a new protector added, and backed up to Microsoft Entra ID or Active Direcroty. +It's recommended to invalidate a recovery password after its use. In this example the recovery password protector is removed from the OS drive, a new protector added, and backed up to Microsoft Entra ID or Active Directory. #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) 
@@ -513,13 +513,13 @@ Obtain the ID of the new recovery password: Copy the ID of the recovery password from the output. -Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to backup the recovery password to Microsoft Entra ID: +Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to back up the recovery password to Microsoft Entra ID: ```PowerShell BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}" ``` -Or use the following command to backup the recovery password to Active Directory: +Or use the following command to back up the recovery password to Active Directory: ```PowerShell Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}" @@ -551,13 +551,13 @@ manage-bde.exe -protectors -get C: -Type RecoveryPassword > [!NOTE] >This following steps are not required if the policy setting [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) is configured to **Require BitLocker backup to AD DS**. -Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to backup the recovery password to Microsoft Entra ID: +Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to back up the recovery password to Microsoft Entra ID: ```cmd manage-bde.exe -protectors -aadbackup C: -id {ID} ``` -Or use the following command to backup the recovery password to Active Directory: +Or use the following command to back up the recovery password to Active Directory: ```cmd manage-bde.exe -protectors -adbackup C: -id {ID} 
@@ -576,11 +576,11 @@ This process can't be accomplished using the Control Panel. Use one of the other Disabling BitLocker decrypts and removes any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step. -Follow the instructions below to disable BitLocker, selecting the option that best suits your needs. +Disable BitLocker by using the following instructions, selecting the option that best suits your needs. #### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the following example, the user has three encrypted volumes, which they wish to decrypt. Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md index 93a6b1659a..8622cd6346 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md 
@@ -7,7 +7,7 @@ ms.date: 10/30/2023 # BitLocker planning guide -A BitLocker deployment strategy includes definining the appropriate policies and configuration requirements based on your organization's security requirements. This article helps collecting the information to assist with a BitLocker deployment. +A BitLocker deployment strategy includes defining the appropriate policies and configuration requirements based on your organization's security requirements. This article helps collecting the information to assist with a BitLocker deployment. ## Audit the environment @@ -40,7 +40,7 @@ The TPM is able to securely protect the BitLocker encryption key while it is at ### BitLocker key protectors -To protect the BitLocker encryption key, BitLocker can use different types of *protectors*. When enabling BitLocker, each protector receives a copy of the *Volume Master Key*, which is then encrypted using its own machanism. +To protect the BitLocker encryption key, BitLocker can use different types of *protectors*. When enabling BitLocker, each protector receives a copy of the *Volume Master Key*, which is then encrypted by using its own mechanism. | Key protector | Description | |--|--| @@ -189,7 +189,7 @@ For more information about how to configure Network unlock feature, see [Network ## BitLocker recovery -Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when it comes to implement a BitLocker recovery model, which are described in the [BitLocker recovery overview](recovery-overview.md). +Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when implementing a BitLocker recovery model, which are described in [BitLocker recovery overview](recovery-overview.md). ## Monitor BitLocker 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index 7f7dba7564..e21bdcd46a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md @@ -12,7 +12,7 @@ ms.date: 10/30/2023 If a device or drive fails to unlock using the configured BitLocker mechanism, users may be able to self-recover it. If self-recovery isn't an option, or the user is unsure how to proceed, the helpdesk should have procedures in place to retrieve recovery information quickly and securely. -This article outlines the process of obtaining BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices. It's assumed that the reader is already familiar with configuring devices to automatically backup BitLocker recovery information, and the available BitLocker recovery options. For more information, see the [BitLocker recovery overview](recovery-overview.md) article. +This article outlines the process of obtaining BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices. It's assumed that the reader is already familiar with configuring devices to automatically back up BitLocker recovery information, and the available BitLocker recovery options. For more information, see the [BitLocker recovery overview](recovery-overview.md) article. ## Self-recovery
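Review bot: in the faq.yml hunk (`@@ -295,7 +295,7 @@`), the rewritten line `+ For more information how to back up the recovery password to AD DS or Microsoft Entra ID, ...` fixes `backup` but still lacks the preposition after "information"; suggest `For more information about how to back up the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md).`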
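Review bot: in the configure-recovery-password-rotation.md hunk (`@@ -12,8 +12,8 @@`), the added lines introduce an en dash in `Microsoft Entra–joined devices`, but the same line keeps `Microsoft Entra hybrid joined devices` unhyphenated and the recovery-process.md hunk in this same patch keeps `Microsoft Entra joined, Microsoft Entra hybrid joined`; use one form across the docset, and the plain `Microsoft Entra joined devices` matches the other files. The trailing context line `> The Policy is effective only when Micropsoft Entra ID or Active Directory backup for recovery password is configured to *required*` still carries the `Micropsoft` typo and a capitalised `Policy`; worth fixing while this include is already being edited.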
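Review bot: in the operations-guide.md hunk starting `@@ -269,9 +269,9 @@`, the new line `+Managed BitLocker protectors by using the following instructions, selecting the option that best suits your needs.` has a typo in the verb; it should be the imperative `Manage BitLocker protectors by using the following instructions, selecting the option that best suits your needs.`, matching the form used by the `@@ -438` and `@@ -576` hunks (`Suspend and resume BitLocker by using ...`, `Disable BitLocker by using ...`). In the same hunk, `+The management of BitLocker protectors consists in adding, removing, and backing up protectors.` reads better as `consists of adding, removing, and backing up protectors`.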
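Review bot: in the operations-guide.md hunk `@@ -438,7 +438,7 @@`, the unchanged context line `Some configuration changes may require to suspend BitLocker and then resume it after the change is applied.` uses the same "require to <verb>" construction that the `@@ -209` hunk fixes (`doesn't allow to enable` becomes `doesn't allow enabling`); suggest `Some configuration changes may require suspending BitLocker and then resuming it after the change is applied.`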
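Review bot: in the operations-guide.md hunk `@@ -551,13 +551,13 @@`, the context line `>This following steps are not required if the policy setting ...` has a subject/verb mismatch and no space after the blockquote marker; suggest `> The following steps aren't required if the policy setting ...`, which also matches the `isn't` contractions this patch applies elsewhere in the file.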
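Review bot: in the operations-guide.md hunk `@@ -576,11 +576,11 @@`, the context line `Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands.` leaves the cmdlet name in plain text, while `manage-bde.exe` is in code font elsewhere in the file; suggest `` Using the `Disable-BitLocker` cmdlet, ... ``.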
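Review bot: in the planning-guide.md hunk `@@ -7,7 +7,7 @@`, the edited line fixes `definining` but keeps the ungrammatical second sentence `This article helps collecting the information to assist with a BitLocker deployment.`; since the line is already being rewritten, suggest `This article helps collect the information needed to plan a BitLocker deployment.`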