From a7003de5279a780bd392b6a79c351ebecdc4fcbd Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 13:00:05 +0530 Subject: [PATCH 01/30] Update-bl-rcvy-lpbrk-4457208 --- .../bitlocker/bitlocker-recovery-loop-break.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index f06b11a197..6d996b7090 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -24,7 +24,7 @@ Sometimes, following a crash, you might be unable to successfully boot into your If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. > [!NOTE] -> Only try these steps after you have restarted your device at least once. +> Try these steps only after you have restarted your device at least once. 1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. From 654145f5313c9e4549c1809af8b61ab2f6eaeb33 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 16:17:49 +0530 Subject: [PATCH 02/30] Update bl-rcvpwdvw-4457208 --- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 1bc4358ba0..1ac97c6ce1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. +This topic describes how to use the BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). @@ -33,7 +33,7 @@ To complete the procedures in this scenario: - You must have domain administrator credentials. - Your test computers must be joined to the domain. -- On the test computers, BitLocker must have been turned on after joining the domain. +- On the domain-joined test computers, BitLocker must have been turned on. The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. From f0d0dd71a9b87b60afad96a4051dee187a34657f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 11:31:06 +0530 Subject: [PATCH 03/30] Update ts-bitlocker-cannot-encrypt-tpm-issues.md --- .../ts-bitlocker-cannot-encrypt-tpm-issues.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index c112d898f7..93e95c46e6 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -19,14 +19,14 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known TPM issues -This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that affect the trusted platform module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). ## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period" -When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause @@ -42,12 +42,12 @@ To resolve this issue, follow these steps: $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` -1. Restart the computer. If you are prompted at the restart screen, press F12 to agree. -1. Try again to start BitLocker Drive Encryption. +2. Restart the computer. If you are prompted at the restart screen, press F12 to agree. +3. Retry starting BitLocker drive encryption. ## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause @@ -58,11 +58,11 @@ The TPM is locked out. To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: 1. Restart the device, and change the BIOS configuration to disable the TPM. -1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: +2. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. -1. Restart the device, and change the BIOS configuration to enable the TPM. -1. Restart the device, and return to the TPM management console. +3. Restart the device, and change the BIOS configuration to enable the TPM. +4. Restart the device, and return to the TPM management console. If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm). @@ -71,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 -You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." +You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." ### Cause -The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run. +The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run. This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. @@ -83,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that To verify that you have correctly identified this issue, use one of the following methods: -- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed. +- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed. - Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container. 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: @@ -98,9 +98,9 @@ To verify that you have correctly identified this issue, use one of the followin ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" -Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. +Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: > 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled From 9864d7efd7360f9182243bceac6b7be674d24c67 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 12:25:44 +0530 Subject: [PATCH 04/30] Update ts-bitlocker-config-issues.md --- .../bitlocker/ts-bitlocker-config-issues.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index e3c4f3f6d4..af153f4d11 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -18,13 +18,13 @@ ms.custom: bitlocker # BitLocker configuration: known issues -This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues. +This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues. ## BitLocker encryption is slower in Windows 10 -In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance. +In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance of BitLocker affecting the computer's performance. -To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*. +To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*. > [!IMPORTANT] > To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives. @@ -41,7 +41,7 @@ After Windows 7 was released, several other areas of BitLocker were improved: - **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text. - By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software. + By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software. - **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces: - BitLocker Wizard @@ -57,7 +57,7 @@ After Windows 7 was released, several other areas of BitLocker were improved: - **[BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart. -- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. +- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. - **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology. @@ -90,12 +90,12 @@ This issue occurs regardless of any of the following variations in the environme - Whether the VMs are generation 1 or generation 2. - Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2. -In the domain controller Application log, the VSS event source records event ID 8229: +In the domain controller application log, the VSS event source records event ID 8229: > ID: 8229 > Level: Warning > ‎Source: VSS -> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. +> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. > > Changes that the writer made to the writer components while handling the event will not be available to the requester. > From 30c0c15ff56689ca8ebf030116472141ba4d5c69 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 12:58:01 +0530 Subject: [PATCH 05/30] Update ts-bitlocker-decode-measured-boot-logs.md --- .../ts-bitlocker-decode-measured-boot-logs.md | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 3e2cdad741..61a705e835 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -16,25 +16,25 @@ ms.date: 10/17/2019 ms.custom: bitlocker --- -# Decode Measured Boot logs to track PCR changes +# Decode measured boot logs to track PCR changes -Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode. +Platform configuration registers (PCRs) are memory locations in the trusted platform module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific changes in PCRs can cause a device or computer to enter BitLocker recovery mode. -By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. +By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or can learn why a device or computer entered BitLocker recovery mode. The measured boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. -For more information about Measured Boot and PCRs, see the following articles: +For more information about measured boot and PCRs, see the following articles: - [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) - [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices) -## Use TBSLogGenerator to decode Measured Boot logs +## Use TBSLogGenerator to decode measured boot logs -Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: +Use TBSLogGenerator to decode measured boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: - A computer that is running Windows Server 2016 and that has a TPM enabled -- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) +- A gen-2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) To install the tool, follow these steps: @@ -43,15 +43,15 @@ To install the tool, follow these steps: - [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/) - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112) -1. Accept the default installation path. +2. Accept the default installation path. ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) -1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. +3. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) -1. Finish the installation. +4. Finish the installation. To use TBSLogGenerator, follow these steps: @@ -67,12 +67,12 @@ To use TBSLogGenerator, follow these steps: TBSLogGenerator.exe -LF \.log > \.txt ``` where the variables represent the following values: - - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - - \<*LogFileName*> = the name of the file to be decoded - - \<*DestinationFolderName*> = the name of the folder for the decoded text file - - \<*DecodedFileName*> = the name of the decoded text file + - \<*LogFolderName*> = The name of the folder that contains the file to be decoded + - \<*LogFileName*> = The name of the file to be decoded + - \<*DestinationFolderName*> = The name of the folder for the decoded text file + - \<*DecodedFileName*> = The name of the decoded text file - For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: + For example, the following figure shows measured boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: ```cmd TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt @@ -92,9 +92,9 @@ To find the PCR information, go to the end of the file. ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) -## Use PCPTool to decode Measured Boot logs +## Use PCPTool to decode measured boot logs -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. +PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a measured boot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. @@ -104,10 +104,10 @@ PCPTool.exe decodelog \.log > = the path to the folder that contains the file to be decoded -- \<*LogFileName*> = the name of the file to be decoded -- \<*DestinationFolderName*> = the name of the folder for the decoded text file -- \<*DecodedFileName*> = the name of the decoded text file +- \<*LogFolderPath*> = The path to the folder that contains the file to be decoded +- \<*LogFileName*> = The name of the file to be decoded +- \<*DestinationFolderName*> = The name of the folder for the decoded text file +- \<*DecodedFileName*> = The name of the decoded text file The content of the XML file resembles the following. From 78f2669a0ea26c1355f904132484eff0d749a44a Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 16:00:21 +0530 Subject: [PATCH 06/30] Update ts-bitlocker-intune-issues.md --- .../bitlocker/ts-bitlocker-intune-issues.md | 89 ++++++++++--------- 1 file changed, 45 insertions(+), 44 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 895c4eec13..8c24276e8f 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -37,7 +37,7 @@ If you do not have a clear trail of events or error messages to follow, other ar - [Review the hardware requirements for using Intune to manage BitLocker on devices](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements) - [Review your BitLocker policy configuration](#policy) -For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). +For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). ## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer @@ -47,7 +47,7 @@ Event ID 853 can carry different error messages, depending on the context. In th ### Cause -The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM. +The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. ### Resolution @@ -68,9 +68,9 @@ In this case, you see event ID 853, and the error message in the event indicates ### Cause -During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. +During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. -To avoid this situation, the provisioning process stops if it detects removable bootable media. +To avoid this situation, the provisioning process stops if it detects a removable bootable media. ### Resolution @@ -88,7 +88,7 @@ The event information resembles the following: Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE. -The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. +The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. If WinRE is not available on the device, provisioning stops. @@ -98,11 +98,11 @@ You can resolve this issue by verifying the configuration of the disk partitions #### Step 1: Verify the configuration of the disk partitions -The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. +The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following: ![Default disk partitions, including the recovery partition](./images/4509194-en-1.png) -To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: +To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands: ``` diskpart @@ -110,7 +110,7 @@ list volume ``` ![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). +If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager): ![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) @@ -121,7 +121,7 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win ```cmd reagentc /info ``` -The output of this command resembles the following. +The output of this command resembles the following: ![Output of the reagentc /info command](./images/4509193-en-1.png) @@ -133,13 +133,13 @@ reagentc /enable #### Step 3: Verify the Windows Boot Loader configuration -If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: +If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: ```cmd bcdedit /enum all ``` -The output of this command resembles the following. +The output of this command resembles the following: ![Output of the bcdedit /enum all command](./images/4509196-en-1.png) @@ -155,18 +155,18 @@ The event information resembles the following: ### Cause -The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS. +The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS. ### Resolution -To verify the BIOS mode, use the System Information app. To do this, follow these steps: +To verify the BIOS mode, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. +2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png) -1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. +3. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] - > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. + > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device. ## Error message: The UEFI variable 'SecureBoot' could not be read @@ -176,11 +176,11 @@ You receive an error message that resembles the following: ### Cause -A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on. +A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on. ### Resolution -You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps: +You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps: #### Step 1: Verify the PCR validation profile of the TPM @@ -190,40 +190,41 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t Manage-bde -protectors -get %systemdrive% ``` -In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. +In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows: ![Output of the manage-bde command](./images/4509199-en-1.png) -If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. +If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on. ![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png) -#### 2. Verify the Secure Boot state +#### 2. Verify the secure boot state -To verify the Secure Boot state, use the System Information app. To do this, follow these steps: +To verify the secure boot state, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **Secure Boot State** setting is **On**, as follows: +2. Verify that the **Secure Boot State** setting is **On**, as follows: ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png) -1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. +> [!NOTE] +> If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker encryption on this device. ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) > [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` -> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." +> If the computer supports secure boot and secure boot is enabled, this cmdlet returns "True." > -> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." +> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False." > > If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform." ## Event ID 846, 778, and 851: Error 0x80072f9a -In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. +In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809, device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. -The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): +The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): > Event ID:846 > @@ -250,13 +251,13 @@ These events refer to Error code 0x80072f9a. These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails. -The issue affects Windows 10 version 1809. +The issue affects Windows 10, version 1809. ### Resolution To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update. -## Error message: There are conflicting Group Policy settings for recovery options on operating system drives +## Error message: There are conflicting group policy settings for recovery options on operating system drives You receive a message that resembles the following: @@ -264,13 +265,13 @@ You receive a message that resembles the following: ### Resolution -To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). +To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN). ## Review your BitLocker policy configuration -For information about how to use policy together with BitLocker and Intune, see the following resources: +For information about the procedure to use policy together with BitLocker and Intune, see the following resources: - [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-devices-joined-to-azure-active-directory) - [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN) @@ -282,13 +283,13 @@ For information about how to use policy together with BitLocker and Intune, see Intune offers the following enforcement types for BitLocker: -- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.) -- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.) -- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.) +- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10, version 1703, and later versions.) +- **Silent** (Endpoint protection policy. This option is available in Windows 10, version 1803, and later versions.) +- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10, version 1803.) -If your device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. +If your device runs Windows 10, version 1703, or later versions; supports Modern Standby (also known as Instant Go); and is HSTI-compliant, joining the device to Azure AD triggers an automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. -If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: +If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following: ![Intune policy settings](./images/4509186-en-1.png) @@ -303,18 +304,18 @@ The OMA-URI references for these settings are as follows: Value: **0** (0 = Blocked, 1 = Allowed) > [!NOTE] -> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. +> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10, version 1809, or later versions, you can use an endpoint protection policy to enforce silent BitLocker device encryption even if the device is not HSTI-compliant. > [!NOTE] -> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard. +> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard. -If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard. +If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker drive encryption. To do this, the user selects the notification. This action launches the BitLocker drive encryption wizard. The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements: - Be HSTI-compliant - Support Modern Standby -- Use Windows 10 version 1803 or later +- Use Windows 10, version 1803, or later versions ![Intune policy setting](./images/4509188-en-1.png) @@ -325,11 +326,11 @@ The OMA-URI references for these settings are as follows: Value: **1** > [!NOTE] -> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles. +> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. ## Verifying that BitLocker is operating correctly -During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. +During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845. ![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png) From fdbc304e6491fd28919ebcdbf618523fb382bcdb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 17:16:50 +0530 Subject: [PATCH 07/30] Update ts-bitlocker-network-unlock-issues.md --- .../ts-bitlocker-network-unlock-issues.