This commit is contained in:
Teresa-Motiv
2019-10-03 13:58:16 -07:00
parent eef4642c12
commit 4c1585b7ba
8 changed files with 45 additions and 125 deletions

View File

@ -26,14 +26,14 @@
### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### Troubleshoot BitLocker ### Troubleshoot BitLocker
#### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md) #### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md)
#### [BitLocker cannot encrypt a drive--known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md) #### [BitLocker cannot encrypt a drive: known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md)
#### [Enforcing BitLocker policies by using Intune--known issues](bitlocker\ts-bitlocker-intune-issues.md) #### [Enforcing BitLocker policies by using Intune: known issues](bitlocker\ts-bitlocker-intune-issues.md)
#### [BitLocker Network Unlock--known issues](bitlocker\ts-bitlocker-network-unlock-issues.md) #### [BitLocker Network Unlock: known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)
#### [BitLocker recovery--known issues](bitlocker\ts-bitlocker-recovery-issues.md) #### [BitLocker recovery: known issues](bitlocker\ts-bitlocker-recovery-issues.md)
#### [BitLocker configuration--known issues](bitlocker\ts-bitlocker-config-issues.md) #### [BitLocker configuration: known issues](bitlocker\ts-bitlocker-config-issues.md)
#### Troubleshoot BitLocker and TPM issues #### Troubleshoot BitLocker and TPM issues
##### [BitLocker cannot encrypt a drive--known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md) ##### [BitLocker cannot encrypt a drive: known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md)
##### [BitLocker and TPM--other known issues](bitlocker\ts-bitlocker-tpm-issues.md) ##### [BitLocker and TPM: other known issues](bitlocker\ts-bitlocker-tpm-issues.md)
##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md) ##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md)
## [Encrypted Hard Drive](encrypted-hard-drive.md) ## [Encrypted Hard Drive](encrypted-hard-drive.md)

View File

@ -11,22 +11,17 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 10/3/2019
--- ---
# BitLocker cannot encrypt a drive—known issues # BitLocker cannot encrypt a drive: known issues
The following list describes common issues that can occur that prevent BitLocker from encrypting a drive, linked to guidance for addressing the issues. This article describes common issues that can occur that prevent BitLocker from encrypting a drive, and provides guidance for addressing those issues.
> [!NOTE] > [!NOTE]
> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive--known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). > If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive--known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
<a id="list"></a> ## Error 0x80310059 when you turn on BitLocker encryption on Windows 10 Professional
- [Error 0x80310059 when you turn on BitLocker encryption on Windows 10 Professional](#scenario-1)
- ["Access is denied" message when you try to encrypt removable drives](#scenario-2)
## <a id="scenario-1"></a>Error 0x80310059 when you turn on BitLocker encryption on Windows 10 Professional
When you turn on BitLocker encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following: When you turn on BitLocker encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
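Review bot: the NOTE callout still links with the old text "BitLocker cannot encrypt a drive--known TPM issues" while the H1 it points to is renamed to "BitLocker cannot encrypt a drive: known TPM issues" elsewhere in this same commit; update the link text to the colon form so the two pages agree. The new intro "common issues that can occur that prevent BitLocker from encrypting a drive" stacks two relative clauses; "common issues that prevent BitLocker from encrypting a drive" says the same thing. Also, dropping the `<a id="scenario-1">` and `<a id="scenario-2">` anchors changes the fragment URLs for these sections, so any inbound link to `#scenario-1` or `#scenario-2` will now land at the top of the page; check for such links before merging.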
@ -52,9 +47,7 @@ To resolve this issue, follow these steps:
1. Exit Registry Editor, and turn on BitLocker encryption again. 1. Exit Registry Editor, and turn on BitLocker encryption again.
[Back to list](#list) ## "Access is denied" message when you try to encrypt removable drives
## <a id="scenario-2"></a>"Access is denied" message when you try to encrypt removable drives
You have a computer that is running Windows 10, version 1607 or version 1709. You have a computer that is running Windows 10, version 1607 or version 1709.
@ -108,5 +101,3 @@ To verify that this issue has occurred, follow these steps:
1. Restart the computer. 1. Restart the computer.
The issue should now be resolved. The issue should now be resolved.
[Back to list](#list)

View File

@ -11,24 +11,17 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 10/3/2019
--- ---
# BitLocker cannot encrypt a drive&mdash;known TPM issues # BitLocker cannot encrypt a drive: known TPM issues
The following list describes common issues that can involve the Trusted Platform Module (TPM) that prevent BitLocker from encrypting a drive, linked to guidance for addressing the issues. This article describes common issues that can involve the Trusted Platform Module (TPM) that prevent BitLocker from encrypting a drive, and provides guidance for addressing those issues.
> [!NOTE] > [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive--known issues](ts-bitlocker-cannot-encrypt-issues.md). > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
<a id="list"></a> ## TPM is locked, message "The TPM is defending against dictionary attacks and is in a time-out period"
- [TPM is locked, message "The TPM is defending against dictionary attacks and is in a time-out period"](#scenario-1)
- [Cannot prepare the TPM, message "The TPM is defending against dictionary attacks and is in a time-out period"](#scenario-2)
- [Cannot prepare the TPM, error 0x80070005 "Insufficient Rights"](#scenario-3)
- [Cannot prepare the TPM, error 0x80072030 "There is no such object on the server"](#scenario-4)
## <a id="scenario-1"></a>TPM is locked, message "The TPM is defending against dictionary attacks and is in a time-out period"
Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." Unable to enable BitLocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period."
@ -40,7 +33,7 @@ TPM Lockout
open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure BitLocker (we use some scripts, but the GUI is also ok J) open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure BitLocker (we use some scripts, but the GUI is also ok J)
## <a id="scenario-2"></a>Cannot prepare the TPM, getting message "The TPM is defending against dictionary attacks and is in a time-out period" ## Cannot prepare the TPM, getting message "The TPM is defending against dictionary attacks and is in a time-out period"
[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/help/4327939) [PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/help/4327939)
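Review bot: the resolution on the "TPM Lockout" context line is one run-on line that mixes prose steps with PowerShell ("open Powershell as Admin $Tpm = Get-WmiObject ... - Reboot - if prompted at boot screen agree with F12 ..."); split it into numbered steps, put the commands in a fenced `powershell` block, and delete the trailing "J", which is a Wingdings smiley left over from an email. More importantly, `$Tpm.SetPhysicalPresenceRequest(22)` requests the Physical Presence Interface operation that includes a TPM clear, which discards every TPM-sealed key on the machine; the text needs a warning to suspend BitLocker (or at least confirm the recovery key is backed up) on any volume that is already encrypted before running this, and should say that the F12 prompt at boot is the physical-presence confirmation for that clear. The `if ($ConfirmationStatus -ne 4)` guard also reads oddly: status 4 means the operation is allowed without user confirmation, so the request is skipped in exactly the case where it would go through silently; confirm the intended condition. The "[PTSMEDEP\PRE\W8.1\...]" reference on the last line is an internal case-routing title with an internal.support.services.microsoft.com URL that the ITPro audience cannot open; replace it with a public article or drop it.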
@ -53,9 +46,7 @@ Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker
When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we received the error "The TPM is defending against dictionary attacks and is in a time-out period." We rebooted into BIOS, disabled TPM and when we booted into OS, the tpm.msc showed “Compatible Trusted Platform Module (TPM) cannot be found on this computer. verify that this computer has 1.2 TPM and its is turned on in the BIOS “ We then booted into BIOS, enabled the TPM and then we found that it required us to clear the existing TPM keys and rebooted. Now, we were able to successfully prepare the TPM and the TPM state was “ready for use”. Now, we started the encryption on OS drive with TPM protector and the encryption was successful. When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we received the error "The TPM is defending against dictionary attacks and is in a time-out period." We rebooted into BIOS, disabled TPM and when we booted into OS, the tpm.msc showed “Compatible Trusted Platform Module (TPM) cannot be found on this computer. verify that this computer has 1.2 TPM and its is turned on in the BIOS “ We then booted into BIOS, enabled the TPM and then we found that it required us to clear the existing TPM keys and rebooted. Now, we were able to successfully prepare the TPM and the TPM state was “ready for use”. Now, we started the encryption on OS drive with TPM protector and the encryption was successful.
[Back to list](#list) ## Cannot prepare the TPM, error 0x80070005 "Insufficient Rights"
## <a id="scenario-3"></a>Cannot prepare the TPM, error 0x80070005 "Insufficient Rights"
Unable to backup TPM Information to ADDS. Unable to backup TPM Information to ADDS.
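Review bot: the "Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker" text in the hunk header and the first-person case narrative in the context line ("When we tried to Prepare the TPM ... We rebooted into BIOS ...") are support-case notes, not documentation; rewrite the section as Symptom, Cause and Resolution with numbered steps (disable the TPM in firmware, boot to Windows, re-enable the TPM, clear it when prompted, then prepare it in tpm.msc). Copy the tpm.msc message exactly rather than "verify that this computer has 1.2 TPM and its is turned on", which has a typo and a garbled article. The procedure clears the TPM, so it should state that this must be done before the OS drive is encrypted with a TPM protector, as the narrative itself implies. "Unable to backup TPM Information to ADDS" should read "Unable to back up TPM information to AD DS".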
@ -77,9 +68,7 @@ Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,m
Reference: [https://internal.support.services.microsoft.com/help/4337282](https://internal.support.services.microsoft.com/help/4337282) Reference: [https://internal.support.services.microsoft.com/help/4337282](https://internal.support.services.microsoft.com/help/4337282)
[Back to list](#list) ## Cannot prepare the TPM, Error 0x80072030 "There is no such object on the server"
## <a id="scenario-4"></a>Cannot prepare the TPM, Error 0x80072030 "There is no such object on the server"
Reference: [https://internal.support.services.microsoft.com/help/4319021](https://internal.support.services.microsoft.com/help/4319021) Reference: [https://internal.support.services.microsoft.com/help/4319021](https://internal.support.services.microsoft.com/help/4319021)
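Review bot: the `Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,m` context in the hunk header has `1.` where the property name belongs, which looks like an auto-numbering artifact that replaced the real argument; as printed the command will not run, so restore the intended property name. Both "Reference:" lines in this and the preceding hunk point at internal.support.services.microsoft.com, which is unreachable for the page's audience; link the public support.microsoft.com equivalents if they exist, otherwise drop the references.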
@ -105,6 +94,3 @@ We noticed that he had not added the self-write permissions for the computer obj
- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds) - [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies) - [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
[Back to list](#list)
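Review bot: the hunk header context "We noticed that he had not added the self-write permissions for the computer object" is case narrative about a specific customer; rewrite it as a neutral cause statement ("The computer object lacked the Self write permission on the TPM information attribute") so the section reads as a known issue rather than a ticket transcript.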

View File

@ -14,17 +14,11 @@ ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 9/27/2019
--- ---
# BitLocker configuration&mdash;known issues # BitLocker configuration: known issues
The following list describes common issues that involve your BitLocker configuration and BitLocker's general functionality, linked to guidance for addressing the issues. This article describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
<a id="list"></a> ## In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7
- [In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7](#scenario-1)
- [Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption](#scenario-2)
- [Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks](#scenario-3)
## <a id="scenario-1"></a>In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7
In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. this behavior reduces the chance of BitLocker affecting the computer's performance. In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. this behavior reduces the chance of BitLocker affecting the computer's performance.
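Review bot: ms.date stays at 9/27/2019 in this file while the other files touched by this commit are bumped to 10/3/2019; update it for consistency. On the last context line, "this behavior reduces the chance of BitLocker affecting the computer's performance" starts with a lowercase letter after a full stop; either capitalize "This" or join it to the preceding sentence as ", which reduces the chance ...".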
@ -65,9 +59,7 @@ After Windows 7 was released, several other areas of BitLocker were improved:
- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology. - **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
[Back to list](#list) ## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
## <a id="scenario-2"></a>Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
1. You turn on BitLocker on a generation-2 virtual machine that runs on Hyper-V. 1. You turn on BitLocker on a generation-2 virtual machine that runs on Hyper-V.
1. You add data to the data disk as it encrypts. 1. You add data to the data disk as it encrypts.
@ -86,9 +78,7 @@ To resolve this issue, remove the third-party software.
{Note to reviewers: the original text says "We uninstalled the 3rd party Storage craft software and could fix the issue." This section needs to include *how* to fix the issue. Does the VM recognize the drive as soon as the 3rd-party app is gone? Do you have to restore the drive from a backup, then re-encrypt it?} {Note to reviewers: the original text says "We uninstalled the 3rd party Storage craft software and could fix the issue." This section needs to include *how* to fix the issue. Does the VM recognize the drive as soon as the 3rd-party app is gone? Do you have to restore the drive from a backup, then re-encrypt it?}
[Back to list](#list) ## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
## <a id="scenario-3"></a>Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting virtual machines (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup. You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting virtual machines (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
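Review bot: the "{Note to reviewers: the original text says ... Does the VM recognize the drive as soon as the 3rd-party app is gone? ...}" placeholder on the context line is an unresolved author query and will be published verbatim; the Hyper-V Gen 2 section needs the actual recovery steps (whether the data disk is accessible once the third-party software is removed, or has to be restored from backup and re-encrypted) before this page ships, or the section should be held back. Separately, "Volume Snap-Shot (VSS) service" should be "Volume Shadow Copy Service (VSS)", and "a Windows Server 2019 or 2016 Hyper-V Server" reads better as "a Hyper-V host that runs Windows Server 2016 or 2019".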
@ -188,5 +178,3 @@ The operation produces the following callstack:
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\] 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\] 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
``` ```
[Back to list](#list)
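Review bot: the call-stack lines inside the fenced block carry Markdown escapes (`00000086\`b357ccc0`, `VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard`, `\[d:\\rs1\\base\\...\]`); inside a code fence those backslashes render literally and corrupt the frame addresses and source paths, so they should be removed there.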

View File

@ -14,7 +14,7 @@ ms.topic: troubleshooting
ms.date: 10/2/2019 ms.date: 10/2/2019
--- ---
# Enforcing BitLocker policies by using Intune&mdash;known issues # Enforcing BitLocker policies by using Intune: known issues
This article provides assistance for issues you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates if BitLocker has failed to encrypt on or more managed devices. This article provides assistance for issues you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates if BitLocker has failed to encrypt on or more managed devices.
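Review bot: "The Intune portal indicates if BitLocker has failed to encrypt on or more managed devices" on the context line should read "one or more managed devices"; "if you use Microsoft Intune policy" also wants an article ("a Microsoft Intune policy").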
@ -22,8 +22,6 @@ This article provides assistance for issues you may see if you use Microsoft Int
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about resolving the following events and error messages: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about resolving the following events and error messages:
<a id="list"></a>
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1) - [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1)
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2) - [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2)
- [Event ID 854: WinRE not configured](#issue-3) - [Event ID 854: WinRE not configured](#issue-3)
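Review bot: this file keeps its in-page list of `#issue-N` links and only drops the `<a id="list"></a>` target, while the other files in this commit remove their lists entirely; that is a reasonable choice for a page of this length, but state it in the commit message so the two patterns do not look like an oversight, and confirm the `issue-1` through `issue-3` anchors still exist in the headings now that the list no longer has a return target.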
@ -307,5 +305,3 @@ Registry path to verify the BitLocker policy as delivered to the device: **HKEY\
![](./images/4509206_en_1.png) ![](./images/4509206_en_1.png)
The registry path **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** will contain all the policy as received/enforced by the MDM The registry path **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** will contain all the policy as received/enforced by the MDM
[Back to list](#list)
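Review bot: the image `![](./images/4509206_en_1.png)` has empty alt text; add a description of what it shows (the PolicyManager registry key in Registry Editor) for accessibility. The sentence "will contain all the policy as received/enforced by the MDM" lacks a terminal period and reads better as "contains every policy that the MDM delivered and enforced on the device."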

View File

@ -13,26 +13,20 @@ ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 9/27/2019
--- ---
# BitLocker Network Unlock--known issues # BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN for each computer when it starts up. Your environment must have the following configuration: By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN for each computer when it starts up. Your environment must have the following configuration:
- The computers must belong to a domain - The computers must belong to a domain
- The computers must have a wired connection to the corporate network - The computers must have a wired connection to the corporate network
- The corporate network must use DHCP to manage IP addresses - The corporate network must use DHCP to manage IP addresses
- Each computer must have a DHCP drive rimplemented in its UEFI firmware - Each computer must have a DHCP driver implemented in its UEFI firmware
For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock) For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)
This article describes several known issues that you may encounter while using Network Unlock: This article describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
<a id="list"></a> ## Surface: BitLocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack
- [Surface: BitLocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack](#scenario-1)
- [Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer](#scenario-2)
- [Unable to use BitLocker Network Unlock feature on Windows client computer](#scenario-4)
## <a id="scenario-1"></a>Surface: BitLocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack
BitLocker Network unlock was configured as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). BitLocker Network unlock was configured as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock).
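Review bot: the rewritten intro introduces a new typo, "and provided guidance for addressing those issues" should be "and provides guidance"; fix before merge. The "DHCP drive rimplemented" to "DHCP driver implemented" correction is good. The new H2 "Surface: BitLocker Network unlock does not work on Surface Pro 4 device" spells the feature "Network unlock" while the page title and the other headings use "Network Unlock"; make it consistent and add "a" before "Surface Pro 4 device". The removed list also skipped from scenario-2 to scenario-4, so dropping the anchors removes that numbering gap, but any inbound link to `#scenario-4` now breaks.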
@ -50,9 +44,7 @@ SEMM is required to enable the network stack, it is not visible in the UI. Other
For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm) For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm)
[Back to list](#list) ## Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer
## <a id="scenario-2"></a>Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer
Applies for both x64 and x32 UEFI systems. Applies for both x64 and x32 UEFI systems.
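Review bot: "Applies for both x64 and x32 UEFI systems" on the context line should be "Applies to both x64 and x86 (32-bit) UEFI systems"; "x32" is not a recognized architecture name.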
@ -62,9 +54,7 @@ Detect the following values:
- A Network Unlock protector (key protector of type **TpmCertificate (9)**) exists on the boot volume - A Network Unlock protector (key protector of type **TpmCertificate (9)**) exists on the boot volume
- A registry entry exists in the **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** subkey that matches the name of the certificate thumbprint of the Network Unlock protector - A registry entry exists in the **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** subkey that matches the name of the certificate thumbprint of the Network Unlock protector
[Back to list](#list) ## Unable to use BitLocker Network Unlock feature on Windows client computer
## <a id="scenario-4"></a>Unable to use BitLocker Network Unlock feature on Windows client computer
From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature](https://internal.support.services.microsoft.com/help/2891694/a-windows-8-based-client-computer-does-not-use-the-bitlocker-network-u) From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature](https://internal.support.services.microsoft.com/help/2891694/a-windows-8-based-client-computer-does-not-use-the-bitlocker-network-u)
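Review bot: the "From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature]" line links to internal.support.services.microsoft.com/help/2891694, which public readers cannot open; if the article is published on support.microsoft.com, link that host, otherwise fold the relevant content into this section and drop the link.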
@ -92,5 +82,3 @@ If a DHCP server that is not configured to support BOOTP clients receives a BOOT
### Resolution ### Resolution
To resolve this issue, turn off the BOOTP option on the DHCP server, log on to the DHCP server, and then change the DHCP option from DHCP and BOOTP to DHCP To resolve this issue, turn off the BOOTP option on the DHCP server, log on to the DHCP server, and then change the DHCP option from DHCP and BOOTP to DHCP
[Back to list](#list)
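Review bot: the Resolution step order on the context line is reversed and repeats itself: "turn off the BOOTP option on the DHCP server, log on to the DHCP server, and then change the DHCP option from DHCP and BOOTP to DHCP" tells the reader to log on after making the change, and the first and third clauses describe the same action. Suggest "Log on to the DHCP server and change the scope's option from 'DHCP and BOOTP' to 'DHCP'." with a terminal period.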

View File

@ -11,23 +11,14 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 10/3/2019
--- ---
# BitLocker recovery&mdash;known issues # BitLocker recovery: known issues
The following list describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The list provides links to guidance for addressing the issues. This article describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
<a id="list"></a> ## Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key
- [Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key](#scenario-1)
- [The recovery key for a laptop was not backed up, and the laptop is locked](#scenario-2)
- [Tablet devices do not support **Manage-bde -forcerecovery** to test recovery mode](#scenario-3)
- [Surface: After you install updates to Surface UEFI or TPM firmware, BitLocker prompts for the recovery key](#scenario-4)
- [Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000](#scenario-5)
- [Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000](#scenario-6)
## <a id="scenario-1"></a>Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key
Windows 10 prompts you for a BitLocker recovery key. However, you have not configured a BitLocker recovery key. Windows 10 prompts you for a BitLocker recovery key. However, you have not configured a BitLocker recovery key.
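Review bot: the new intro "common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly" has the same doubled relative clause as the other files and an unbalanced second half; suggest "common issues that prevent BitLocker from behaving as expected when you recover a drive, or that cause BitLocker to start recovery unexpectedly". The removed list item for `Manage-bde -forcerecovery` was bold, and the new H2 drops the formatting; use code font for the command in the heading instead.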
@ -38,17 +29,13 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses two sit
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) - [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup) - [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
[Back to list](#list) ## The recovery key for a laptop was not backed up, and the laptop is locked
## <a id="scenario-2"></a>The recovery key for a laptop was not backed up, and the laptop is locked
We have a Windows 10 Home laptop which is being used by one onsite engineers. He is in California and spilled Coffee in his laptop on Wednesday. The laptop will not work but the hard drive is good. When we hook it up to a docking station, it asks us for a bit locker encryption key to access the drive. Whomever used the laptop before must have turned on bit locker. We have no way of knowing the bit locker password. We need the data in My Documents. It is a SSD drive and is in good condition. We have a Windows 10 Home laptop which is being used by one onsite engineers. He is in California and spilled Coffee in his laptop on Wednesday. The laptop will not work but the hard drive is good. When we hook it up to a docking station, it asks us for a bit locker encryption key to access the drive. Whomever used the laptop before must have turned on bit locker. We have no way of knowing the bit locker password. We need the data in My Documents. It is a SSD drive and is in good condition.
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
[Back to list](#list) ## Tablet devices do not support Manage-bde -forcerecovery to test recovery mode
## <a id="scenario-3"></a>Tablet devices do not support Manage-bde -forcerecovery to test recovery mode
Reference: <https://internal.support.services.microsoft.com/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m> Reference: <https://internal.support.services.microsoft.com/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m>
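Review bot: the "We have a Windows 10 Home laptop which is being used by one onsite engineers. He is in California and spilled Coffee ..." paragraph on the context line is the customer's verbatim case text and should be rewritten as a neutral symptom ("A Windows 10 Home device fails; when its drive is attached to another computer, it prompts for a BitLocker recovery key that was never backed up"). The resolution that follows describes backing up recovery information to AD DS with `manage-bde -protectors -adbackup C:`, which does not apply to the scenario as stated: Windows 10 Home cannot be domain-joined, and the drive is already locked. For a Home device the only usual backup location is the user's Microsoft account; if no backup exists anywhere, the section should say plainly that the data cannot be recovered. The "Reference: <https://internal.support.services.microsoft.com/help/3119451/...>" line is an internal URL and needs a public replacement or removal.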
@ -87,9 +74,7 @@ To resolve this issue, follow these steps:
1. Shut down the device. 1. Shut down the device.
When you restart the device, Windows should start. When you restart the device, Windows should start.
[Back to list](#list) ## Surface: After you install updates to Surface UEFI or TPM firmware, BitLocker prompts for the recovery key
## <a id="scenario-4"></a>Surface: After you install updates to Surface UEFI or TPM firmware, BitLocker prompts for the recovery key
Reference: <https://internal.support.services.microsoft.com/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update> Reference: <https://internal.support.services.microsoft.com/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update>
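Review bot: the "Reference: <https://internal.support.services.microsoft.com/help/4057282/...>" line points at the internal support host; KB 4057282 is a Surface firmware article that readers would expect on support.microsoft.com, so swap the host if it is published there or remove the line.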
@ -213,9 +198,7 @@ To recover data from your Surface device if you are unable to boot into Windows:
To reset your device by using a Surface recovery image: Follow the instructions in  "How to reset your Surface using your USB recovery drive" at [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512). To reset your device by using a Surface recovery image: Follow the instructions in  "How to reset your Surface using your USB recovery drive" at [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).
[Back to list](#list) ## Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000
## <a id="scenario-5"></a>Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000
Reference: <https://internal.support.services.microsoft.com/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi> Reference: <https://internal.support.services.microsoft.com/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi>
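Review bot: the context line `Follow the instructions in  "How to reset your Surface using your USB recovery drive"` carries a non-breaking space after `in` and capitalises `Follow` mid-sentence after the colon; normalise the whitespace and lowercase it while this file is being edited.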
@ -259,9 +242,7 @@ This issue is now resolved for all platforms in the following updates:
- [KB4507450](https://internal.support.services.microsoft.com/help/4507450) LCU for Windows 10, version 1703. - [KB4507450](https://internal.support.services.microsoft.com/help/4507450) LCU for Windows 10, version 1703.
- [KB4507460](https://internal.support.services.microsoft.com/help/4507460) LCU for Windows 10, version 1607 and Windows Server 2016. - [KB4507460](https://internal.support.services.microsoft.com/help/4507460) LCU for Windows 10, version 1607 and Windows Server 2016.
[Back to list](#list) ## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000
## <a id="scenario-6"></a> Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000
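Review bot: the new heading `## Hyper-V: After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery key and gives error 0xC0210000` drops the hyphen in the second `Hyper V`; write `Hyper-V-enabled` to match the first occurrence. The fix list in the context lines, `[KB4507450](https://internal.support.services.microsoft.com/help/4507450)` and `[KB4507460](https://internal.support.services.microsoft.com/help/4507460)`, is the part a customer seeing 0xC0210000 needs most, and both go to the internal host; these should be public support.microsoft.com links.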
Windows 10 1809 with Virtualization Based Security enabled (Credential Guard/Device Guard) on TPM 1.2 causing bitlocker recovery on every reboot with : "error code 0xc0210000" Windows 10 1809 with Virtualization Based Security enabled (Credential Guard/Device Guard) on TPM 1.2 causing bitlocker recovery on every reboot with : "error code 0xc0210000"
@ -278,5 +259,3 @@ TPM 1.2 is not supported for use with “SecureLaunch” and this is well docume
Once you will disable the secure Launch in policy on devices with TPM 1.2, it will fix the issue. Once you will disable the secure Launch in policy on devices with TPM 1.2, it will fix the issue.
![](./images/4496674_en_1.png) ![](./images/4496674_en_1.png)
[Back to list](#list)
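Review bot: the body of this scenario still reads as a raw case note: `Windows 10 1809 with Virtualization Based Security enabled (Credential Guard/Device Guard) on TPM 1.2 causing bitlocker recovery on every reboot with : "error code 0xc0210000"` is a sentence fragment with inconsistent casing of BitLocker and the error code, and `Once you will disable the secure Launch in policy on devices with TPM 1.2, it will fix the issue.` needs rewording (for example: disabling Secure Launch in policy on devices with TPM 1.2 resolves the issue). Use one spelling for the feature name throughout (the context line has both “SecureLaunch” and `secure Launch`), and give `![](./images/4496674_en_1.png)` alt text that says what the screenshot shows, since the image currently has none.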

View File

@ -11,20 +11,14 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 9/27/2019 ms.date: 10/3/2019
--- ---
# BitLocker and TPM&mdash;other known issues # BitLocker and TPM: other known issues
[Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm) [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
<a id="list"></a> ## Azure AD: Windows Hello for Business and single sign-on do not work
- [Azure AD: Windows Hello for Business and single sign-on do not work](#scenario-1)
- [Loading the management console failed. The device that is required by the cryptographic provider is not ready for use](#scenario-2)
- [Azure AD-joined devices fail because of a TPM issue](#scenario-3)
## <a id="scenario-1"></a>Azure AD: Windows Hello for Business and single sign-on do not work
Not able to acquire a PRT can lead to various issues Not able to acquire a PRT can lead to various issues
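Review bot: removing the in-page list together with the `<a id="scenario-N">` anchors leaves no navigation to the second scenario, `[Loading the management console failed. The device that is required by the cryptographic provider is not ready for use](#scenario-2)`, whose heading is not touched by this diff; confirm it is still a `##` heading at the same level so the generated TOC picks it up, and that no other page links to `#list` or `#scenario-2`. Two smaller points in the same hunk: the link text `[Troubleshoot the TPM](.../tpm/initialize-and-configure-ownership-of-the-tpm)` does not match the page it targets, and the first body line `Not able to acquire a PRT can lead to various issues` is an unfinished sentence that should expand PRT (Primary Refresh Token) on first use.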
@ -93,7 +87,7 @@ Hardware/firmware issues within TPM.
Recommended action plan: After consulting with the TPM feature team, We advised you to test this out on a different device of the same model. Apart from that we also suggested you to switch the TPM operation mode to Spec v1.2 to v2.0 and check if the issue continues to occur.Current status: As of now, you have reached out to {Namepii} to get the mainboard on the device replaced by 18th August. Post that you will be changing the operation mode of TPM to 2.0 to see if that resolves the problem. Since we dont have any active troubleshooting plan we are closing this case temporarily for now and we will re-engage on 10 AM EST 26th Sept. to discuss this issue further. I will be sending you a meeting invite for the same. Recommended action plan: After consulting with the TPM feature team, We advised you to test this out on a different device of the same model. Apart from that we also suggested you to switch the TPM operation mode to Spec v1.2 to v2.0 and check if the issue continues to occur.Current status: As of now, you have reached out to {Namepii} to get the mainboard on the device replaced by 18th August. Post that you will be changing the operation mode of TPM to 2.0 to see if that resolves the problem. Since we dont have any active troubleshooting plan we are closing this case temporarily for now and we will re-engage on 10 AM EST 26th Sept. to discuss this issue further. I will be sending you a meeting invite for the same.
## <a id="scenario-3"></a>Azure AD-joined devices fail because of a TPM issue ## Azure AD-joined devices fail because of a TPM issue
Reference: [https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) Reference: [https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
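Review bot: the context line beginning `Recommended action plan: After consulting with the TPM feature team, We advised you to test this out on a different device of the same model.` is a verbatim support-case transcript (second person, a `{Namepii}` placeholder, specific dates, "we are closing this case temporarily") and must not ship in a public document; rewrite it as neutral guidance: test on another device of the same model to rule out a hardware fault, and, if the firmware supports it, switch the TPM from spec 1.2 mode to 2.0 mode (the current text says "to Spec v1.2 to v2.0"). That step also needs the caveat a reader will hit in practice: changing the TPM spec mode clears the TPM, so suspend BitLocker and confirm the recovery key is backed up before doing it.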
@ -137,5 +131,3 @@ Reference: [https://internal.support.services.microsoft.com/help/4467030](https:
- **Reason:** TPM locked out. - **Reason:** TPM locked out.
- **Resolution:** Transient error. Wait for the cooldown period. Join attempt after some time should succeed. More Information can be found in the article [TPM fundamentals](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering) - **Resolution:** Transient error. Wait for the cooldown period. Join attempt after some time should succeed. More Information can be found in the article [TPM fundamentals](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
[Back to list](#list)
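Review bot: `Reference: [https://internal.support.services.microsoft.com/help/4467030]` has the same internal-host problem as the other Reference lines and should use the public KB URL. Removing this last `[Back to list](#list)` is consistent with dropping the `<a id="list">` anchor above, so no dangling `#list` links remain in this file.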