deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Remove troubleshooting articles from USMT and BitLocker 4

Browse Source
This commit is contained in:
Frank Rojas
2022-11-29 09:14:47 -05:00
parent 6c96649511
commit 4f27ef00a5
11 changed files with 58 additions and 1713 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
windows/security/TOC.yml
View File

@ -136,25 +136,25 @@
- name: Troubleshoot BitLocker
items:
- name: Troubleshoot BitLocker
href: information-protection/bitlocker/troubleshoot-bitlocker.md
href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- name: "BitLocker cannot encrypt a drive: known issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- name: "Enforcing BitLocker policies by using Intune: known issues"
href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- name: "BitLocker Network Unlock: known issues"
href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- name: "BitLocker recovery: known issues"
href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- name: "BitLocker configuration: known issues"
href: information-protection/bitlocker/ts-bitlocker-config-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- name: Troubleshoot BitLocker and TPM issues
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- name: "BitLocker and TPM: other known issues"
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview

152
windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
View File

@ -1,152 +0,0 @@
---
title: Guidelines for troubleshooting BitLocker
description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Guidelines for troubleshooting BitLocker
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier.
## Review the event logs
Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**:
- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **Microsoft-Windows-BitLocker-API/Management**
- **Microsoft-Windows-BitLocker-API/Operational**
- **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled
- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin**
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational**
Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources.
To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used.
For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
```cmd
wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
```
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command:
```powershell
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
```
The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
- To display BitLocker-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
- To export BitLocker-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
```
- To display TPM-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
```
- To export TPM-related information:
```powershell
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
> [!NOTE]
> When contacting Microsoft Support, it is recommended to export the logs listed in this section.
## Gather status information from the BitLocker technologies
Open an elevated Windows PowerShell window, and run each of the following commands:
|Command |Notes | More Info |
| --- | --- | --- |
|**`Get-Tpm > C:\TPM.txt`** |PowerShell cmdlet that exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet isn't supported in Windows 7. | [Get-Tpm](/powershell/module/trustedplatformmodule/get-tpm)|
|**`manage-bde.exe -status > C:\BDEStatus.txt`** |Exports information about the general encryption status of all drives on the computer. | [manage-bde.exe status](/windows-server/administration/windows-commands/manage-bde-status) |
|**`manage-bde.exe c: -protectors -get > C:\Protectors`** |Exports information about the protection methods that are used for the BitLocker encryption key. | [manage-bde.exe protectors](/windows-server/administration/windows-commands/manage-bde-protectors)|
|**`reagentc.exe /info > C:\reagent.txt`** |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | [reagentc.exe](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |
|**`Get-BitLockerVolume \| fl`** |PowerShell cmdlet that gets information about volumes that BitLocker Drive Encryption can protect. | [Get-BitLockerVolume](/powershell/module/bitlocker/get-bitlockervolume) |
## Review the configuration information
1. Open an elevated Command Prompt window, and run the following commands:
|Command |Notes | More Info |
| --- | --- | --- |
|**`gpresult.exe /h <Filename>`** |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | [gpresult.exe](/windows-server/administration/windows-commands/gpresult) |
|**`msinfo.exe /report <Path> /computer <ComputerName>`** |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |[msinfo.exe](/windows-server/administration/windows-commands/msinfo32) |
2. Open Registry Editor, and export the entries in the following subkeys:
- **`HKLM\SOFTWARE\Policies\Microsoft\FVE`**
- **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`**
## Check the BitLocker prerequisites
Common settings that can cause issues for BitLocker include the following scenarios:
- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM.
- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE.
- The system-reserved partition must use the correct format.
- On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
- On legacy computers, the system-reserved partition must be formatted as NTFS.
- If the device being troubleshot is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
## Next steps
If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate.
- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
It's recommended to keep the gathered information handy in case Microsoft Support is contacted for help with resolving the issue.

114
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -1,114 +0,0 @@
---
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known issues
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
### Cause of **Error 0x80310059**
This issue may be caused by settings that are controlled by group policy objects (GPOs).
