Reorganization

This commit is contained in:
Teresa-Motiv 2019-09-25 11:18:09 -07:00
parent 90ba97333f
commit 036dc14dac
9 changed files with 227 additions and 126 deletions

View File

@ -30,10 +30,10 @@
#### [BitLocker cannot encrypt a drive--known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md)
#### [BitLocker recovery--known issues](bitlocker\ts-bitlocker-recovery-issues.md)
#### [Enforcing BitLocker policies by using Intune--known issues](bitlocker\ts-bitlocker-intune-issues.md)
#### Troubleshoot BitLocker and TPM issues
#### [BitLocker Network Unlock--known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)#### Troubleshoot BitLocker and TPM issues
##### [BitLocker cannot encrypt a drive--known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md)
##### [BitLocker and TPM--known issues](bitlocker\ts-bitlocker-tpm-issues.md)
##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md)
#### [BitLocker Network Unlock--known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)
## [Encrypted Hard Drive](encrypted-hard-drive.md)
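Review bot: One line of the new TOC has two entries fused together, `#### [BitLocker Network Unlock--known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)#### Troubleshoot BitLocker and TPM issues`; split them so the Network Unlock link and the "Troubleshoot BitLocker and TPM issues" heading each sit on their own line, otherwise the heading text becomes part of the link line and the nested `#####` TPM entries lose their parent. The hunk also shows the Network Unlock entry both above and below the TPM sub-list; confirm that only the new position survives. The new "BitLocker cannot encrypt a drive--known TPM issues" entry uses a double hyphen while that page's H1 uses `&mdash;`; the rest of this commit switches H1s to `&mdash;`, so pick one form for TOC, H1s and cross-links.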

Binary file not shown.


View File

@ -18,12 +18,15 @@ ms.date: 9/19/2019
The following list describes common issues that can occur that prevent BitLocker from encrypting a drive, linked to guidance for addressing the issues.
> [!NOTE]
> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive--known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
<a id="list"></a>
- [Cannot turn on BitLocker encryption on Windows 10 Professional](#scenario-1)
- [Error 0x80310059 when you turn on BitLocker encryption on Windows 10 Professional](#scenario-1)
- ["Access is denied" message when you try to encrypt removable drives](#scenario-2)
## <a id="scenario-1"></a>Cannot turn on BitLocker encryption on Windows 10 Professional
## <a id="scenario-1"></a>Error 0x80310059 when you turn on BitLocker encryption on Windows 10 Professional
When you turn on BitLocker encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
@ -69,7 +72,7 @@ You receive this message on any computer that runs Windows 10 version 1607 or ve
The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
To verify the presence of this issue, follow these steps:
To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated Powershell window.
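Review bot: "Powershell" in the first step should be "PowerShell" (the product name); since the step opens both an elevated Command Prompt and an elevated PowerShell window, each later step should say which of the two the command is typed into.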
@ -107,5 +110,3 @@ To verify the presence of this issue, follow these steps:
The issue should now be resolved.
[Back to list](#list)

View File

@ -0,0 +1,110 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description:
ms.reviewer:
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 9/19/2019
---
# BitLocker cannot encrypt a drive&mdash;known TPM issues
The following list describes common issues that can involve the Trusted Platform Module (TPM) that prevent BitLocker from encrypting a drive, linked to guidance for addressing the issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive--known issues](ts-bitlocker-cannot-encrypt-issues.md).
<a id="list"></a>
- [TPM is locked, message "The TPM is defending against dictionary attacks and is in a time-out period"](#scenario-1)
- [Cannot prepare the TPM, message "The TPM is defending against dictionary attacks and is in a time-out period"](#scenario-2)
- [Cannot prepare the TPM, error 0x80070005 "Insufficient Rights"](#scenario-3)
- [Cannot prepare the TPM, error 0x80072030 "There is no such object on the server"](#scenario-4)
## <a id="scenario-1"></a>TPM is locked, message "The TPM is defending against dictionary attacks and is in a time-out period"
Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
TPM Lockout
### Resolution
open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure BitLocker (we use some scripts, but the GUI is also ok J)
## <a id="scenario-2"></a>Cannot prepare the TPM, getting message "The TPM is defending against dictionary attacks and is in a time-out period"
[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/help/4327939)
This Surface Pro 3 was shipped with Windows 10 and reimaged with Windows 8.1. BitLocker can not be enabled.
The TPM on this computer is currently locked out.
Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker or device encryption
### Resolution
When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we received the error "The TPM is defending against dictionary attacks and is in a time-out period." We rebooted into BIOS, disabled TPM and when we booted into OS, the tpm.msc showed “Compatible Trusted Platform Module (TPM) cannot be found on this computer. verify that this computer has 1.2 TPM and its is turned on in the BIOS “ We then booted into BIOS, enabled the TPM and then we found that it required us to clear the existing TPM keys and rebooted. Now, we were able to successfully prepare the TPM and the TPM state was “ready for use”. Now, we started the encryption on OS drive with TPM protector and the encryption was successful.
[Back to list](#list)
## <a id="scenario-3"></a>Cannot prepare the TPM, error 0x80070005 "Insufficient Rights"
Unable to backup TPM Information to ADDS.
### Cause
Insufficient permissions for SELF on TPM Devices Container.
### Resolution
1. Problem - LDAP trace between client and DC to find cause of ACCESS DENIED error 0x80070005 - 12/20/2016 12:52 AM
Errors seen in the LDAP traces : ldap\_modify call for CN=TestOU,CN=TPM Devices,DC=XYZ,DC=com which is failing with Insufficient Rights.
1. Run following command to identify the TPM Attributes :
Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,msTPM-TPMInformationForComputer TPMTest Is the name of my test computer which has the attribute filled.
1. Provided proper permissions of SELF:
Reference: [https://internal.support.services.microsoft.com/help/4337282](https://internal.support.services.microsoft.com/help/4337282)
[Back to list](#list)
## <a id="scenario-4"></a>Cannot prepare the TPM, Error 0x80072030 "There is no such object on the server"
Reference: [https://internal.support.services.microsoft.com/help/4319021](https://internal.support.services.microsoft.com/help/4319021)
Support Topic: Routing Windows V3\Group Policy\Managing BitLocker configuration through Group Policy
We have already run the adprep as mention when we did a upgrade to our domain a while ago.
We have GPO setup for storing the keys and tpm info as well.
Prepare the TPM gives error:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
### Cause
Add-TPMSelfWriteACE.vbs {available?}
### Resolution
DC: Windows Server 2012 r2. The attributes include ms-TPM-OwnerInformation and msTPM-TpmInformationForComputer are present.
We noticed that he had not added the self-write permissions for the computer objects. So, we downloaded the script Add-TPMSelfWriteACE.vbs and modified the value of strPathToDomain to your domain.Post modification, ran Add-TPMSelfWriteACE.vbs and it ran successfully.We then discovered that the domain and forest functional level are still at 2008 R2 and we wanted to update them first Post updating the domain and forest functional level and setting the required permissions , he confirmed that he was able to successfully back up the TPM information to Active Directory without error : “0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled”.
- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
[Back to list](#list)
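Review bot: The scenario-1 Resolution runs the whole PowerShell procedure together on one line with the reboot steps embedded as dashes; put the commands in a fenced ```powershell block and the reboot, F12 confirmation and retry steps in a numbered list, for example
$Tpm = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if ($ConfirmationStatus -ne 4) { $Tpm.SetPhysicalPresenceRequest(22) }
and state plainly that physical presence operation 22 includes a TPM clear, so existing TPM key protectors are invalidated and the BitLocker recovery key must be backed up before it is run. The `\_` and `\\` escapes in `Win32\_Tpm` and `root\\CIMv2\\Security\\MicrosoftTpm` are markdown escapes and would be wrong inside a code fence. Several other items in the new file are raw case notes rather than public guidance: the internal.support.services.microsoft.com links, the "(we use some scripts, but the GUI is also ok J)" aside, the "Classification Path" line, the "{available?}" placeholder under the scenario-4 Cause, and the dated "Problem - LDAP trace ... 12/20/2016 12:52 AM" step. In scenario 3 the command `Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table ...` has a list marker spliced into it; the parameter is `-Properties` with the attribute name being inspected as its value, and the sentence explaining that TPMTest is a test computer belongs outside the command. The scenario-2 list entry and its heading also differ ("message" versus "getting message"), and scenario 2 is the only one without a Cause heading.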

View File

@ -1,7 +1,7 @@
---
title: BitLocker configuration known issues
description:
ms.reviewer:
ms.reviewer: kaushika
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
@ -11,11 +11,13 @@ manager: kaushika
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 9/19/2019
ms.date: 9/25/2019
---
# BitLocker configuration&mdash;known issues
The following list describes common issues that involve your BitLocker configuration and BitLocker's general functionality, linked to guidance for addressing the issues.
<a id="list"></a>
- [In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7](#scenario-1)

View File

@ -22,10 +22,12 @@ On the portal, you should see the BitLocker encryption failing as shown here:
![](./images/4509189_en_1.png)
Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **BitLocker API**.
Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **BitLocker API**. In addition, check your BitLocker policy settings as described in [Reviewing BitLocker policy](#prelim).
The following sections provide more information about resolving the following events and error messages:
<a id="list"></a>
- [Event ID 853: TPM not available](#issue-1)
- [Event ID 853: Bootable media detected](#issue-2)
- [Event ID 854: WinRE not configured](#issue-3)
@ -36,6 +38,57 @@ The following sections provide more information about resolving the following ev
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## <a id="prelim"></a>Reviewing BitLocker policy
When troubleshooting BitLocker policy enforcement issues, start by reading the following KB: [4502023](https://internal.support.services.microsoft.com/en-us/help/4502023) - Intune: Requirements for automatic Bitlocker encryption during AAD join (<https://internal.support.services.microsoft.com/en-us/help/4502023>)
Continue below for additional information and troubleshooting tips.
BitLocker enforcement on the end device can be of three types:
- Automatic (during AADJ for Windows v 1703+) [I sent this in my previous email]
- Silent (Endpoint protection policy for Windows v 1803+)
- Interactive (Endpoint policy for pre Windows v 1803)
If your device supports modern Standby (Instant Go) and is HSTI compliant, AADJ will trigger automatic device encryption for Windows version 1703 and above. This does not requires the admin to enforce/deploy an endpoint protection policy.
If your device is HSTI compliant but does not supports modern Standby (Instant Go), you would require an endpoint protection policy to enforce silent Bitlocker encryption. Below settings allow for the same.
![](./images/4509186_en_1.png)
The OMA-URI reference for the above settings:
- OMA-URI: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
Value Type: Integer
Value: 1  (1 = Require, 0 = Not Configured)
- OMA-URI: ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
Value Type: Integer
Value: 0 (0 = Blocked, 1 = Allowed)
> [!NOTE]
> If the setting **Waiting for other disk encryption** is set to **Not configured**, then user receives the toast notification and enabling the encryption would require user interaction to go through the BitLocker activation guide.
![](./images/4509187_en_1.png)
If your device does not supports modern Standby but is HSTI compliant, for pre Windows v 1803, an endpoint protection policy with the above settings will deliver the policy to the device but user will need to manually enable Bitlocker encryption by clicking on the toast notification as received and going through the Bitlocker activation guide.
For Autopilot devices, from 1803 and above, automatic device encryption is supported for standard users vide the settings made available in UI with 1901 Intune release as below. System requirement still remains same as above (HSTI compliant and support for modern Standby)
![](./images/4509188_en_1.png)
The OMA-URI reference for the above settings:
- OMA-URI: ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Value Type: Integer
Value: 1
> [!NOTE]
> This node works in tandem with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** node. As such when you have **RequireDeviceEncryption** set to **1**, **AllowStandardUserEncryption** set to **1** and **AllowWarningForOtherDiskEncryption** set to **0**, this allows silent Bitlocker encryption for Autopilot devices with standard user profiles.
With update to the Bitlocker Policy CSP, starting with Windows version 1809 and above, the endpoint protection policy can enable silent Bitlocker encryption on the end device even if the device is non-HSTI compliant.
[Back to list](#list)
## <a id="issue-1"></a>Event ID 853: TPM not available
![](./images/4509190_en_1.png)
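Review bot: In both OMA-URI lists the "Value Type:" and "Value:" lines are not indented under their "- OMA-URI:" bullet, so they render as separate paragraphs that close the list; indent them (or make them sub-bullets) under each bullet. The section also carries residue from its source: "[I sent this in my previous email]" on the "Automatic" bullet, the internal KB link in the opening paragraph, and "vide the settings made available in UI". Grammar to fix while here: "does not requires", "does not supports" (twice), "Below settings allow for the same", and "modern Standby" should be "Modern Standby" throughout.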

View File

@ -1,7 +1,7 @@
---
title: BitLocker Network Unlock known issues
description:
ms.reviewer:
ms.reviewer: kaushika
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
@ -11,15 +11,20 @@ manager: kaushika
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 9/19/2019
ms.date: 9/25/2019
---
# BitLocker Network Unlock--known issues
Use BitLocker without entering a PIN at startup
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN for each computer when it starts up. Your environment must have the following configuration:
The most recommended way would be to use the “Network Unlock” feature using which the device could be unlocked remotely without user intervention.
- The computers must belong to a domain
- The computers must have a wired connection to the corporate network
- The corporate network must use DHCP to manage IP addresses
- Each computer must have a DHCP drive rimplemented in its UEFI firmware
For general guidelines about how to troubleshoot Network Unlock, see [Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)
For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)
This article describes several known issues that you may encounter while using Network Unlock:
<a id="list"></a>
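Review bot: The inserted sentence "The most recommended way would be to use the “Network Unlock” feature..." sits between "Your environment must have the following configuration:" and the list it introduces, so the list no longer follows its lead-in; drop it or move it above that paragraph (it also restates the sentence before it). "DHCP drive rimplemented" in the last bullet should be "DHCP driver implemented". The H1 here still uses "--" while the recovery and TPM pages in this same commit switched to `&mdash;`.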

View File

@ -1,7 +1,7 @@
---
title: BitLocker recovery known issues
description:
ms.reviewer:
ms.reviewer: kaushika
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
@ -11,25 +11,24 @@ manager: kaushika
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 9/19/2019
ms.date: 9/25/2019
---
# BitLocker recovery--known issues
# BitLocker recovery&mdash;known issues
The following list describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The list provides links to guidance for addressing the issues.
<a id="list"></a>
- [Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key](#scenario-1)
- [](#scenario-2)
- ["Manage-bde -forcerecovery" command is unsupported for testing recovery mode on tablet devices](#scenario-3)
- [Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device](#scenario-4)
- [Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000](#scenario-5)
- [Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000](#scenario-6)
- [Intune: Troubleshooting BitLocker enforcement](#scenario-7)
- [The recovery key for a laptop was not backed up, and the laptop is locked](#scenario-2)
- [Tablet devices do not support **Manage-bde -forcerecovery** to test recovery mode](#scenario-3)
- [Surface: After you install updates to Surface UEFI or TPM firmware, BitLocker prompts for the recovery key](#scenario-4)
- [Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000](#scenario-5)
- [Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000](#scenario-6)
## <a id="scenario-1"></a>Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key
### Symptom
Windows 10 prompts you for a BitLocker recovery key. However, you have not configured a BitLocker recovery key.
### Resolution
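Review bot: The new list has no entry for #scenario-7 (Intune: Troubleshooting BitLocker enforcement), and the hunk does not show that section being removed; confirm it was deleted or moved to the Intune page, otherwise it is unreachable from the list. The scenario-3 entry puts `**Manage-bde -forcerecovery**` in bold inside the link text while its heading further down has no formatting; use inline code `manage-bde -forcerecovery` in both. Giving scenarios 5 and 6 distinct titles fixes the duplicated entries of the old list.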
@ -41,7 +40,7 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses two sit
[Back to list](#list)
## <a id="scenario-2"></a>Scenario 2
## <a id="scenario-2"></a>The recovery key for a laptop was not backed up, and the laptop is locked
We have a Windows 10 Home laptop which is being used by one onsite engineers. He is in California and spilled Coffee in his laptop on Wednesday. The laptop will not work but the hard drive is good. When we hook it up to a docking station, it asks us for a bit locker encryption key to access the drive. Whomever used the laptop before must have turned on bit locker. We have no way of knowing the bit locker password. We need the data in My Documents. It is a SSD drive and is in good condition.
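Review bot: The body under the renamed scenario-2 heading is still the verbatim support request ("spilled Coffee in his laptop on Wednesday", "bit locker", "Whomever used the laptop"); rewrite it into the Symptom/Resolution structure the other scenarios use, for example "A Windows 10 Home laptop is damaged but its SSD is intact; when the drive is attached to another computer it prompts for a BitLocker recovery key that was never backed up." The engineer's location and the day of the week are not needed.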
@ -49,12 +48,10 @@ The BitLocker Windows Management Instrumentation (WMI) interface does allow admi
[Back to list](#list)
## <a id="scenario-3"></a>"Manage-bde -forcerecovery" command is unsupported for testing recovery mode on tablet devices
## <a id="scenario-3"></a>Tablet devices do not support Manage-bde -forcerecovery to test recovery mode
Reference: <https://internal.support.services.microsoft.com/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m>
### Symptoms
Assume that you have a tablet or slate device, and you're trying to test the recovery method by running the following command:
```cmd
@ -92,12 +89,10 @@ To resolve this issue, follow these steps:
[Back to list](#list)
## <a id="scenario-4"></a>Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device
## <a id="scenario-4"></a>Surface: After you install updates to Surface UEFI or TPM firmware, BitLocker prompts for the recovery key
Reference: <https://internal.support.services.microsoft.com/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update>
### Symptoms
You encounter one or more of the following symptoms on your Surface device:
- At startup, you are prompted for your BitLocker recovery key, and you enter the correct recovery key, but Windows doesnt start up.
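Review bot: "Windows doesnt start up" in the unchanged bullet needs the apostrophe: "doesn't".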
@ -220,12 +215,10 @@ To reset your device by using a Surface recovery image: Follow the instructions
[Back to list](#list)
## <a id="scenario-5"></a>Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000
## <a id="scenario-5"></a>Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000
Reference: <https://internal.support.services.microsoft.com/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi>
### Symptoms
After installing an affected update and restarting, some devices running Windows 10, Version 1703, Windows 10, version 1607 or Windows Server 2016 with Hyper-V enabled may enter BitLocker recovery mode and receive an error, "0xC0210000".
### Workaround
@ -260,7 +253,6 @@ To prevent this issue, execute the following command to temporarily suspend BitL
> [!NOTE]
> This command will suspend BitLocker for one restart of the device (`-rc 1` option only works inside OS and does not work from recovery environment).
{check update KBs--WA no longer needed with updates?}
This issue is now resolved for all platforms in the following updates:
@ -269,3 +261,22 @@ This issue is now resolved for all platforms in the following updates:
[Back to list](#list)
## <a id="scenario-6"></a> Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000
Windows 10 1809 with Virtualization Based Security enabled (Credential Guard/Device Guard) on TPM 1.2 causing bitlocker recovery on every reboot with : "error code 0xc0210000"
![Recovery Your PC/Device needs to be repaired A be 't ve•d 10 use media a ](./media/4496645_en_1.png)
### Cause
TPM 1.2 is not supported for use with “SecureLaunch” and this is well documented under minimum requirements for Secure Launch on the below URL.
[System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines)
### Resolution
Once you will disable the secure Launch in policy on devices with TPM 1.2, it will fix the issue.
![](./images/4496674_en_1.png)
[Back to list](#list)
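Review bot: Scenario 6 references its first image as ./media/4496645_en_1.png while its second image and every other image in these files use ./images/; one of the two paths will not resolve. The first image's alt text is OCR garbage ("A be 't ve•d 10 use media a"); replace it with a description such as "BitLocker recovery screen". "Once you will disable the secure Launch in policy on devices with TPM 1.2, it will fix the issue" should read "Disable Secure Launch in policy on devices that have TPM 1.2"; "SecureLaunch" should be "Secure Launch", the symptom line is a sentence fragment, and the `\#` in the docs.microsoft.com link should be a plain `#`.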

View File

@ -20,13 +20,11 @@ ms.date: 9/19/2019
<a id="list"></a>
- [](#scenario-1)
- [](#scenario-2)
- [Azure AD: Windows Hello for Business and single sign-on do not work](#scenario-1)
- [Loading the management console failed. The device that is required by the cryptographic provider is not ready for use](#scenario-2)
- [Azure AD-joined devices fail because of a TPM issue](#scenario-3)
## Scenario 1
### Symptom: The TPM is defending against dictionary attacks and is in a time-out period (specific to AAD)
## <a id="scenario-1"></a>Azure AD: Windows Hello for Business and single sign-on do not work
Not able to acquire a PRT can lead to various issues
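Review bot: The old heading for scenario 3 said "hybrid Azure Active Directory joined devices" and its reference link is troubleshoot-hybrid-join-windows-current, but the new list entry and heading say "Azure AD-joined devices", which is a different join type; keep "hybrid Azure AD-joined" in both. The unchanged line "Not able to acquire a PRT can lead to various issues" should spell out PRT (Primary Refresh Token) on first use and read "Failure to acquire a PRT can cause several issues".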
@ -77,33 +75,9 @@ To clear / reset the TPM:
You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
[Back to list](#list)
### EST/WIN8.1/ Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
### Cause
TPM Lockout
### Resolution
open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure BitLocker (we use some scripts, but the GUI is also ok J)
### PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period
[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/help/4327939)
This Surface Pro 3 was shipped with Windows 10 and reimaged with Windows 8.1. BitLocker can not be enabled.
The TPM on this computer is currently locked out.
Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker or device encryption
### Resolution
When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we received the error "The TPM is defending against dictionary attacks and is in a time-out period." We rebooted into BIOS, disabled TPM and when we booted into OS, the tpm.msc showed “Compatible Trusted Platform Module (TPM) cannot be found on this computer. verify that this computer has 1.2 TPM and its is turned on in the BIOS “ We then booted into BIOS, enabled the TPM and then we found that it required us to clear the existing TPM keys and rebooted. Now, we were able to successfully prepare the TPM and the TPM state was “ready for use”. Now, we started the encryption on OS drive with TPM protector and the encryption was successful.
## Scenario 2: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
## <a id="scenario-2"></a>Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
Reference: [https://internal.support.services.microsoft.com/help/4313961](https://internal.support.services.microsoft.com/help/4313961)
@ -119,9 +93,7 @@ Hardware/firmware issues within TPM.
Recommended action plan: After consulting with the TPM feature team, We advised you to test this out on a different device of the same model. Apart from that we also suggested you to switch the TPM operation mode to Spec v1.2 to v2.0 and check if the issue continues to occur.Current status: As of now, you have reached out to {Namepii} to get the mainboard on the device replaced by 18th August. Post that you will be changing the operation mode of TPM to 2.0 to see if that resolves the problem. Since we dont have any active troubleshooting plan we are closing this case temporarily for now and we will re-engage on 10 AM EST 26th Sept. to discuss this issue further. I will be sending you a meeting invite for the same.
## Scenario 3: Troubleshooting hybrid Azure Active Directory joined devices failure due to TPM
## <a id="scenario-3"></a>Azure AD-joined devices fail because of a TPM issue
Reference: [https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
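Review bot: The "Recommended action plan" paragraph under scenario 2 is an unchanged line, but it is a case status update addressed to one customer ("you have reached out to {Namepii} to get the mainboard on the device replaced by 18th August", "we are closing this case temporarily", "I will be sending you a meeting invite") with a PII placeholder; it should not ship in public docs. Reduce it to the two actionable points it contains: test on another device of the same model, and switch the TPM operation mode from 1.2 to 2.0 where the firmware supports it.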
@ -166,57 +138,4 @@ Reference: [https://internal.support.services.microsoft.com/help/4467030](https:
- **Resolution:** Transient error. Wait for the cooldown period. Join attempt after some time should succeed. More Information can be found in the article [TPM fundamentals](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
## Scenario 4: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
### Symptom:
Unable to backup TPM Information to ADDS.
### Cause
Insufficient permissions for SELF on TPM Devices Container.
### Resolution
1. Problem - LDAP trace between client and DC to find cause of ACCESS DENIED error 0x80070005 - 12/20/2016 12:52 AM
Errors seen in the LDAP traces : ldap\_modify call for CN=TestOU,CN=TPM Devices,DC=XYZ,DC=com which is failing with Insufficient Rights.
1. Run following command to identify the TPM Attributes :
Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,msTPM-TPMInformationForComputer TPMTest Is the name of my test computer which has the attribute filled.
1. Provided proper permissions of SELF:
Reference: [https://internal.support.services.microsoft.com/help/4337282](https://internal.support.services.microsoft.com/help/4337282)
## Scenario 5: 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
Reference: [https://internal.support.services.microsoft.com/help/4319021](https://internal.support.services.microsoft.com/help/4319021)
Support Topic: Routing Windows V3\Group Policy\Managing BitLocker configuration through Group Policy
### Symptom:
We have already run the adprep as mention when we did a upgrade to our domain a while ago.
We have GPO setup for storing the keys and tpm info as well.
Prepare the TPM gives error:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
### Cause
Add-TPMSelfWriteACE.vbs {available?}
### Resolution
DC: Windows Server 2012 r2. The attributes include ms-TPM-OwnerInformation and msTPM-TpmInformationForComputer are present.
We noticed that he had not added the self-write permissions for the computer objects. So, we downloaded the script Add-TPMSelfWriteACE.vbs and modified the value of strPathToDomain to your domain.Post modification, ran Add-TPMSelfWriteACE.vbs and it ran successfully.We then discovered that the domain and forest functional level are still at 2008 R2 and we wanted to update them first Post updating the domain and forest functional level and setting the required permissions , he confirmed that he was able to successfully back up the TPM information to Active Directory without error : “0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled”.
- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
[Back to list](#list)