deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 03:13:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

operations guide

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-10-20 15:21:34 -04:00
parent 463f13f12c
commit f6a39582df
2 changed files with 31 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
View File

@ -43,19 +43,19 @@ To protect the BitLocker encryption key, BitLocker can use different types of *p
| Key protector | Description |
|--|--|
| **Auto-unlock** | Used to automatically unlock volumes that do not host an operating system. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. |
| **Auto-unlock** | Used to automatically unlock volumes that don't host an operating system. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. |
| **Password** and **Password for OS drive**| To unlock a drive, the user must supply a password. When used for OS drives, the user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic, therefore it doesn't protect against brute force attacks. |
| **Startup key** | An encryption key that can be stored on removable media, with a file name format of `<protector_id>.bek`. The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device. |
| Smart card certificate | Used to unlock volumes that do not host an operating system. To unlock a drive, the user must use a smart card. |
| **Smart card certificate** | Used to unlock volumes that do not host an operating system. To unlock a drive, the user must use a smart card. |
| **TPM** | A hardware device used to help establish a secure root-of-trust, validating early boot components. The TPM protector can only be used with the OS drive. |
| **TPM + PIN** | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable. |
| **TPM + Startup key** | The TPM successfully validates early boot components. The user must insert a USB drive containing the startup key before the OS can boot. |
| **TPM + Startup key + PIN** | The TPM successfully validates early boot components. The user must enter the correct PIN and insert a USB drive containing the startup key before the OS can boot. |
| Recovery password | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. |
| **Recovery password** | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. |
| **TPM + Network Key** | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of OS volumes while maintaining multifactor authentication. This key protector can only be used with OS volumes. |
| **Recovery key** | An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `<protector_id>.bek`. |
| **Data Recovery Agent** | A Data Recovery Agent (DRA) is a certificate-based key protector that can be used to access any BitLocker encrypted drives that is configured with the public key protector. |
| **Active Directory user or group** | A protector that is based on an Active Directory user or group security identified (SID). |
| **Data Recovery Agent** | Data recovery agents (DRA) are Active Directory security principals whose public key infrastructure (PKI) certificates are used as BitLocker key protector. DRAs can use their credentials to unlock drives using the private key of the certificate used as key protector.|
| **Active Directory user or group** | A protector that is based on an Active Directory user or group security identified (SID). Data drives are automatically unlocked when such users attempt to access them. |
#### Support for devices without TPM

28
windows/security/operating-system-security/data-protection/bitlocker/recovery-guide.md
View File

@ -152,7 +152,31 @@ A file with a file name format of `BitLocker Key Package {<id>}.KPG` is created
> [!NOTE]
> To export a new key package from an unlocked, BitLocker-protected volume, local administrator access to the working volume is required before any damage occurrs to the volume.
## Data Recovery Agents
#### Data Recovery Agents
DRAs are useful for help desk scenarios where the help desk can unlock a BitLocker-protected drive by connecting the drive to a device that contains the certificate of a DRA. The DRA protector option must be configured before enabling BitLocker on a drive.
DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.
> [!NOTE]
> DRAs can be published in Active Directory, but not in Microsoft Entra ID.
To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
1. Create a DRA certificate, which must contain the *BitLocker Data Recovery Agent* OID `1.3.6.1.4.1.311.67.1.2` in the EKU extension
1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption**
1. Configure the following policy setting, accourding to your organization's policy: [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization)
1. Configure the following policy settings to allow recovery using a DRA for each drive type:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
## Next steps
> [!div class="nextstepaction"]
> Learn about the process to unlock a BitLocker-protected volume, and suggested practices:
>
> [BitLocker recovery process >](operations-guide.md)
>
> Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status:
>
> [BitLocker recovery process >](operations-guide.md)