### Resolution for **Error 0x80310059**
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
2. Delete the following entries:
- **`OSPlatformValidation_BIOS`**
- **`OSPlatformValidation_UEFI`**
- **`PlatformValidation`**
3. Exit registry editor, and turn on BitLocker drive encryption again.
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO WINDOWS 10 VERSIONS THAT BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## **Access is denied** message when attempting to encrypt removable drives
A computer is running Windows 10, version 1709 or version 1607. Encryption is attempted on a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
2. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
3. Follow the instructions on the page to enter a password.
4. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
5. The **Starting encryption** page displays the message **Access is denied.**
The message is received on any computer that runs Windows 10 version 1709 or version 1607, when any USB drive is used.
### Cause of **Access is denied** message
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
2. At the command prompt, enter the following command:
```console
C:\>sc sdshow bdesvc
```
The output of this command resembles the following output:
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
3. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
If `NT AUTHORITY\INTERACTIVE` is seen as highlighted in the output of this command, this line is the cause of the issue. Under typical conditions, the output should resemble the following output instead:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution for **Access is denied** message
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
2. Restart the computer.
The issue should now be resolved.
-->

157
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -1,157 +0,0 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed
It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message:
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of the TPM being locked
The TPM is locked out.
### Resolution for the TPM being locked
To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps:
1. Open an elevated PowerShell window and run the following script:
```powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM.
3. Sign on to Windows and retry starting BitLocker drive encryption.
> [!WARNING]
> Resetting and clearing the TPM can cause data loss.
## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`**
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of TPM failing to prepare
The TPM is locked out.
### Resolution for TPM failing to prepare
To resolve this issue, disable and re-enable the TPM with the following steps:
1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens.
2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens.
3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows.
4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed:
> **Compatible TPM cannot be found**
>
> **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.**
This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device.
5. Restart the device and enter the UEFI/BIOS configuration screens again.
6. Reenable the TPM in the UEFI/BIOS configuration screens.
7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows.
8. Once signed into Windows, return to the TPM management console.
If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**
The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**.
### Cause of **`Access Denied`** or **`Insufficient Rights`**
The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution for **`Access Denied`** or **`Insufficient Rights`**
To verify this issue is occurring, use one of the following two methods:
- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=<domain>,DC=com`** container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
In this command, *ComputerName* is the name of the affected computer.
2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**.
## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`**
Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled**
It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
### Cause of **0x80072030: There is no such object on the server**
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
### Resolution for **0x80072030: There is no such object on the server**
The issue can be resolved with the following steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
3. In the script, modify the value of **strPathToDomain** to the organization's domain name.
4. Open an elevated PowerShell window, and run the following command:
```cmd
cscript.exe <Path>\Add-TPMSelfWriteACE.vbs
```
In this command, \<*Path*> is the path to the script file.
For more information, see the following articles:
- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)

191
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -1,191 +0,0 @@
---
title: BitLocker configuration known issues
description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker configuration: known issues
This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10 and Windows 11
BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
### Benefits of using the new conversion model
By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial.
By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
### Other BitLocker enhancements
Several other areas of BitLocker were improved in versions of Windows released after Windows 7:
- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces:
- BitLocker Wizard
- manage-bde.exe
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup.
- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart.
- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption
Consider the following scenario:
1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V.
2. Data is added to the data disk as it encrypts.
3. The VM is restarted and the following behavior is observed:
- The system volume isn't encrypted.
- The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**.
- A message similar to the following message is displayed:
> **You need to format the disk in \<*drive_letter:*> drive before you can use it**
### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM.
### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
To resolve this issue, remove the third-party software.
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
Consider the following scenario:
A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup.
This issue occurs regardless of any of the following variations in the environment:
- How the domain controller volumes are unlocked.
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**:
> ID: 8229<br>
> Level: Warning<br>
> Source: VSS<br>
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.<br>
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.<br>
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:<br>
> PostSnapshot Event
>
> Context:<br>
> Execution Context: Writer<br>
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}<br>
> Writer Name: NTDS<br>
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}<br>
> Command Line: C:\\Windows\\system32\\lsass.exe<br>
>
> Process ID: 680
In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event:
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168<br>
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
>
> Additional Data<br>
> Error value (decimal): -1022<br>
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
> [!NOTE]
> The internal ID of this event may differ based on the operating system release version and patch level.
