![]() In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services and then choose which BitLocker recovery information to store in AD DS. Choose how BitLocker-protected removable drives can be recovered.Choose how BitLocker-protected fixed drives can be recovered.Choose how BitLocker-protected operating system drives can be recovered.The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive: If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs), or automatically back up recovery information. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. Where do you want to store the BitLocker recovery keys?ĭo you want to enable recovery password rotation?Īnswering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. How much do you want users to be involved in the BitLocker configuration process? Do you want users to interact with the process, be silent, or both? ![]() How does the organization perform smart card PIN resets?Īre users allowed to save or retrieve recovery information for the devices that they own? How does the organization handle lost or forgotten passwords? When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For more information, review the article BitLocker preboot recovery screen. It's recommended to configure policy settings to customize the preboot recovery screen, for example by adding a custom message, URL, and help desk contact information. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.īoth the Recovery password and Recovery key can be supplied by users in the Control Panel applet (for data and removable drives), or in the preboot recovery screen. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.įor planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Root cause analysis might help to prevent the problem from occurring again in the future.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |