Merge branch 'main' into v-smandalika-bl-ovw-req-4318240

Daniel Simpson 2022-06-10 12:28:12 -07:00 committed by GitHub
commit 09d88c6e01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 69 additions and 75 deletions

View File

@ -21,18 +21,14 @@ Sometimes, following a crash, you might be unable to successfully boot into your
If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
> [!NOTE]
> Only try these steps after you have restarted your device at least once.
> Try these steps only after you have restarted your device at least once.
1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**.
1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**.
1. On the next screen, select **Troubleshoot**.
2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
1. On the Troubleshoot screen, select **Advanced options**.
3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
1. On the Advanced options screen, select **Command prompt**.
4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
1. Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system
5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system.
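Review bot: step 1 of the renumbered list introduces a comma splice ("don't enter your recovery key, instead, select **Skip this drive**"); keep the original's full stop before "Instead" or use a semicolon. Two further points on the same list: renumbering from the all-`1.` items used everywhere else in these files to explicit `1.` to `5.` breaks the repo's list convention, and step 5 still sends the reader into Windows without saying what `manage-bde.exe -protectors -disable C:` did. Suspending protection stores the volume master key in the clear in the volume metadata until protection resumes, so the step should end with a check such as "After Windows starts, run `manage-bde.exe -status C:`; if Protection Status is Off, run `manage-bde.exe -protectors -enable C:`." Otherwise the loop fix can silently leave the OS drive unprotected.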

View File

@ -28,7 +28,7 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
This topic describes how to use the BitLocker Recovery Password Viewer.
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).
@ -38,7 +38,7 @@ To complete the procedures in this scenario:
- You must have domain administrator credentials.
- Your test computers must be joined to the domain.
- On the test computers, BitLocker must have been turned on after joining the domain.
- On the domain-joined test computers, BitLocker must have been turned on.
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
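Review bot: the rewrite of the third prerequisite changes its meaning. "BitLocker must have been turned on after joining the domain" states an ordering requirement: recovery passwords are only escrowed to AD DS when the protectors are created while the computer is already domain-joined and the policy applies, which is exactly the case the recovery FAQ linked later in this commit covers ("What if BitLocker is enabled on a computer before the computer has joined the domain?"). "On the domain-joined test computers, BitLocker must have been turned on" is satisfied by a machine that was encrypted first and joined later, and the viewer will find no password for it. Keep the original wording, or write "BitLocker must have been turned on after the computer joined the domain."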

View File

@ -18,14 +18,14 @@ ms.custom: bitlocker
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
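Review bot: dropping "and" leaves two stacked relative clauses in the intro ("issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive"); keep "and that might prevent" or restructure the sentence. The same hunk lowercases "BitLocker Drive Encryption" to "BitLocker drive encryption". That is the name of the component (the one manage-bde and the wizard belong to), and Microsoft docs capitalise it, so the lowercase form here and in the other hunks of this commit should be reverted unless a style decision to change it is recorded somewhere.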
@ -42,13 +42,12 @@ To resolve this issue, follow these steps:
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
1. Try again to start BitLocker Drive Encryption.
2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8
3. Retry starting BitLocker drive encryption.
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
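Review bot: the renumbered step 2 picks up a stray "8" at the end ("press F12 to agree.8"); remove it. The renumbering to `2.`/`3.` also departs from the all-`1.` list style used elsewhere in these files.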
@ -59,11 +58,11 @@ The TPM is locked out.
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
2. Restart the device again, and return to the TPM management console. Following message is displayed:
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
1. Restart the device, and change the BIOS configuration to enable the TPM.
1. Restart the device, and return to the TPM management console.
3. Restart the device, and change the BIOS configuration to enable the TPM.
4. Restart the device, and return to the TPM management console.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
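Review bot: "Following message is displayed:" drops both the article and the hedge. The exact text varies with the TPM version and Windows build, so keep "You should receive a message that resembles the following:" or at least "The following message is displayed:". Also, the first item stays `1.` (unchanged context) while items 2 to 4 are renumbered, so the list now mixes the two numbering styles.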
@ -72,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
### Cause
The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
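Review bot: "TPM Devices container" is the name of an AD DS container, not a description, so lowercasing it to "TPM devices container" is wrong; the next hunk's unchanged context still shows the distinguished name `CN=TPM Devices,DC=<domain>,DC=com`. Keep the capitalised name (code font would help) so readers can match it to what they see in LDAP traces.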
@ -84,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that
To verify that you have correctly identified this issue, use one of the following methods:
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
@ -95,13 +94,13 @@ To verify that you have correctly identified this issue, use one of the followin
In this command, *ComputerName* is the name of the affected computer.
1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
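Review bot: the "R2to" to "R2 to" fix is good. While this dsacls step is being edited, the principal should be written the way dsacls and the ACL editor show it, `NT AUTHORITY\SELF` (space, backslash), not "NTAUTHORITY/SELF", which a reader pasting it into `dsacls.exe ... /G` will get wrong. Separately, "Group Policy Object (GPO)" is a proper name; the lowercased "group policy object" conflicts with "BitLocker Group Policy Reference" used elsewhere in this commit.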
@ -109,7 +108,7 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati
### Cause
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
### Resolution
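Review bot: the edited line now hedges inconsistently, "may still be set" in the first sentence and "might not be correctly set" in the second; use one modal for both.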

View File

@ -18,13 +18,13 @@ ms.custom: bitlocker
# BitLocker configuration: known issues
This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10 and Windows 11
In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
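Review bot: inserting "that" in the Encrypt-On-Write sentence breaks it: "makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted" leaves the first clause without a verb. The original parallel subject ("any new disk writes on all client SKUs and any internal drives are always encrypted") was correct; revert that change. In the intro, "your BitLocker's configuration" hangs a possessive on a product name; "the BitLocker configuration and BitLocker's general functionality" (the original) or simply "BitLocker configuration and general functionality" reads better.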
@ -41,7 +41,7 @@ After Windows 7 was released, several other areas of BitLocker were improved:
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
- BitLocker Wizard
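Review bot: "FIPS" expands to Federal Information Processing Standards, plural, so "FIPS is a United States Government standard" is wrong; keep the plural or write "FIPS is a set of United States Government standards". The preceding line also deserves a touch while this is open: FIPS compliance is a property of the validated cryptographic module and the FIPS mode policy it runs under, not of XTS-AES by itself, so "this algorithm complies with FIPS" would be more accurate as "this algorithm is FIPS-approved".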
@ -90,12 +90,12 @@ This issue occurs regardless of any of the following variations in the environme
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the domain controller Application log, the VSS event source records event ID 8229:
In the domain controller application log, the VSS event source records event ID 8229:
> ID: 8229
> Level: Warning
> Source: VSS
> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
>
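Review bot: two quoted names are altered here. "Application log" is the name of the Windows event log (Event Viewer > Windows Logs > Application), so lowercasing it to "application log" turns it into a generic description. The VSS text is a verbatim event message; changing the comma after 0x800423f4 to a full stop means a reader searching for the exact string Windows logs will not match it. Keep both as they were.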

View File

@ -39,7 +39,7 @@ If you do not have a clear trail of events or error messages to follow, other ar
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review your BitLocker policy configuration](#policy)
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
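Review bot: "For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly" is wordier than the original "how to verify that"; revert. The same "the procedure to" substitution recurs in later hunks of this file and in the recovery article, and should be reverted there too.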
@ -49,7 +49,7 @@ Event ID 853 can carry different error messages, depending on the context. In th
### Cause
The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
### Resolution
@ -70,9 +70,9 @@ In this case, you see event ID 853, and the error message in the event indicates
### Cause
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects removable bootable media.
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
### Resolution
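Review bot: "a removable bootable media" is ungrammatical ("media" is plural/uncountable here); keep "removable bootable media" without the article, or say "a removable bootable device".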
@ -90,7 +90,7 @@ The event information resembles the following:
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE is not available on the device, provisioning stops.
@ -104,7 +104,7 @@ The procedures described in this section depend on the default disk partitions t
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
```console
diskpart
@ -113,7 +113,7 @@ list volume
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager):
![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
@ -124,7 +124,6 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win
```console
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png)
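Review bot: this deletes "The output of this command resembles the following." before the reagentc /info screenshot, while the parallel sentence before the bcdedit screenshot in Step 3 is kept (with a colon). Keep the sentence here as well, with the colon, so the two steps match and the image is introduced.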
@ -137,13 +136,13 @@ reagentc /enable
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```console
bcdedit /enum all
```
The output of this command resembles the following.
The output of this command resembles the following:
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
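Review bot: "verify whether the Windows Boot Loader contains the recovery sequence GUID" changes the sense of the step; it exists to confirm the GUID is present before continuing, so "verify that" is the right phrase ("check whether" if the open question is intended). The added article and the colon are fine.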
@ -159,11 +158,11 @@ The event information resembles the following:
### Cause
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS.
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS.
### Resolution
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
To verify the BIOS mode, use the System Information application. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
@ -174,7 +173,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device.
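Review bot: "BitLocker Device Encryption" is the name of the automatic encryption feature on HSTI/Modern Standby devices, distinct from BitLocker Drive Encryption, and the Intune enforcement section of this same article depends on that distinction. Lowercasing it to "BitLocker device encryption" erases it; keep the capitalised name.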
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
@ -184,11 +183,11 @@ You receive an error message that resembles the following:
### Cause
A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
### Resolution
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps:
#### Step 1: Verify the PCR validation profile of the TPM
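Review bot: "Secure Boot" is the UEFI feature's proper name, and the unchanged Confirm-SecureBootUEFI notes later in this article still capitalise it, so "secure boot" creates an inconsistency within one article; revert. Also drop "the" in "requires the secure boot to be turned on".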
@ -198,17 +197,17 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t
Manage-bde -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
![Output of the manage-bde command.](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on.
![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
#### 2. Verify the Secure Boot state
#### 2. Verify the secure boot state
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
To verify the secure boot state, use the System Information application. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
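Review bot: "verify whether the **PCR Validation Profile** setting includes **7**, as follows:" is self-contradictory, since "as follows" introduces the screenshot of the case where 7 is present; "verify that" is the right phrase. The heading "#### 2. Verify the secure boot state" keeps the pre-existing mismatch with "#### Step 1: Verify the PCR validation profile of the TPM"; since the line is being edited anyway, make it "#### Step 2: Verify the Secure Boot state". Same "Secure Boot" capitalisation point as the previous hunk.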
@ -229,7 +228,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
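Review bot: only one of the three parallel cmdlet notes is lowercased ("If the computer supports secure boot and secure boot is disabled") while the lines directly above and below keep "Secure Boot"; revert this one so the block is consistent.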
@ -237,7 +236,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
> Event ID:846
>
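Review bot: "The policy deployment fails and the failure generates the following events" is redundant; the original "fails and generates" was fine.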
@ -270,7 +269,7 @@ The issue affects Windows 11 and Windows 10 version 1809.
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## <a id="issue-5"></a>Error message: There are conflicting Group Policy settings for recovery options on operating system drives
## <a id="issue-5"></a>Error message: There are conflicting group policy settings for recovery options on operating system drives
You receive a message that resembles the following:
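Review bot: this heading reproduces an error message, so lowercasing "Group Policy" inside it alters the quoted text; readers search for the message exactly as Windows displays it. Keep the heading as it was.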
@ -278,13 +277,13 @@ You receive a message that resembles the following:
### Resolution
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
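Review bot: "group policy object (GPO)" is lowercased while the unchanged next line keeps "BitLocker Group Policy Reference"; the proper name should remain "Group Policy Object (GPO)".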
## <a id="policy"></a>Review your BitLocker policy configuration
For information about how to use policy together with BitLocker and Intune, see the following resources:
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
@ -302,7 +301,7 @@ Intune offers the following enforcement types for BitLocker:
If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following:
![Intune policy settings.](./images/4509186-en-1.png)
@ -320,7 +319,7 @@ The OMA-URI references for these settings are as follows:
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
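Review bot: the note now reads "BitLocker drive encryption wizard" while the unchanged paragraph that follows in the same hunk says "BitLocker Drive Encryption wizard"; keep the capitalised product name in both.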
@ -339,11 +338,11 @@ The OMA-URI references for these settings are as follows:
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)

View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
@ -31,7 +31,7 @@ Windows prompts you for a BitLocker recovery password. However, you did not conf
### Resolution
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
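Review bot: subject-verb agreement is broken: "The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations ... and provides" mixes plural and singular. "FAQ" is singular here, so "addresses ... and provides" as in the original. "the procedure to resolve the issue" should also go back to "how to resolve the issue".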
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
You have a tablet or slate device, and you try to test BitLocker recovery by running the following command:
```console
Manage-bde -forcerecovery
@ -73,7 +73,7 @@ However, after you enter the recovery password, the device cannot start.
> [!IMPORTANT]
> Tablet devices do not support the **manage-bde -forcerecovery** command.
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
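Review bot: "touch-input" should stay unhyphenated: in both places it is a noun phrase ("cannot process touch input", "can process touch input"), and a hyphen is only warranted when the words form a compound modifier. Recommend reverting to "touch input". While this paragraph is being touched, the unchanged sentence that follows refers to the same environment as both "WindowsRE" and "WinRE"; "WinRE" matches the abbreviation introduced in the changed sentence, so suggest using it in both places.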
@ -103,7 +103,7 @@ To resolve the restart loop, follow these steps:
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You experience one or more of the following symptoms on the Surface device:
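Review bot: Lowercasing "BitLocker Drive Encryption" to "BitLocker drive encryption" turns the feature's proper name into a generic description; the capitalized form is the name of the feature and of its Control Panel item. The same lowercasing is applied in two later hunks of this file (the note under Step 2 and the Resume-BitLocker section), so it is at least consistent within the patch, but if the intent is a style change it should be confirmed against every remaining occurrence in the article; otherwise keep the capitalized name here and in those hunks.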
@ -115,14 +115,14 @@ You experience one or more of the following symptoms on the Surface device:
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure Boot is turned off.
- PCR values have been explicitly defined, such as by Group Policy.
- Secure boot is turned off.
- PCR values have been explicitly defined, such as by group policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
### Resolution
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
```console
manage-bde.exe -protectors -get <OSDriveLetter>:
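Review bot: The capitalization changes in this hunk disagree with the unchanged context immediately below them: the bullets become "Secure boot is turned off." and "such as by group policy", but the next paragraph still reads "if PCR 7 and Secure Boot are correctly configured" and links to "BitLocker Group Policy Settings". Secure Boot (the UEFI feature) and Group Policy (the Windows feature) are proper names, so suggest reverting the two bullets to "Secure Boot" and "Group Policy" so the hunk agrees with its own context. The "open and elevated" to "open an elevated" correction in the same hunk is right.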
@ -170,7 +170,7 @@ To do this, follow these steps:
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
@ -193,9 +193,9 @@ To recover data from your Surface device if you cannot start Windows, follow ste
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
To enable secure boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
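Review bot: Same proper-name issue as in the PCR section: "the default configuration of secure boot" and "To enable secure boot on a Surface device" lowercase a feature name that the hunk header line itself still shows as "To enable Secure Boot on a Surface device". Suggest keeping "Secure Boot". The unchanged first step in this hunk also has a sentence-case error that could be fixed in the same pass: "Suspend BitLocker. to do this, open an elevated Windows PowerShell window" should read "Suspend BitLocker. To do this, open an elevated Windows PowerShell window".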
@ -212,6 +212,7 @@ To enable Secure Boot on a Surface device, follow these steps:
1. Open an elevated PowerShell window, and run the following cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
@ -252,7 +253,6 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
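Review bot: This hunk removes the blank line between the explanatory sentence "In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive." and the next step "1. Install the Surface device driver and firmware updates." Without a separating blank line, Markdown renderers may fold the sentence into the list item or restart the list numbering, depending on indentation; please keep the blank line, as the earlier hunk in this file does by adding one before the Resume-BitLocker code block. The sentence itself also needs a comma after the introductory phrase: "In this cmdlet, <*DriveLetter*> is the letter that is assigned to your drive."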
@ -263,7 +263,7 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
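Review bot: The trailing context heading in this hunk has a typo the PR could fix while it is editing this area: "After you install an update to a Hyper V-enabled computer" should read "Hyper-V-enabled" (the product name is Hyper-V, and a space in the compound modifier breaks it). The lowercasing of "BitLocker Drive Encryption" in this hunk matches the change made in the earlier Surface hunks; whichever form is decided on there should be applied here as well.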
@ -341,5 +341,5 @@ For more information about this technology, see [Windows Defender System Guard:
To resolve this issue, do one of the following:
- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
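Review bot: Dropping the expansion "Group Policy Objects (GPOs)" leaves the acronym unexplained in this bullet; unless GPO is already spelled out earlier in the article, keep the expansion on first use. Separately, "secure launch" here is the Windows Defender System Guard feature named in the hunk header, and the unchanged next bullet still refers to the **Secure Launch Configuration** setting, so the two bullets now disagree. Suggest: `- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.`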