When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
```Error
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
State: [11] Failed
Last error: Non-retryable error
```
Additionally, the VMs can't be backed up until they're restarted.
### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system.
If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended.
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
### More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
```console
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
```
The operation produces the following call stack:
```console
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```

120
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -1,120 +0,0 @@
---
title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Decode Measured Boot logs to track PCR changes
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
By tracking changes in the PCRs, and identifying when they changed, insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the `C:\Windows\Logs\MeasuredBoot\` folder.
This article describes tools that can be used to decode these logs: `TBSLogGenerator.exe` and `PCPTool.exe`.
For more information about Measured Boot and PCRs, see the following articles:
- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation)
- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
## Use `TBSLogGenerator.exe` to decode Measured Boot logs
Use `TBSLogGenerator.exe` to decode Measured Boot logs that were collected from Windows. `TBSLogGenerator.exe` can be installed on the following systems:
- A computer that is running Windows Server 2016 or newer and that has a TPM enabled
- A Gen 2 virtual machine running on Hyper-V that is running Windows Server 2016 or newer and is using a virtual TPM.
To install the tool, follow these steps:
1. Download the Windows Hardware Lab Kit from [Windows Hardware Lab Kit](/windows-hardware/test/hlk/).
2. After downloading, run the installation file from the path where the install was downloaded to.
3. Accept the default installation path.
![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
4. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
5. Finish the installation.
To use `TBSLogGenerator.exe`, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**`C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb`**
This folder contains the `TBSLogGenerator.exe` file.
![Properties and location of the `TBSLogGenerator.exe` file.](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file:
```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
![Command Prompt window that shows an example of how to use `TBSLogGenerator.exe`.](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In this example, the file is **`0000000005-0000000000.txt`**. The file is located in the same folder as the original `.log` file.
![Windows Explorer window that shows the text file that `TBSLogGenerator.exe`produces.](./images/ts-tpm-5.png)
The content of this text file is similar to the following text:
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
## Use `PCPTool.exe` to decode Measured Boot logs
> [!NOTE]
> `PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used.
`PCPTool.exe` is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install `PCPTool.exe`, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command:
```cmd
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```
where the variables represent the following values:
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
The content of the XML file will be similar to the following XML:
:::image type="content" alt-text="Command Prompt window that shows an example of how to use `PCPTool.exe`." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::

366
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -1,366 +0,0 @@
---
title: Enforcing BitLocker policies by using Intune known issues
description: Provides assistance for issues that may be seen if Microsoft Intune policy is being used to manage silent BitLocker encryption on devices.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# Enforcing BitLocker policies by using Intune: known issues
This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the **Management** and **Operations** logs in the **Applications and Services logs** > **Microsoft** > **Windows** > **BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#event-id-853-error-a-compatible-trusted-platform-module-tpm-security-device-cannot-be-found-on-this-computer)
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#event-id-853-error-bitlocker-drive-encryption-detected-bootable-media-cd-or-dvd-in-the-computer)
- [Event ID 854: WinRE is not configured](#event-id-854-winre-is-not-configured)
- [Event ID 851: Contact manufacturer for BIOS upgrade](#event-id-851-contact-the-manufacturer-for-bios-upgrade-instructions)
- [Error message: The UEFI variable 'SecureBoot' could not be read](#error-message-the-uefi-variable-secureboot-could-not-be-read)
- [Event ID 846, 778, and 851: Error 0x80072f9a](#event-id-846-778-and-851-error-0x80072f9a)
- [Error message: There are conflicting group policy settings for recovery options on operating system drives](#error-message-there-are-conflicting-group-policy-settings-for-recovery-options-on-operating-system-drives)
If there's no clear trail of events or error messages to follow, other areas to investigate include the following areas:
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review BitLocker policy configuration](#review-bitlocker-policy-configuration)
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. The event information will be similar to the following event:
![Details of event ID 853 (A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer).](./images/4509190-en-1.png)
### Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
### Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
To resolve this issue, verify the following configurations:
- The TPM is enabled in the device BIOS.
- The TPM status in the TPM management console is similar to the following statuses:
- Ready (TPM 2.0)
- Initialized (TPM 1.2)
For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md).
## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
### Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
### Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
## Event ID 854: WinRE is not configured
The event information resembles the following error message:
> Failed to enable Silent Encryption. WinRe is not configured.
>
> Error: This PC cannot support device encryption because WinRE is not properly configured.
### Cause of Event ID 854: WinRE is not configured
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE isn't available on the device, provisioning stops.
### Resolution for Event ID 854: WinRE is not configured
This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps:
#### Step 1: Verify the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the **`Winre.wim`** file. The partition configuration resembles the following.
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
```cmd
diskpart.exe
list volume
```
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager):
![Windows image configuration in Microsoft Configuration Manager.](./images/configmgr-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd
reagentc.exe /info
```
The output of this command resembles the following.
![Output of the reagentc.exe /info command.](./images/4509193-en-1.png)
If the **Windows RE status** isn't **Enabled**, run the following command to enable it:
```cmd
reagentc.exe /enable
```
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:
```cmd
bcdedit.exe /enum all
```
The output of this command will be similar to the following output:
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
## Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The event information will be similar to the following error message:
> Failed to enable Silent Encryption.
>
> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
### Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.
### Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions
To verify the BIOS mode, use the System Information application by following these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
3. If the **BIOS Mode** setting is **Legacy**, the UEFI firmware needs to be switched to **UEFI** or **EFI** mode. The steps for switching to **UEFI** or **EFI** mode are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
## Error message: The UEFI variable 'SecureBoot' could not be read
An error message similar to the following error message is displayed:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
### Cause of Error message: The UEFI variable 'SecureBoot' could not be read
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
### Resolution for Error message: The UEFI variable 'SecureBoot' could not be read
This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:
#### Step 1: Verify the PCR validation profile of the TPM
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde.exe -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
![Output of the manage-bde command.](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot isn't turned on.
![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
#### 2: Verify the secure boot state
To verify the secure boot state, use the System Information application by following these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
2. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
3. If the **Secure Boot State** setting is **Unsupported**, Silent BitLocker Encryption can't be used on the device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE]
> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
>
> ```powershell
> Confirm-SecureBootUEFI
> ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
## Event ID 846, 778, and 851: Error 0x80072f9a
Consider the following scenario:
Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Azure Active Directory (Azure AD). As part of the policy configuration, the **Allow standard users to enable encryption during Azure AD Join** option has been selected.
The policy deployment fails and the failure generates the following events in Event Viewer in the **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker API** folder:
> Event ID:846
>
> Event:
> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
>
> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
> Error: Unknown HResult Error code: 0x80072f9a
> Event ID:778
>
> Event: The BitLocker volume C: was reverted to an unprotected state.
> Event ID: 851
>
> Event:
> Failed to enable Silent Encryption.
>
> Error: Unknown HResult Error code: 0x80072f9a.
These events refer to Error code 0x80072f9a.
### Cause of Event ID 846, 778, and 851: Error 0x80072f9a
These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
The issue affects Windows 10 version 1809.
### Resolution for Event ID 846, 778, and 851: Error 0x80072f9a
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## Error message: There are conflicting group policy settings for recovery options on operating system drives
An error message similar to the following error message is displayed:
> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
### Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives
To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, [Review BitLocker policy configuration](#review-bitlocker-policy-configuration).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
## Review BitLocker policy configuration
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
- [Policy CSP &ndash; BitLocker](/windows/client-management/mdm/policy-csp-bitlocker)
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
- [gpresult](/windows-server/administration/windows-commands/gpresult)
Intune offers the following enforcement types for BitLocker:
- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption.
If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. The settings for this policy should be similar to the following settings:
![Intune policy settings.](./images/4509186-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
Value Type: **Integer**
Value: **1** (1 = Require, 0 = Not Configured)
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
Value Type: **Integer**
Value: **0** (0 = Blocked, 1 = Allowed)
> [!NOTE]
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Warning for other disk encryption** setting is set to **Not configured**, the BitLocker drive encryption wizard has to be manually started.
If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard.
Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
- Be HSTI-compliant
- Support Modern Standby
- Use Windows 10 version 1803 or later
![Intune policy setting.](./images/4509188-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
Value Type: **Integer**
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when the following settings are set:
>
> - **RequireDeviceEncryption** to **1**
> - **AllowStandardUserEncryption** to **1**
> - **AllowWarningForOtherDiskEncryption** to **0**
>
> Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
It can also be determined whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`**
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device`**
![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)

105
windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
View File

@ -1,105 +0,0 @@
---
title: BitLocker Network Unlock known issues
description: Describes several known issues that may be encountered while using Network Unlock, and provided guidance for addressing those issues.
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: kaushika
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.custom: bitlocker
ms.date: 11/08/2022
---
# BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, computers can be managed remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, the environment needs to meet the following requirements:
- Each computer belongs to a domain.
- Each computer has a wired connection to the internal network.
- The internal network uses DHCP to manage IP addresses.
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
For general guidelines about how to troubleshoot BitLocker Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
This article describes several known issues that may be encountered when BitLocker Network Unlock is used and provides guidance to address these issues.
> [!TIP]
> BitLocker Network Unlock can be detected if it is enabled on a specific computer use the following steps on UEFI computers:
>
> 1. Open an elevated command prompt window and run the following command:
>
> ```cmd
> manage-bde.exe -protectors -get <Drive>
> ```
>
> For example:
>
> ```cmd
> manage-bde.exe -protectors -get C:
> ```
>
> If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
>
> 2. Start Registry Editor, and verify the following settings:
>
> 1. The following registry key exists and has the following value:
>
> - **Subkey**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`
> - **Type**: `REG_DWORD`
> - **Value**: `OSManageNKP` equal to `1` (True)
>
> 2. The registry key:
>
> `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates`
>
> has an entry whose name matches the name of the certificate thumbprint of the BitLocker Network Unlock key protector that was found in step 1.
## On a Surface Pro 4 device, BitLocker Network Unlock doesn't work because the UEFI network stack is incorrectly configured
Consider the following scenario:
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). UEFI of a Surface Pro 4 has been configured to use DHCP. However, when the Surface Pro 4 is restarted, it still prompts for a BitLocker PIN.
When testing another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure, the device restarts as expected, without prompting for the BitLocker PIN. This test confirms that the infrastructure is correctly configured, and the issue is specific to the device.
### Cause of BitLocker Network Unlock not working on Surface Pro 4
The UEFI network stack on the device is incorrectly configured.
### Resolution for BitLocker Network Unlock not working on Surface Pro 4
To correctly configure the UEFI network stack of the Surface Pro 4, the Microsoft Surface Enterprise Management Mode (SEMM) needs to be used. For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
> [!NOTE]
> If SEMM can't be used, the Surface Pro 4 may be able to use BitLocker Network Unlock by configuring the Surface Pro 4 to use the network as its first boot option.
## Unable to use BitLocker Network Unlock feature on a Windows client computer
Consider the following scenario:
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). A Windows 8 client computer is connected to the internal network with an ethernet cable. However, when the device is restarted, the device still prompts for the BitLocker PIN.
### Cause of unable to use BitLocker Network Unlock feature on a Windows client computer
A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the BitLocker Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker Network Unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages. After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
### Resolution for unable to use BitLocker Network Unlock feature on a Windows client computer
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.

369
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -1,369 +0,0 @@
---
title: BitLocker recovery known issues
description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection:
- Windows Security Technologies\BitLocker
- highpri
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
## Windows prompts for a non-existing BitLocker recovery password
Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured.
### Resolution for Windows prompts for a non-existing BitLocker recovery password
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
## The recovery password for a laptop wasn't backed up, and the laptop is locked
Consider the following scenario:
The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password.
### Resolution for the recovery password for a laptop wasn't backed up
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider).
- In an elevated Command Prompt window, use the [manage-bde.exe](/windows-server/administration/windows-commands/manage-bde) command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -adbackup C:
```
> [!NOTE]
> BitLocker does not automatically manage this backup process.
## Tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
Consider the following scenario:
BitLocker recovery needs to be tested on a tablet or slate device by running the following command:
```cmd
manage-bde.exe -forcerecovery
```
However, after entering the recovery password, the device can't start.