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index b5882849d0..1751050bc3 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -18,20 +18,20 @@ ms.custom: bitlocker # BitLocker Network Unlock: known issues -By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements: +By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, you have to configure your environment to meet the following requirements: - Each computer belongs to a domain - Each computer has a wired connection to the corporate network - The corporate network uses DHCP to manage IP addresses - Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware -For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). +For general guidelines about the procedure to troubleshoot network unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). -This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues. +This article describes several known issues that you may encounter when you use network unlock feature, and provides guidance to address these issues. -## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer +## Tip: Detect whether BitLocker network unlock is enabled on a specific computer -You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands. +You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands: 1. Open an elevated Command Prompt window and run the following command: @@ -40,15 +40,15 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy ``` where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock. + If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. 1. Start Registry Editor, and verify the following settings: - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1** - - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1. + - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. -## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured +## On a Surface Pro 4 device, BitLocker network unlock does not work because the UEFI network stack is incorrectly configured -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. @@ -61,28 +61,28 @@ The UEFI network stack on the device was incorrectly configured. To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm). > [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option. +> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. -## Unable to use BitLocker Network Unlock feature on a Windows client computer +## Unable to use BitLocker network unlock feature on a Windows client computer -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. ### Cause -A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. +A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP or WDS server. DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: -- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. +- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. These messages use the Message Type option; therefore, the DHCP server treats them as DHCP messages. +- The third message that the BitLocker network unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message. If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. -For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) +For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) ### Resolution From 15fafb67b421cad79c666afbfba2f0f8876c6484 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 18:46:24 +0530 Subject: [PATCH 08/30] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 112 +++++++++--------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index b9d677c092..cc10bde567 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -18,7 +18,7 @@ ms.custom: bitlocker # BitLocker recovery: known issues -This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues. +This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. > [!NOTE] > In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors). @@ -29,14 +29,14 @@ Windows 10 prompts you for a BitLocker recovery password. However, you did not c ### Resolution -The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue: +The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue: - [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) - [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup) ## The recovery password for a laptop was not backed up, and the laptop is locked -You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. +You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker driver encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. ### Resolution @@ -57,7 +57,7 @@ You can use either of the following methods to manually back up or synchronize a ## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode -You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: +You have a tablet or slate device, and you try to test BitLocker recovery by running the following command: ```cmd Manage-bde -forcerecovery @@ -70,7 +70,7 @@ However, after you enter the recovery password, the device cannot start. > [!IMPORTANT] > Tablet devices do not support the **manage-bde -forcerecovery** command. -This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input. +This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. @@ -80,20 +80,20 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: -1. On the BitLocker Recovery screen, select **Skip this drive**. -1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : +1. On the **BitLocker Recovery** screen, select **Skip this drive**. +2. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. +3. In the Command Prompt window, run the following commands : ```cmd manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: ``` -1. Close the Command Prompt window. -1. Shut down the device. -1. Start the device. Windows should start as usual. +4. Close the Command Prompt window. +5. Shut down the device. +6. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password -You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. +You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. You experience one or more of the following symptoms on the Surface device: @@ -105,14 +105,14 @@ You experience one or more of the following symptoms on the Surface device: This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way: -- Secure Boot is turned off. -- PCR values have been explicitly defined, such as by Group Policy. +- Secure boot is turned off. +- PCR values have been explicitly defined, such as by group policy. -Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). +Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and secure boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). ### Resolution -To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: +To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command: ```cmd manage-bde.exe -protectors -get : @@ -129,25 +129,25 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. -1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. -1. Insert the USB Surface recovery image drive into the Surface device, and start the device. -1. When you are prompted, select the following items: +2. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. +3. Insert the USB Surface recovery image drive into the Surface device, and start the device. +4. When you are prompted, select the following items: 1. Your operating system language. - 1. Your keyboard layout. -1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: + 2. Your keyboard layout. +5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. +6. In the Command Prompt window, run the following commands: ```cmd manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : ``` In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. > [!NOTE] - > For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock). -1. Restart the computer. -1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. + > For more information about the procedure to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock). +7. Restart the computer. +8. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] -> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. #### Step 2: Use Surface BMR to recover data and reset your device @@ -158,41 +158,41 @@ To recover data from your Surface device if you cannot start Windows, follow ste manage-bde -unlock -recoverypassword : ``` In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. -1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. +2. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. > [!NOTE] - > For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands). + > For more information about these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands). 1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512). #### Step 3: Restore the default PCR values -To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values. +To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values. -To enable Secure Boot on a Surface device, follow these steps: +To enable secure boot on a Surface device, follow these steps: -1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: +1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` In this command, <*DriveLetter*> is the letter that is assigned to your drive. -1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. -1. Restart the device. -1. Open an elevated PowerShell window, and run the following cmdlet: +2. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. +3. Restart the device. +1. Open an elevated PowerShell window and run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: -1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. +1. Disable any group policy objects (GPOs) that configure the PCR settings, or remove the device from any groups that enforce such policies. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings). -1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: +2. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. -1. Run the following cmdlet: +3. Run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" @@ -201,38 +201,38 @@ To reset the PCR settings on the TPM, follow these steps: You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. > [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: -> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes. -> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. +> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: +> - **2** or greater: This value sets the number of times the device can restart before BitLocker device encryption resumes. +> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. To suspend BitLocker while you install TPM or UEFI firmware updates: -1. Open an elevated Windows PowerShell window, and run the following cmdlet: +1. Open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. -1. Install the Surface device driver and firmware updates. -1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: + In this cmdlet, <*DriveLetter*> is the letter that is assigned to your drive. +2. Install the Surface device driver and firmware updates. +3. After you install the firmware updates, restart the computer, open an elevated PowerShell window and then run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" ``` -To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. ## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000 -You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000. +You have a device that runs Windows 10, version 1703; Windows 10, version 1607; or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker recovery mode and you see error code 0xC0210000. ### Workaround If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: -1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. -1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. -1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. -1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: +1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker drive encryption was first turned on. +2. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. +3. If your device starts in WinRE and prompts you for the recovery password again, select **Skip the drive**. +4. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. +5. In the Command Prompt window, run the following commands: ```cmd Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: @@ -243,7 +243,7 @@ If your device is already in this state, you can successfully start Windows afte > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. 1. Select **Continue**. Windows should start. -1. After Windows has started, open an elevated Command Prompt window and run the following command: +2. After Windows has started, open an elevated Command Prompt window and run the following command: ```cmd Manage-bde -protectors -enable c: ``` @@ -262,11 +262,11 @@ Manage-bde -protectors -disable c: -rc 1 To resolve this issue, install the appropriate update on the affected device: - For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450) -- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460) +- For Windows 10, version 1607, and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460) ## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 -You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following. +You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time you start the device, the device enters BitLocker recovery mode and you see error code 0xc0210000, and a message that resembles the following: > Recovery > @@ -279,7 +279,7 @@ You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the ### Cause -TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines) +TPM 1.2 does not support secure launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines) For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) @@ -287,5 +287,5 @@ For more information about this technology, see [Windows Defender System Guard: To resolve this issue, do one of the following: -- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch. +- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch. - Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. From f0d80c4d7242d052745545b9bf403136eadb9f53 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 28 Sep 2020 12:08:30 +0530 Subject: [PATCH 09/30] Reviewed_bitlocker-use-bitlocker-recovery-password-viewer.md Made a minor change, hence committing directly back to the same branch. --- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 1ac97c6ce1..0ef2f9bfe1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes how to use the BitLocker Recovery Password Viewer. -The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). +The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory. You can also search for a password by password identifier (ID). ## Before you start From fce80b34486031ad2f77a7e0b7b8260197fba65d Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 28 Sep 2020 15:12:35 +0530 Subject: [PATCH 10/30] Reviewed-PR3755 (#3873) Made a few changes. --- .../bitlocker/bitlocker-recovery-loop-break.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 6d996b7090..862c89585a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -26,16 +26,12 @@ If you've entered the correct Bitlocker recovery key multiple times, and are sti > [!NOTE] > Try these steps only after you have restarted your device at least once. -1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. +1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**. -1. On the next screen, select **Troubleshoot**. +2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. -1. On the Troubleshoot screen, select **Advanced options**. +3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` -1. On the Advanced options screen, select **Command prompt**. +4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` -1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` - -1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` - -1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system +5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system. From a8236c15b87cfb90d9229f9375d90316eba7c272 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 15 Oct 2020 12:16:55 +0530 Subject: [PATCH 11/30] Update ts-bitlocker-intune-issues.md --- .../bitlocker/ts-bitlocker-intune-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 8c24276e8f..2f62005f82 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -210,7 +210,7 @@ To verify the secure boot state, use the System Information application. To do t ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) > [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: +> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps&preserve-view=true) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` From 7ed055f997bcb462e7ac621641c8b2353d31c040 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 15 Oct 2020 12:29:18 +0530 Subject: [PATCH 12/30] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index cc10bde567..37adca3971 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -201,9 +201,9 @@ To reset the PCR settings on the TPM, follow these steps: You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. > [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: +> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values: > - **2** or greater: This value sets the number of times the device can restart before BitLocker device encryption resumes. -> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. +> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection. To suspend BitLocker while you install TPM or UEFI firmware updates: From 8ea73725e7a950a549d4fa92116812114e84dc2d Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 16 Oct 2020 14:50:58 +0530 Subject: [PATCH 13/30] Reviewed ts-bitlocker-decode-measured-boot-logs.md --- .../ts-bitlocker-decode-measured-boot-logs.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 61a705e835..a0f7da5771 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -24,12 +24,12 @@ By tracking changes in the PCRs, and identifying when they changed, you can gain This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. -For more information about measured boot and PCRs, see the following articles: +For more information about MeasuredBoot and PCRs, see the following articles: -- [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) +- [TPM fundamentals: MeasuredBoot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) - [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices) -## Use TBSLogGenerator to decode measured boot logs +## Use TBSLogGenerator to decode MeasureBoot logs Use TBSLogGenerator to decode measured boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: @@ -72,7 +72,7 @@ To use TBSLogGenerator, follow these steps: - \<*DestinationFolderName*> = The name of the folder for the decoded text file - \<*DecodedFileName*> = The name of the decoded text file - For example, the following figure shows measured boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: + For example, the following figure shows MeasuredBoot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: ```cmd TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt @@ -92,9 +92,9 @@ To find the PCR information, go to the end of the file. ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) -## Use PCPTool to decode measured boot logs +## Use PCPTool to decode MeasuredBoot logs -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a measured boot log file and converts it into an XML file. +PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a MeasuredBoot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. From 98936b6e624f620127515aadb9c8ca2f267a6c33 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 16 Oct 2020 18:13:52 +0530 Subject: [PATCH 14/30] Reviewed ts-bitlocker-cannot-encrypt-tpm-issues.md (#3998) Made minor changes --- .../ts-bitlocker-cannot-encrypt-tpm-issues.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index 93e95c46e6..2c7e7eecb9 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md @@ -19,7 +19,7 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known TPM issues -This article describes common issues that affect the trusted platform module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). @@ -41,8 +41,7 @@ To resolve this issue, follow these steps: ```ps $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` - -2. Restart the computer. If you are prompted at the restart screen, press F12 to agree. +2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8 3. Retry starting BitLocker drive encryption. ## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" @@ -58,7 +57,7 @@ The TPM is locked out. To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: 1. Restart the device, and change the BIOS configuration to disable the TPM. -2. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: +2. Restart the device again, and return to the TPM management console. Following message is displayed: > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. 3. Restart the device, and change the BIOS configuration to enable the TPM. @@ -94,7 +93,7 @@ To verify that you have correctly identified this issue, use one of the followin In this command, *ComputerName* is the name of the affected computer. -1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. +1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" @@ -108,16 +107,16 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati ### Cause -The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set. +The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set. ### Resolution To resolve this issue, follow these steps: 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2. -1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). -1. In the script, modify the value of **strPathToDomain** to your domain name. -1. Open an elevated PowerShell window, and run the following command: +2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133). +3. In the script, modify the value of **strPathToDomain** to your domain name. +4. Open an elevated PowerShell window, and run the following command: ```ps cscript Add-TPMSelfWriteACE.vbs From 9b61c2e883b2c8840e6a9a8c36630602e14629e9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 18 Nov 2020 07:41:09 -0800 Subject: [PATCH 15/30] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index 37adca3971..f7f20840c5 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -36,7 +36,7 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ address situation ## The recovery password for a laptop was not backed up, and the laptop is locked -You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker driver encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. +You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker drive encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. ### Resolution From 696e55d78b343158e8af3c9181be5b8d5873eeb2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:23:14 +0530 Subject: [PATCH 16/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index f62bc8b545..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From ae5936aa3076b87b3e6bf9fe1a91de5cd6d92aaa Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:38:52 +0530 Subject: [PATCH 17/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From de7b847792b57aaa51278e47f26143199fc0cf2d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:43:43 +0530 Subject: [PATCH 18/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From a6732e6caec9fc6611eb25aa9a878bc6dbf1d97d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:49:02 +0530 Subject: [PATCH 19/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index f62bc8b545..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From 0ff921bb2c9e3ae38ad6c98a72b2b1bb95dbfd2e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:55:11 +0530 Subject: [PATCH 20/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index f62bc8b545..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From 14c59a88b18c920b0f52c972a2f0ff172c4c5329 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 11:03:32 +0530 Subject: [PATCH 21/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From e7d192319b2ec964e46d279bc0e474908ee120b9 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:04:54 +0530 Subject: [PATCH 22/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From 11ffe284b0d74316c9fd3d4d06fea5fa5c421496 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:18:26 +0530 Subject: [PATCH 23/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From d1e654ca1ef8fae87a0b5e1ebac7ac9d3787c294 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 10:00:54 +0530 Subject: [PATCH 24/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fcf11cf7d8..89d05f6ae6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -28,9 +28,9 @@ This topic for the IT professional explains how BitLocker features can be used t ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, and for fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. @@ -54,8 +54,10 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| -|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the following: +- the extra security needed for verifying the integrity of a system before it is booted +- multifactor authentication| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| @@ -63,7 +65,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make more copies. When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: @@ -79,7 +81,7 @@ Selecting an encryption type and choosing **Next** will give the user the option After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. -Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off. +Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. ### Data volume From 0ed72a76a0e48087f6c32ea1eb60feafd9fcfded Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:33:28 +0530 Subject: [PATCH 25/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index cebb9f44ed..78430f4b86 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -55,9 +55,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the following: -- the extra security needed for verifying the integrity of a system before it is booted -- multifactor authentication| +|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the extra security in the form of

  • verifying the integrity of a system before it is booted
  • multifactor authentication
    • | |BIOS configuration|
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| From 2fa61a8e6563897667f2a1a68c3115d1204c7b5a Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:35:24 +0530 Subject: [PATCH 26/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 78430f4b86..493d06a06c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -55,7 +55,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the extra security in the form of

  • verifying the integrity of a system before it is booted
  • multifactor authentication
    • | +|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the extra security in the form of:

  • verifying the integrity of a system before it is booted
  • multifactor authentication
    • | |BIOS configuration|
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| From 4edd51fd12fd56be688f4f9eb47d7541ca224e7f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:51:07 +0530 Subject: [PATCH 27/30] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fcf11cf7d8..afa9fc6c53 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -28,9 +28,9 @@ This topic for the IT professional explains how BitLocker features can be used t ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, and for fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. @@ -54,8 +54,8 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| -|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| +|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide extra security in the form of:

  • pre-startup system integrity verification
  • multifactor authentication
    • | |BIOS configuration|
  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| @@ -63,7 +63,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make more copies. When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: From aafc2f81c3a02c4997dd94fe986ed66ae3d651de Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:58:49 +0530 Subject: [PATCH 28/30] Update bitlocker-recovery-loop-break.md --- .../bitlocker/bitlocker-recovery-loop-break.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 862c89585a..785916eded 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -19,9 +19,9 @@ ms.custom: bitlocker # Breaking out of a Bitlocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. +Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This scenario can be very frustrating. -If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. +If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to come out of the loop. > [!NOTE] > Try these steps only after you have restarted your device at least once. From 4d5074fb0acd5a80ae950d32cf875fb8e0d430bf Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 12:02:07 +0530 Subject: [PATCH 29/30] Update bitlocker-recovery-loop-break.md --- .../bitlocker/bitlocker-recovery-loop-break.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index e7d617e0c7..62f0ae35dc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -19,7 +19,7 @@ ms.custom: bitlocker # Breaking out of a Bitlocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This scenario can be very frustrating. +After a crash, you might be unable to successfully boot into your operating system when the recovery screen repeatedly prompts you to enter your recovery key. This scenario can be very frustrating. If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to come out of the loop. From c9599777d2e848423946e3fd1b4aa449a1f751e4 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 10 Jun 2022 17:08:58 +0530 Subject: [PATCH 30/30] fixed suggestion --- .../bitlocker/bitlocker-basic-deployment.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index e76c7e5c7b..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -115,7 +115,6 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes |Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7| - |--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|