Merge pull request #5755 from MicrosoftDocs/v-gmoor-fix-pr-5549

Various fixes, primarily layout and presentation
Gary Moore 2021-09-30 19:24:11 -07:00 committed by GitHub
commit 4b983a981b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 145 additions and 57 deletions

View File

@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f
Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. > [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
   
### Default BCD validation profile ### Default BCD validation profile
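Review bot: the unchanged context line that begins "Setting that applies to all boot applications may be applied only to an individual application" has a number mismatch; while this paragraph is being touched, reword it to "Settings that apply to all boot applications may also be applied to an individual application; the reverse is not true." The whitespace-only line just before the "### Default BCD validation profile" heading is stray trailing whitespace and should be emptied as well.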
@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke
### Full list of friendly names for ignored BCD settings ### Full list of friendly names for ignored BCD settings
This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked. This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked.
> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
> [!NOTE]
> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
| Hex Value | Prefix | Friendly Name | | Hex Value | Prefix | Friendly Name |
| - | - | - | | - | - | - |
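Review bot: "BitLockerprotected" in the context line is missing its hyphen ("BitLocker-protected"), and "This following is a full list" should read "The following is a full list"; both sit on the line adjacent to the note being converted, so fix them in the same pass.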

View File

@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
</colgroup> </colgroup>
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td align="left"><p><strong>Name</strong></p></td> <td align="left"><p>Name</p></td>
<td align="left"><p><strong>Parameters</strong></p></td> <td align="left"><p>Parameters</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td> <td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
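Review bot: dropping `<strong>` from the Name and Parameters cells leaves the first row as a plain `<td>` row inside `<tbody>`, so it is now neither visually nor semantically a header, while the cmdlet rows below it keep `<strong>`. If this row is the table header, change its cells to `<th>` (optionally inside a `<thead>`) instead of just removing the emphasis.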
@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
> [!NOTE] > [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature. > Use of this command requires the RSAT-AD-PowerShell feature.
>
> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. > [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
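Review bot: the bare `>` line between the `> [!NOTE]` alert and the new `> [!TIP]` keeps both inside a single blockquote, so the `[!TIP]` marker renders as literal text inside the note rather than starting a second alert. Separate the two alerts with an empty line (no `>`), and format `WHOAMI /ALL` as inline code so it reads as a command.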

View File

@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
> [!NOTE] > [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives: The hard disk must be partitioned with at least two drives:
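Review bot: two wording problems in the note text carried through this hunk unchanged: "For added security Enable the Secure Boot feature" has a stray capital ("enable"), and "Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI" reads more clearly as "An operating system installed while the firmware was in legacy mode will not boot after the BIOS mode is changed to UEFI." The trailing clause "which will prepare the OS and the disk" should attach to the tool, not to "BIOS mode".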

View File

@ -64,7 +64,8 @@ manage-bde protectors -add C: -startupkey E:
manage-bde -on C: manage-bde -on C:
``` ```
>**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. > [!NOTE]
> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
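Review bot: the context line spells the protector **ADaccountorgroup**, while the later sections of this same file (and the `-AdAccountOrGroupProtector` parameter) use **ADAccountOrGroup**; align the casing while the surrounding note is being converted.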
@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
>**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. > [!TIP]
> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
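Review bot: "If the BitLocker metadata data on the drive has become corrupt" has a doubled word; change it to "BitLocker metadata" in the context line adjacent to the converted tip.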
@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d
- Windows does not start, or you cannot start the BitLocker recovery console. - Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive. - You do not have a copy of the data that is contained on the encrypted drive.
>**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. > [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde: The following limitations exist for Repair-bde:
@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</colgroup> </colgroup>
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td align="left"><p><b>Name</b></p></td> <td align="left"><p>Name</p></td>
<td align="left"><p><b>Parameters</b></p></td> <td align="left"><p>Parameters</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td> <td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
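Review bot: same point as the cmdlet table in the other file: removing `<b>` from the Name and Parameters cells without turning them into `<th>` leaves a header row that is indistinguishable from the data rows. Use `<th>` here, and note that this file uses `<b>` where the other uses `<strong>`; pick one element for both tables.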
@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</table> </table>
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet.
The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details. The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. > [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl` `Get-BitLockerVolume C: | fl`
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
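Review bot: the command in the tip, `Get-BitLockerVolume C: | fl`, is shown as inline code on a line of its own; put it in a ```powershell fence like the other commands in this file, and spell out `Format-List` instead of the `fl` alias so the purpose of the pipe is clear to readers unfamiliar with the alias.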
@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}" Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
``` ```
>**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. > [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
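Review bot: the note states that the cmdlet "requires the key protector GUID enclosed in quotation marks to execute" but gives no reason; add that without the quotes PowerShell parses `{GUID}` as a script block, which is why the braces must be inside a string. That also makes the instruction to include the braces easier to follow.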
@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString
<user inputs password> <user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
``` ```
### Using an AD Account or Group protector in Windows PowerShell ### Using an AD Account or Group protector in Windows PowerShell
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
>**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes > [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
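Review bot: the context line `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` names a cmdlet that does not exist in the BitLocker module; the password protector is added with `Enable-BitLocker E: -PasswordProtector -Password $pw` (or `Add-BitLockerKeyProtector` on a volume that is already encrypted). Separately, the converted `[!WARNING]` text ends without a period ("when used on operating system volumes").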
@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
>**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. > [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
```powershell ```powershell
get-aduser -filter {samaccountname -eq "administrator"} get-aduser -filter {samaccountname -eq "administrator"}
``` ```
>**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. > [!TIP]
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
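Review bot: `get-aduser -filter {samaccountname -eq "administrator"}` is lowercase here but `Get-ADUser` in the companion file's hunk; use the canonical casing in both places, and format `WHOAMI /ALL` as inline code so the tip matches the code style of the note above it.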
@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
``` ```
>**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. > [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
## More information ## More information

View File

@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects
To resolve this issue, follow these steps: To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey: 1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
1. Delete the following entries: 1. Delete the following entries:
@ -55,9 +56,13 @@ To resolve this issue, follow these steps:
You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password. 1. Follow the instructions on the page to enter your password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied." 1. The **Starting encryption** page displays the message "Access is denied."
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps:
1. At the command prompt, enter the following command: 1. At the command prompt, enter the following command:
```cmd ```console
C:\>sc sdshow bdesvc C:\>sc sdshow bdesvc
``` ```
The output of this command resembles the following: The output of this command resembles the following:
> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
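Review bot: the next step tells the reader to copy the SDDL string, but it is presented as a blockquote containing inline code, which wraps and is easy to copy with the leading `>`; show it in a ```console fence instead. The `C:\>` prompt inside the command fence will likewise be copied together with `sc sdshow bdesvc`; drop the prompt from the block or keep it only in the explanatory text.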
@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps:
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```ps ```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
``` ```
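Review bot: the step says to run this in an elevated PowerShell window and the fence is now tagged `powershell`, but in Windows PowerShell `sc` is an alias for `Set-Content`, so `sc sdset bdesvc ...` will not invoke the Service Control tool; use `sc.exe sdset bdesvc "D:(A;;...)"`. The SDDL argument also needs to be quoted in PowerShell, because the unquoted parentheses are parsed as a sub-expression rather than passed to the command.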

View File

@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
``` ```console
\# for hex 0xc0210000 / decimal -1071579136 \# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption. \# This volume is locked by BitLocker Drive Encryption.
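Review bot: Markdown does not process backslash escapes inside a fenced block, so `\#` and `STATUS\_FVE\_LOCKED\_VOLUME` will render with the backslashes visible; now that the block is tagged `console`, remove them so the lines read `# for hex 0xc0210000 / decimal -1071579136` and `STATUS_FVE_LOCKED_VOLUME ntstatus.h`.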
@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur
The operation produces the following call stack: The operation produces the following call stack:
``` ```console
\# Child-SP RetAddr Call Site \# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
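Review bot: same issue as the LSASS error block: the backslash-escaped backticks, exclamation marks, square brackets and doubled backslashes in the call-stack lines will render literally inside the fence. The block should carry the raw debugger output, with the module and symbol separated by a plain `!` and the source path in plain brackets with single backslashes.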

View File

@ -56,6 +56,7 @@ To install the tool, follow these steps:
To use TBSLogGenerator, follow these steps: To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: 1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
This folder contains the TBSLogGenerator.exe file. This folder contains the TBSLogGenerator.exe file.
@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps:
![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
1. Run the following command: 1. Run the following command:
```cmd
```console
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
``` ```
where the variables represent the following values: where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded - \<*LogFileName*> = the name of the file to be decoded
@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps:
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd ```console
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
``` ```
@ -84,11 +87,11 @@ To use TBSLogGenerator, follow these steps:
![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
The content of this text file resembles the following. The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file. To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command: To decode a log, run the following command:
```cmd
```console
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
``` ```
@ -114,4 +118,4 @@ where the variables represent the following values:
The content of the XML file resembles the following. The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) :::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::

View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) :::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
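Review bot: the alt text "The BitLocker status indictors on the Intune portal." carries a typo ("indicators") over into the new `:::image` element; fix it while the markup is being converted.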
@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
``` ```console
diskpart diskpart
list volume list volume
``` ```
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd ```console
reagentc /info reagentc /info
``` ```
The output of this command resembles the following. The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png) ![Output of the reagentc /info command.](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it: If the **Windows RE status** is not **Enabled**, run the following command to enable it:
```cmd ```console
reagentc /enable reagentc /enable
``` ```
@ -135,13 +137,13 @@ reagentc /enable
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```cmd ```console
bcdedit /enum all bcdedit /enum all
``` ```
The output of this command resembles the following. The output of this command resembles the following.
![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) :::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B
To verify the BIOS mode, use the System Information app. To do this, follow these steps: To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE] > [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
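Review bot: with the steps switched to `1.` auto-numbering, the screenshot between the **BIOS Mode** check and the "If the **BIOS Mode** setting is **Legacy**" step has to be indented under its list item; an unindented image ends the list and the following `1.` renders as a fresh list starting at 1. Indentation is not visible in this view, so please verify it here and in the matching Secure Boot list (the two `System Information app` screenshots) in the same file.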
@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd ```console
Manage-bde -protectors -get %systemdrive% Manage-bde -protectors -get %systemdrive%
``` ```
@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc
To verify the Secure Boot state, use the System Information app. To do this, follow these steps: To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows: 1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE] > [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
>
> ```ps > ```ps
> PS C:\> Confirm-SecureBootUEFI > PS C:\> Confirm-SecureBootUEFI
> ``` > ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
> >
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
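Review bot: the fence inside the note is left as `> ```ps` while this PR changes every other PowerShell fence to ```` ```powershell ```` (the Suspend-BitLocker and Resume-BitLocker blocks); change it to `> ```powershell` so highlighting is consistent. The block also carries the `PS C:\>` prompt; since the sentence before it already says to open an elevated PowerShell window, dropping the prompt lets readers copy `Confirm-SecureBootUEFI` directly.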

View File

@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd ```console
manage-bde -protectors -adbackup C: manage-bde -protectors -adbackup C:
``` ```
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
```cmd ```console
Manage-bde -forcerecovery Manage-bde -forcerecovery
``` ```
@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows.
To resolve the restart loop, follow these steps: To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**. 1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands :
```cmd 1. In the Command Prompt window, run the following commands:
```console
manage-bde unlock C: -rp <48-digit BitLocker recovery password> manage-bde unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C: manage-bde -protectors -disable C:
``` ```
1. Close the Command Prompt window. 1. Close the Command Prompt window.
1. Shut down the device. 1. Shut down the device.
1. Start the device. Windows should start as usual. 1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
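Review bot: the first command in the restart-loop steps, `manage-bde unlock C: -rp <48-digit BitLocker recovery password>`, is missing the hyphen on `unlock` and will not run as written; every other hunk in this file uses `manage-bde -unlock ...`. Since the block is being touched anyway, change it to `manage-bde -unlock C: -rp <48-digit BitLocker recovery password>`.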
@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On,
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
```cmd ```console
manage-bde.exe -protectors -get <OSDriveLetter>: manage-bde.exe -protectors -get <OSDriveLetter>:
``` ```
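Review bot: the typo "open and elevated Command Prompt window" in the sentence introducing this fence survives the change; make it "open an elevated Command Prompt window" while the block is being edited.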
@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if
To do this, follow these steps: To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device. 1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items: 1. When you are prompted, select the following items:
1. Your operating system language. 1. Your operating system language.
1. Your keyboard layout. 1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands: 1. In the Command Prompt window, run the following commands:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>: manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>: manage-bde -protectors -disable <DriveLetter>:
``` ```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE] > [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer. 1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE] > [!NOTE]
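Review bot: in the sentence after the fence, `\<*Password*\>` escapes both angle brackets but `\<*DriveLetter*>` leaves the closing one unescaped, so the two placeholders may render differently; use `\<*DriveLetter*\>`. The same mismatch appears in the Step 2 hunk below.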
@ -155,11 +175,15 @@ To do this, follow these steps:
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command: 1. At the command prompt, run the following command:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>: manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
``` ```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE] > [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
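Review bot: "For more information about the these commands" in the trailing note has a doubled article; change it to "about these commands". The `\<*DriveLetter*>` placeholder in this hunk has the same unescaped closing bracket noted for Step 1.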
@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t
To enable Secure Boot on a Surface device, follow these steps: To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
In this command, <*DriveLetter*> is the letter that is assigned to your drive. In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device. 1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet: 1. Open an elevated PowerShell window, and run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
``` ```
To reset the PCR settings on the TPM, follow these steps: To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
where <*DriveLetter*> is the letter assigned to your drive. where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet: 1. Run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
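Review bot: step 1 of the Secure Boot list reads "Suspend BitLocker. to do this," with a lowercase sentence start, while the parallel step in the PCR-reset list is correctly capitalized ("Suspend BitLocker. To do this,"); capitalize it. Adding the missing closing fence after the final `Resume-BitLocker` block is a good catch, since without it the Step 4 heading would have been swallowed into the code block.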
@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f
To suspend BitLocker while you install TPM or UEFI firmware updates: To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet: 1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates. 1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
``` ```
@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands: 1. In the Command Prompt window, run the following commands:
```cmd
```console
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group> Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c: Manage-bde -protectors -disable c:
exit exit
``` ```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE] > [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start. 1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command: 1. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -enable c: Manage-bde -protectors -enable c:
``` ```
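Review bot: step 3 says "If your device starts in the (WinRE)", leaving a stray parenthesized abbreviation; the intro already expanded Windows Recovery Environment (WinRE), so "starts in WinRE" reads correctly. The note also discusses the **-rc 1** option although the commands above it run `Manage-bde -protectors -disable c:` without it; a lead such as "The **-rc 1** option is not used here because it works only inside the operating system" would make clear why the option is absent.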
@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
```cmd ```console
Manage-bde -protectors -disable c: -rc 1 Manage-bde -protectors -disable c: -rc 1
``` ```