### Cause of tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
> [!IMPORTANT]
> Tablet devices do not support the **`manage-bde.exe -forcerecovery`** command.
This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **`manage-bde.exe -forcerecovery`** command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
### Workaround for tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
2. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
3. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password>
manage-bde.exe -protectors -disable C:
```
4. Close the Command Prompt window.
5. Shut down the device.
6. Start the device. Windows should start as usual.
## After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
Consider the following scenario:
A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed.
You experience one or more of the following symptoms on the Surface device:
- At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up.
- Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings.
- The Surface device appears to be in an infinite restart loop.
### Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure boot is turned off.
- PCR values have been explicitly defined, such as by group policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the [About the Platform Configuration Register (PCR)](bitlocker-group-policy-settings.md#about-the-platform-configuration-register-pcr) section of the [BitLocker Group Policy Settings](bitlocker-group-policy-settings.md) article.
### Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -get <OSDriveLetter>:
```
In this command, *\<OSDriveLetter\>* represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps:
#### Step 1: Disable the TPM protectors on the boot drive
If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps:
1. Obtain the BitLocker recovery password from the Surface user's [Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help.
2. Use another computer to download the Surface recovery image from [Surface Recovery Image Download](https://support.microsoft.com/surface-recovery-image). Use the downloaded image to create a USB recovery drive.
3. Insert the USB Surface recovery image drive into the Surface device, and start the device.
4. When prompted, select the following items:
1. The operating system language.
2. The keyboard layout.
5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
6. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde.exe -protectors -disable <DriveLetter>:
```
where:
- *\<Password\>* is the BitLocker recovery password that was obtained in Step 1
- *\<DriveLetter\>* is the drive letter that is assigned to the operating system drive
> [!NOTE]
> For more information about how to use this command, see [manage-bde unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
7. Restart the computer.
8. When prompted, enter the BitLocker recovery password that was obtained in Step 1.
> [!NOTE]
> After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press **Enter**. Follow the steps to encrypt the drive.
#### Step 2: Use Surface BMR to recover data and reset the Surface device
To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive) to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps:
1. At the command prompt, run the following command:
```cmd
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, *\<Password\>* is the BitLocker recovery password that was obtained in Step 1 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive), and \<*DriveLetter*> is the drive letter that is assigned to the operating system drive.
2. After the drive is unlocked, use the **`copy`** or **`xcopy.exe`** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands) article.
3. To reset the device by using a Surface recovery image, follow the instructions in the article [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
2. Restart the device, and then edit the UEFI settings to set the **Secure Boot** option to **Microsoft Only**.
3. Restart the device and sign into Windows.
4. Open an elevated PowerShell window and run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
2. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
3. Run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
> [!IMPORTANT]
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker) must be used and the **Reboot Count** parameter must be set to either of the following values:
>
> - **2** or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to **2** will cause BitLocker to resume after the device restarts twice.
>
> - **0**: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker) or another mechanism needs to be used to resume BitLocker protection.
To suspend BitLocker while installing TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window and run the following PowerShell cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this PowerShell cmdlet, *\<DriveLetter\>* is the letter that is assigned to the drive.
2. Install the Surface device driver and firmware updates.
3. After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
<!--
REMOVING THIS STATEMENT SINCE THIS IS NOT NEEDED. BITLOCKER WAS ONLY SUSPENDED. IT WAS NOT DISABLED AND THE DRIVE WAS NEVER DECRYPTED. STEP 3 ABOVE ALREADY RESUMES BITLOCKER SO RE-ENABLING AND/OR REENCRYPTING IS NOT NEEDED.
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
-->
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO VERSIONS OF WINDOWS 10 THAT HAVE BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## After installing an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
Consider the following scenario:
A device is running Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016 and Hyper-V is enabled. After installing an affected update and restart the device, the device enters BitLocker Recovery mode and error code 0xC0210000 is displayed.
### Workaround
If the device is already in this state, Windows can be successfully started after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from the organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. Solutions that store the BitLocker password could include Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune.
2. On the Recovery screen, press **Enter**. When prompted, enter the recovery password.
3. If the device starts in the (WinRE) and prompts for the recovery password again, select **Skip the drive**.
4. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
5. In the Command Prompt window, run the following commands:
```cmd
manage-bde.exe -unlock c: -rp <48 digit numerical recovery password separated by "-" in 6 digit group>
manage-bde.exe -protectors -disable c:
exit
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
6. Select **Continue**. Windows should start.
7. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -enable c:
```
> [!IMPORTANT]
> Unless BitLocker is suspended before restarting the device, this issue recurs.
To temporarily suspend BitLocker just before restarting the device, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -disable c: -rc 1
```
### Resolution
To resolve this issue, install the appropriate update on the affected device:
- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
-->
## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
Consider the following scenario:
A device uses TPM 1.2 and runs Windows 10, version 1809. The device also uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed:
> Recovery
>
> Your PC/Device needs to be repaired.
> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
>
> Error code 0xc0210000
>
> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
### Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
TPM 1.2 doesn't support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
### Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
To resolve this issue, use one of the following two solutions:
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.

126
windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
View File

@ -1,126 +0,0 @@
---
title: BitLocker and TPM other known issues
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker and TPM: other known issues
This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
## Azure AD: Windows Hello for Business and single sign-on don't work
Consider the following scenario:
An Azure Active Directory (Azure AD)-joined client computer can't authenticate correctly. The computer is experiencing one or more of the following symptoms:
- Windows Hello for Business doesn't work
- Conditional access fails
- Single sign-on (SSO) doesn't work
Additionally, in Event Viewer, the computer logs the following Event ID 1026 event under **Windows Logs** > **System**:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
> Date: \<Date and Time>
> Event ID: 1026
> Task Category: None
> Level: Information
> Keywords:
> User: SYSTEM
> Computer: \<Computer name\>
> Description:
> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
> Error: The TPM is defending against dictionary attacks and is in a time-out period.
> Additional Information: 0x840000
### Cause of Azure AD: Windows Hello for Business and single sign-on don't work
This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution for Azure AD: Windows Hello for Business and single sign-on don't work
To verify the status of the PRT, use the [dsregcmd.exe /status](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. If the value of the attribute is **No**, it may indicate that the computer couldn't present its certificate for authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (`tpm.msc`) by selecting **Start** and entering **tpm.msc** in the **Search** box.
2. If a notice is displayed to either unlock the TPM or reset the lockout, contact the hardware vendor to determine whether there's a known fix for the issue.
3. If the issue is still not resolved after contacting the hardware vendor, clear and reinitialize the TPM by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
If in Step 2 there's no notice to either unlock the TPM or reset the lockout, review the UEFI firmware/BIOS settings of the computer for any setting that can be used to reset or disable the lockout.
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
Consider the following scenario:
When trying to open the TPM management console on a Windows computer that uses TPM version 1.2, the following message is displayed:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
> The device that is required by this cryptographic provider is not ready for use.
> TPM Spec version: TPM v1.2
On a different device that is running the same version of Windows, the TPM management console can be opened.
### Cause (suspected) of TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
These symptoms indicate that the TPM has hardware or firmware issues.
### Resolution for TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
To resolve the issue:
- Switch the TPM operating mode from version 1.2 to version 2.0 if the device has this option available.
- If switching the TPM from version 1.2 to version 2.0 doesn't resolve the issue, or if the device doesn't have TPM version 2.0 available, contact the hardware vendor to determine whether there's a UEFI firmware update/BIOS update/TPM update for the device. If there's an update available, install the update to see if it resolves the issue.
- If updating the UEFI firmware/BIOS doesn't resolve the issue, or if there's no update available, consider replacing the device motherboard by contacting the hardware vendor. After the motherboard has been replaced, switch the TPM operating mode from version 1.2 to version 2.0 if this option is available.
> [!WARNING]
> Replacing the motherboard will cause data in the TPM to be lost.
## Devices don't join hybrid Azure AD because of a TPM issue
When trying to join a device to a hybrid Azure AD, the join operation appears to fail.
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
If the value of **AzureADJoined** is **No**, the join operation failed.
### Causes and resolutions for devices don't join hybrid Azure AD because of a TPM issue
This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events are displayed, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles:
- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering)
- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md)