Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

officedocspr 2019-12-03 01:10:59 +00:00
commit 521d7eeed7
50 changed files with 1671 additions and 71 deletions

View File

@ -2,8 +2,8 @@
title: Deploy the latest firmware and drivers for Surface devices (Surface)
description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
ms.reviewer:
manager: dansimp
ms.reviewer: dansimp
manager: kaushika
keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
ms.localizationpriority: medium
ms.prod: w10
@ -12,70 +12,94 @@ ms.pagetype: surface, devices
ms.sitesec: library
author: dansimp
ms.audience: itpro
ms.date: 10/21/2019
ms.date: 11/25/2019
ms.author: dansimp
ms.topic: article
---
# Deploy the latest firmware and drivers for Surface devices
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
## Download MSI files
To download MSI files, refer to the following Microsoft Support page:
> **Home users:** This article is only intended for technical support agents and IT professionals. If you're looking for help to install Surface updates or firmware on a home device, please see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505).
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)<br>
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
Under typical conditions, Windows Update automatically keeps Windows Surface devices up-to-date by downloading and installing the latest device drivers and firmware. However, you may sometimes have to download and install updates manually. For example, you may have to manually manage updates when you deploy a new version of Windows.
## Downloading MSI files
[Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface) provides links to download installation files for the following:
- Administrative tools
- Drivers for accessories
- For some devices, updates for Windows
## Deploying MSI files
Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book.
Specific versions of Windows 10 have separate MSI files. Each MSI file contains all required cumulative driver and firmware updates for Surface devices.
To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
The MSI file names contain useful information, including the minimum supported Windows build number that is required to install the drivers and firmware. For example, to install the drivers that are contained in SurfaceBook_Win10_17763_19.080.2031.0.msi on a Surface Book, the device must be running Windows 10 Fall Creators Update, version 1709 or later.
For more information about build numbers for each Windows version, see [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information).
### Surface MSI naming convention
Beginning in August 2019, MSI files use the following naming formula:
- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero).
Beginning in August, 2019, MSI files have used the following naming convention:
**Example:**
SurfacePro6_Win10_18362_19.073.44195_0.msi :
> *Product*\_*Windows release*\_*Windows build number*\_*Version number*\_*Revision of version number (typically zero)*.
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 |
| | | | Indicates key date and sequence information. | Indicates release history of the update. |
| | | | **19:** Signifies the year (2019).<br>**073**: Signifies the month (July) and week of the release (3). <br>**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. |
**Example**
Consider the following MSI file:
> SurfacePro6_Win10_18362_19.073.44195_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 18362
- **Version:** 19.073.44195 &ndash; This shows the date and time that the file was created, as follows:
- **Year:** 19 (2019)
- **Month and week:** 073 (third week of July)
- **Minute of the month:** 44195
- **Revision of version:** 0 (first release of this version)
### Legacy Surface MSI naming convention
Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number.
**Example:**
SurfacePro6_Win10_16299_1900307_0.msi :
Legacy MSI files (files that were built before August, 2019) followed the same overall naming formula, but used a different method to derive the version number.
| Product | Windows release | Build | Version | Revision of version |
| --- | --- | --- | --- | --- |
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. |
| | | | **19:** Signifies the year (2019)<br>**003**: Signifies that its the third release of 2019.<br>**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. |
**Example**
Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list:
Consider the following MSI file:
> SurfacePro6_Win10_16299_1900307_0.msi
This file name provides the following information:
- **Product:** SurfacePro6
- **Windows release:** Win10
- **Build:** 16299
- **Version:** 1900307 &ndash; This shows the date that the file was created and its position in the release sequence, as follows:
- **Year:** 19 (2019)
- **Number of release:** 003 (third release of the year)
- **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
- **Revision of version:** 0 (first release of this version)
Use the **version** number to determine the latest files that contain the most recent security updates. For example, consider the following list:
- SurfacePro6_Win10_16299_1900307_0.msi
- SurfacePro6_Win10_17134_1808507_3.msi
- SurfacePro6_Win10_17763_1808707_3.msi
The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
In this list, the newest file is the first file (SurfacePro6_Win10_16299_1900307_0.msi). Its **Version** field has the newest date (2019). The other files are from 2018.
## Supported devices
Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
For downloadable MSI files for devices that run Surface Pro 2 and later versions, see [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). This article contains information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3, as they are released.
> [!NOTE]
>There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
> There are no downloadable firmware or driver updates available for Surface devices that run Windows RT, including Surface RT and Surface 2. To update these devices, use Windows Update.
For more information about deploying Surface drivers and firmware, refer to:
For more information about how to deploy Surface drivers and firmware, see the following articles:
- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)
- [Surface for Business help](https://www.microsoft.com/surface/support/business)
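Review bot: the build-number example in the "Deploying MSI files" paragraph is internally inconsistent: it says SurfaceBook_Win10_17763_19.080.2031.0.msi requires "Windows 10 Fall Creators Update, version 1709 or later", but 17763 is the build number of version 1809, while version 1709 is build 16299. Either change the file name in the example to a 16299 build or change the required version to 1809, and keep the pair consistent with the linked Windows 10 release information page, since the paragraph's whole point is that the build number in the name is the minimum supported build. One smaller point: the sub-items under "**Version:** 19.073.44195" ("**Year:**", "**Month and week:**", "**Minute of the month:**") and the equivalent ones under "**Version:** 1900307" sit at the same indentation as their parent bullet, so they render as siblings rather than as the nested breakdown the "as follows:" wording announces.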

View File

@ -1,5 +1,7 @@
# [Identity and access management](index.md)
## [Technical support policy for lost or forgotten passwords](password-support-policy.md)
## [Access Control Overview](access-control/access-control.md)
### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
### [Security identifiers](access-control/security-identifiers.md)

View File

@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10 and
| Section | Description |
|-|-|
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |

View File

@ -0,0 +1,58 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
ms.reviewer: kaushika
manager: kaushika
ms.custom:
- CI ID 110060
- CSSTroubleshoot
ms.author: v-tea
ms.prod: w10
ms.sitesec: library
ms.pagetype: security
author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/20/2019
audience: ITPro
---
# Technical support policy for lost or forgotten passwords
Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options dont work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
## How to reset a password for a domain account
If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).
## How to reset a password for a Microsoft account
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action.
## How to reset a password for a local account on a Windows device
Local accounts on a device include the device's Administrator account.
### Windows 10
If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).
### Windows 8.1 or Windows 7
If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.
## How to reset a hardware BIOS password
If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.
## How to reset a password for an individual file
Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords.
## Using third-party password tools
Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
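Review bot: typo in the introduction: "if these options dont work" should read "don't work". Also, in the Microsoft account section the sentence "Microsoft does not influence the team's choice of action" is confusing, because the Microsoft Account team is itself part of Microsoft; if the intent is that support engineers cannot override the account team's identity decision, say that directly, for example "Microsoft Support cannot influence or overturn the team's decision".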

View File

@ -24,6 +24,17 @@
### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### Troubleshoot BitLocker
#### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md)
#### [BitLocker cannot encrypt a drive: known issues](bitlocker\ts-bitlocker-cannot-encrypt-issues.md)
#### [Enforcing BitLocker policies by using Intune: known issues](bitlocker\ts-bitlocker-intune-issues.md)
#### [BitLocker Network Unlock: known issues](bitlocker\ts-bitlocker-network-unlock-issues.md)
#### [BitLocker recovery: known issues](bitlocker\ts-bitlocker-recovery-issues.md)
#### [BitLocker configuration: known issues](bitlocker\ts-bitlocker-config-issues.md)
#### Troubleshoot BitLocker and TPM issues
##### [BitLocker cannot encrypt a drive: known TPM issues](bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md)
##### [BitLocker and TPM: other known issues](bitlocker\ts-bitlocker-tpm-issues.md)
##### [Decode Measured Boot logs to track PCR changes](bitlocker\ts-bitlocker-decode-measured-boot-logs.md)
## [Encrypted Hard Drive](encrypted-hard-drive.md)
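Review bot: the unlinked parent node "### Troubleshoot BitLocker" is immediately followed by a child "#### [Troubleshoot BitLocker](bitlocker\troubleshoot-bitlocker.md)" with the identical title, so the rendered TOC shows the same entry twice in a row; consider linking the parent node to bitlocker\troubleshoot-bitlocker.md and dropping the duplicate child, leaving the "known issues" pages as its children.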

View File

@ -93,6 +93,7 @@ When installing the BitLocker optional component on a server you will also need
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |

Binary file not shown.

After

Width:  |  Height:  |  Size: 111 KiB


View File

@ -0,0 +1,136 @@
---
title: Guidelines for troubleshooting BitLocker
description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# Guidelines for troubleshooting BitLocker
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides pointers to start the troubleshooting process, including what data to collect and what settings to check in order to narrow down the location in which these issues occur.
## Review the event logs
Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
- **BitLocker-API**. Review the Management log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker/BitLocker Operational
- Microsoft-Windows-BitLocker/BitLocker Management
- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
- Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
Additionally, review the Windows logs\\System log for events that were produced by the TCM and TCM-WMI event sources.
To filter and display or export logs, you can use the [wevtutil.exe](https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](https://docs.microsoft.com/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6) cmdlet.
For example, to use wevtutil to export the contents of the Operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run a command that resembles the following:
```cmd
wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
```
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run a command that resembles the following:
```ps
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
```
You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the System or Application log by using syntax that resembles the following:
- To display BitLocker-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
- To export BitLocker-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
```
- To display TPM-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
```
- To export TPM-related information:
```ps
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
```
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
## Gather status information from the BitLocker technologies
Open an elevated Windows PowerShell window, and run each of the following commands.
|Command |Notes |
| - | - |
|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
|[**manage-bde status \>&nbsp;C:\\BDEStatus.txt**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
|[**manage-bde c: <br />-protectors -get \>&nbsp;C:\\Protectors**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
|[**reagentc&nbsp;/info&nbsp;\>&nbsp;C:\\reagent.txt**](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
|[**get-BitLockerVolume \| fl**](https://docs.microsoft.com/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
## Review the configuration information
1. Open an elevated Command Prompt window, and run the following commands.
|Command |Notes |
| - | - |
|[**gpresult /h \<Filename>**](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. |
|[**msinfo /report \<Path> /computer&nbsp;\<ComputerName>**](https://docs.microsoft.com/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |
1. Open Registry Editor, and export the entries in the following subkeys:
- **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
- **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
## Check the BitLocker prerequisites
Common settings that can cause issues for BitLocker include the following:
- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE.
- The system reserved partition must use the correct format.
- On Unified Extensible Firmware Interface (UEFI) computers, the system reserved partition must be formatted as FAT32.
- On legacy computers, the system reserved partition must be formatted as NTFS.
- If the device that you are troubleshooting is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)
## Next steps
If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix.
Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered can help you narrow down the areas to investigate.
- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue.
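Review bot: in the "Review the configuration information" table the command is written as `msinfo /report <Path> /computer <ComputerName>`, but the executable (and the reference page the row links to) is msinfo32, so the command as written will not be found; change it to `msinfo32 /report ...`. In "Review the event logs", the System-log event sources are named "TCM and TCM-WMI"; the providers that log TPM events are TPM and TPM-WMI, so this reads as a typo that would send readers looking for a source that does not exist. Smaller points: the "BitLocker-DrivePreparationTool" bullet has an unbalanced `**` before "Operational log"; the PowerShell fences are tagged `ps` rather than `powershell`; and the `manage-bde c: -protectors -get > C:\Protectors` row writes to a file with no extension, unlike every other row (C:\Protectors.txt would be consistent).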

View File

@ -0,0 +1,103 @@
---
title: BitLocker cannot encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# BitLocker cannot encrypt a drive: known issues
This article describes common issues that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## Error 0x80310059: BitLocker Drive Encryption is already performing an operation on this drive
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
### Cause
This issue may be caused by settings that are controlled by Group Policy Objects (GPOs).
### Resolution
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
1. Delete the following entries:
- **OSPlatformValidation\_BIOS**
- **OSPlatformValidation\_UEFI**
- **PlatformValidation**
1. Exit Registry Editor, and turn on BitLocker Drive Encryption again.
## "Access is denied" message when you try to encrypt removable drives
You have a computer that is running Windows 10, version 1709 or version 1607. You try to encrypt a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied."
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, when you use any USB drive.
### Cause
The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
1. At the command prompt, enter the following command:
```cmd
C:\>sc sdshow bdesvc
```
The output of this command resembles the following:
> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```ps
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
1. Restart the computer.
The issue should now be resolved.
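Review bot: the sample output given for an affected computer (the `sc sdshow bdesvc` block under "Cause") is identical to the repaired descriptor passed to `sc sdset` under "Resolution", and its DACL already carries `(A;;CCLCSWRPLORC;;;AU)` (Authenticated Users), so it never shows the NT AUTHORITY\INTERACTIVE entry the text says is the cause; either paste a descriptor that actually contains the `IU` ACE in the first block or say that the faulty entry is visible only in the screenshot. Separately, the repair step says to run the command "in an elevated PowerShell window", but in Windows PowerShell `sc` resolves to the Set-Content alias, not sc.exe, and the unquoted parentheses and semicolons in the SDDL will be parsed by PowerShell rather than passed through; write it as `sc.exe sdset bdesvc "D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)..."` (quoted) or run it from the Command Prompt that step 1 of the verification already opened, and tag the fence `cmd` instead of `ps` to match.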

View File

@ -0,0 +1,129 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker cannot encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
The TPM is locked out.
### Resolution
To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script:
```ps
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
1. Try again to start BitLocker Drive Encryption.
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
### Cause
The TPM is locked out.
### Resolution
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following:
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
1. Restart the device, and change the BIOS configuration to enable the TPM.
1. Restart the device, and return to the TPM management console.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
### Cause
The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution
To verify that you have correctly identified this issue, use one of the following methods:
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```ps
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
In this command, *ComputerName* is the name of the affected computer.
1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
### Cause
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set.
### Resolution
To resolve this issue, follow these steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
1. In the script, modify the value of **strPathToDomain** to your domain name.
1. Open an elevated PowerShell window, and run the following command:
```ps
cscript <Path>Add-TPMSelfWriteACE.vbs
```
In this command \<*Path*> is the path to the script file.
For more information, see the following articles:
- [Back up the TPM recovery information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
- [Prepare your organization for BitLocker: Planning and policies](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)
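Review bot: the script in the first "Resolution" (the `$Tpm = Get-WmiObject ...` block) has been flattened onto a single line, so the three statements run together and will not parse as written; put each on its own line or separate them with `;`: `$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"` / `$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus` / `if ($ConfirmationStatus -ne 4) { $Tpm.SetPhysicalPresenceRequest(22) }`. Physical Presence operation 22 is the enable/activate/clear sequence, so pressing F12 at restart clears the TPM and discards TPM-sealed keys; the data-loss warning that appears under the second section should also appear here. Smaller points in the same file: `NTAUTHORITY/SELF` should read `NT AUTHORITY\SELF`, "Windows Server 2008 R2to" is missing a space, and the numbered steps after the bulleted verification methods restart at 1 although they continue the same procedure.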

View File

@ -0,0 +1,182 @@
---
title: BitLocker configuration known issues
description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# BitLocker configuration: known issues
This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10
In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
### Benefits of using the new conversion model
By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began&mdash;that is, potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial.
By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
### Other BitLocker enhancements
After Windows 7 was released, several other areas of BitLocker were improved:
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
- BitLocker Wizard
- manage-bde
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[Direct memory access (DMA) Port Protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
- **[BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
Consider the following scenario:
1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V.
1. You add data to the data disk as it encrypts.
1. You restart the VM, and observe the following:
- The system volume is not encrypted.
- The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
- You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
### Cause
This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM.
### Resolution
To resolve this issue, remove the third-party software.
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
This issue occurs regardless of any of the following variations in the environment:
- How the domain controller volumes are unlocked.
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the domain controller Application log, the VSS event source records event ID 8229:
> ID: 8229
> Level: Warning
> Source: VSS
> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:
> PostSnapshot Event
>
> Context:
> Execution Context: Writer
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> Writer Name: NTDS
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
> Command Line: C:\\Windows\\system32\\lsass.exe
>
> Process ID: 680
In the domain controller Directory Services event log, you see an event that resembles the following:
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
>
> &nbsp;Additional Data
> &nbsp;&nbsp;Error value (decimal): -1022
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
> [!NOTE]
> The internal ID of this event may differ based on your operating system release and path level.
After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:
> Writer name: 'NTDS'
> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
> &nbsp;&nbsp;State: \[11\] Failed
> &nbsp;&nbsp;Last error: Non-retryable error
Additionally, you cannot back up the VMs until you restart them.
### Cause
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
### Workaround
There is one supported way to perform backup and restore of a virtualized domain controller:
- Run Windows Server Backup in the guest operating system.
If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
### More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
```
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
```
The operation produces the following call stack:
```
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```
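Review bot: the two fenced blocks under "More information" contain markdown escape sequences (`\#`, `\_`, `\!`, `` \` ``, `\[`, `\\`) that render literally inside a code fence, so readers will see `STATUS\_FVE\_LOCKED\_VOLUME` and `KERNELBASE\!FindFirstFileExW` instead of the real symbol names; drop the backslashes so the lines read `# for hex 0xc0210000 / decimal -1071579136` and `STATUS_FVE_LOCKED_VOLUME ntstatus.h`. The same block would benefit from a one-line explanation that the ESENT call stack shows the NTDS writer's post-snapshot recovery of the database failing on the still-locked volume, which is what ties the stack to the `0x800423f4` event. Also, VSS expands to Volume Shadow Copy Service, not "Volume Snap-Shot (VSS) service", and "path level" in the note about the internal ID should be "patch level".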

View File

@ -0,0 +1,113 @@
---
title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019
---
# Decode Measured Boot logs to track PCR changes
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder.
This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
For more information about Measured Boot and PCRs, see the following articles:
- [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)
- [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)
## Use TBSLogGenerator to decode Measured Boot logs
Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems:
- A computer that is running Windows Server 2016 and that has a TPM enabled
- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
To install the tool, follow these steps:
1. Download the Windows Hardware Lab Kit from one of the following locations:
- [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/)
- Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
1. Accept the default installation path.
![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
1. Finish the installation.
To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
This folder contains the TBSLogGenerator.exe file.
![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
## Use PCPTool to decode Measured Boot logs
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command:
```cmd
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```
where the variables represent the following values:
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file
The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
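Review bot: the PCPTool section says "The content of the XML file resembles the following" but the figure it points to is described as a Command Prompt window showing how to run the tool, so either the sentence or the image (pcptool-output.jpg) needs to change to match. The placeholder names also drift between the two tools (`<LogFolderName>` for TBSLogGenerator versus `<LogFolderPath>` for PCPTool, both explained as the folder containing the log); use one name, and note in the TBSLogGenerator example that the decoded .txt is written next to the .log only because the command chose the same folder for `<DestinationFolderName>`.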

View File

@ -0,0 +1,346 @@
---
title: Enforcing BitLocker policies by using Intune known issues
description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# Enforcing BitLocker policies by using Intune: known issues
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1)
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2)
- [Event ID 854: WinRE is not configured](#issue-3)
- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4)
- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6)
- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7)
- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5)
If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following:
- [Review the hardware requirements for using Intune to manage BitLocker on devices](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
- [Review your BitLocker policy configuration](#policy)
For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
### Cause
The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM.
### Resolution
To resolve this issue, verify the following:
- The TPM is enabled in the device BIOS.
- The TPM status in the TPM management console resembles the following:
- Ready (TPM 2.0)
- Initialized (TPM 1.2)
For more information, see [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm).
## <a id="issue-2"></a>Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
### Cause
During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
To avoid this situation, the provisioning process stops if it detects removable bootable media.
### Resolution
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
## <a id="issue-3"></a>Event ID 854: WinRE is not configured
The event information resembles the following:
> Failed to enable Silent Encryption. WinRe is not configured.
>
> Error: This PC cannot support device encryption because WinRE is not properly configured.
### Cause
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
If WinRE is not available on the device, provisioning stops.
### Resolution
You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps.
#### Step 1: Verify the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
```
diskpart
list volume
```
![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager).
![Windows image configuration in System Center Configuration Manager](./images/sccm-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
```cmd
reagentc /enable
```
#### Step 3: Verify the Windows Boot Loader configuration
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```cmd
bcdedit /enum all
```
The output of this command resembles the following.
![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
## <a id="issue-4"></a>Event ID 851: Contact the manufacturer for BIOS upgrade instructions
The event information resembles the following:
> Failed to enable Silent Encryption.
>
> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
### Cause
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS.
### Resolution
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
You receive an error message that resembles the following:
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable SecureBoot could not be read. A required privilege is not held by the client.
### Cause
A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on.
### Resolution
You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps:
#### Step 1: Verify the PCR validation profile of the TPM
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -get %systemdrive%
```
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
![Output of the manage-bde command](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
#### 2. Verify the Secure Boot state
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a supported Secure Boot State](./images/4509202-en-1.png)
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
> ```ps
> PS C:\> Confirm-SecureBootUEFI
> ```
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
>
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a
In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
> Event ID:846
>
> Event:
> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
>
> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
> Error: Unknown HResult Error code: 0x80072f9a
> Event ID:778
>
> Event: The BitLocker volume C: was reverted to an unprotected state.
> Event ID: 851
>
> Event:
> Failed to enable Silent Encryption.
>
> Error: Unknown HResult Error code: 0x80072f9a.
These events refer to Error code 0x80072f9a.
### Cause
These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
The issue affects Windows 10 version 1809.
### Resolution
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
## <a id="issue-5"></a>Error message: There are conflicting Group Policy settings for recovery options on operating system drives
You receive a message that resembles the following:
> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
### Resolution
To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN).
## <a id="policy"></a>Review your BitLocker policy configuration
For information about how to use policy together with BitLocker and Intune, see the following resources:
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-devices-joined-to-azure-active-directory)
- [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN)
- [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
- [Policy CSP &ndash; BitLocker](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bitlocker)
- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
- [Enable ADMX-backed policies in MDM](https://docs.microsoft.com/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
- [gpresult](https://docs.microsoft.com/windows-server/administration/windows-commands/gpresult)
Intune offers the following enforcement types for BitLocker:
- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
If your device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
![Intune policy settings](./images/4509186-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
Value Type: **Integer**
Value: **1**  (1 = Require, 0 = Not Configured)
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
Value Type: **Integer**
Value: **0** (0 = Blocked, 1 = Allowed)
> [!NOTE]
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
> [!NOTE]
> If the **Waiting for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard.
If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.
The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
- Be HSTI-compliant
- Support Modern Standby
- Use Windows 10 version 1803 or later
![Intune policy setting](./images/4509188-en-1.png)
The OMA-URI references for these settings are as follows:
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
Value Type: **Integer**
Value: **1**
> [!NOTE]
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles.
## Verifying that BitLocker is operating correctly
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**
![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
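Review bot: The heading "#### 2. Verify the Secure Boot state" breaks the "#### Step N:" convention used by the other sub-steps in this file ("#### Step 1: Verify the PCR validation profile of the TPM"); rename it to "#### Step 2: Verify the Secure Boot state". In the note under the AllowStandardUserEncryption OMA-URI, the period after "**AllowWarningForOtherDiskEncryption** to **0**." cuts the sentence in half; it should be a comma so that it reads "... and **AllowWarningForOtherDiskEncryption** to **0**, Intune can enforce silent BitLocker encryption for Autopilot devices ...". Two smaller points: the two `[!NOTE]` alerts that follow the OMA-URI list for RequireDeviceEncryption/AllowWarningForOtherDiskEncryption are not separated by a blank line and may render as a single alert, and the "Value: **1**" line for RequireDeviceEncryption carries a stray non-breaking space before the parenthetical.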


@ -0,0 +1,87 @@
---
title: BitLocker Network Unlock known issues
description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/7/2019
---
# BitLocker Network Unlock: known issues
By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements:
- Each computer belongs to a domain
- Each computer has a wired connection to the corporate network
- The corporate network uses DHCP to manage IP addresses
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware
For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock).
This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues.
## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer
You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands.
1. Open an elevated Command Prompt window and run the following command:
```cmd
manage-bde protectors get <Drive>
```
where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
1. Start Registry Editor, and verify the following settings:
- Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
- Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1.
## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.
You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
### Cause
The UEFI network stack on the device was incorrectly configured.
### Resolution
To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm).
> [!NOTE]
> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option.
## Unable to use BitLocker Network Unlock feature on a Windows client computer
You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
### Cause
A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request.
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence)
### Resolution
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
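Review bot: The command in the "Tip" section, `manage-bde protectors get <Drive>`, is missing the switch hyphens and fails as written; it should be `manage-bde -protectors -get <Drive>` (the same form that the manage-bde examples elsewhere in this commit use). In the same section, "x64 or x32 UEFI systems" should read "x64 or x86", and in the intro "To do this, You have to configure" has a capitalized "You" mid-sentence. In the Cause section for the Windows 8 client issue, "This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests" is circular; suggest "A DHCP server that is configured to support BOOTP clients therefore also replies to BOOTP requests."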


@ -0,0 +1,290 @@
---
title: BitLocker recovery known issues
description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker recovery: known issues
This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
> [!NOTE]
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors).
## Windows 10 prompts for a non-existing BitLocker recovery password
Windows 10 prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password.
### Resolution
The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
## The recovery password for a laptop was not backed up, and the laptop is locked
You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
### Resolution
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](https://docs.microsoft.com/windows/win32/secprov/bitlocker-drive-encryption-provider).
- In an elevated Command Prompt window, use the [manage-bde](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde) command to back up the information.
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd
manage-bde -protectors -adbackup C:
```
> [!NOTE]
> BitLocker does not automatically manage this backup process.
## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
```cmd
Manage-bde -forcerecovery
```
However, after you enter the recovery password, the device cannot start.
### Cause
> [!IMPORTANT]
> Tablet devices do not support the **manage-bde -forcerecovery** command.
This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
This behavior is by design for all versions of Windows.
### Workaround
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands :
```cmd
manage-bde unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C:
```
1. Close the Command Prompt window.
1. Shut down the device.
1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
You experience one or more of the following symptoms on the Surface device:
- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesnt start up.
- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
- The Surface device appears to be in an infinite restart loop.
### Cause
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
- Secure Boot is turned off.
- PCR values have been explicitly defined, such as by Group Policy.
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
### Resolution
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
```cmd
manage-bde.exe -protectors -get <OSDriveLetter>:
```
In this command, &lt;*OSDriveLetter*&gt; represents the drive letter of the operating system drive.
To resolve this issue and repair the device, follow these steps.
#### <a id="step-1"></a>Step 1: Disable the TPM protectors on the boot drive
If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items:
1. Your operating system language.
1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>:
```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command:
```cmd
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands).
1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).
#### Step 3: Restore the default PCR values
To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
> [!IMPORTANT]
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values:
> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection.
To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```ps
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
### Workaround
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c:
exit
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -enable c:
```
> [!IMPORTANT]
> Unless you suspend BitLocker before you start the device, this issue recurs.
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
```cmd
Manage-bde -protectors -disable c: -rc 1
```
### Resolution
To resolve this issue, install the appropriate update on the affected device:
- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.
> Recovery
>
> Your PC/Device needs to be repaired.
> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
>
> Error code 0xc0210000
>
> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
### Cause
TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines)
For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows)
### Resolution
To resolve this issue, do one of the following:
- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
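Review bot: the `Resume-BitLocker -MountPoint "<DriveLetter>:"` snippet in the step list immediately before the `#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates` heading has no closing ``` fence, so the heading and the paragraph after it will render inside the code block; add the closing fence after the `Resume-BitLocker` line. A smaller point in the Hyper-V workaround, step 3: "If your device starts in the (WinRE)" reads oddly; suggest "starts in WinRE".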

View File

@ -0,0 +1,113 @@
---
title: BitLocker and TPM other known issues
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/18/2019
---
# BitLocker and TPM: other known issues
This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
## Azure AD: Windows Hello for Business and single sign-on do not work
You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
- Windows Hello for Business does not work.
- Conditional access fails.
- Single sign-on (SSO) does not work.
Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
> Date: \<Date and Time>
> Event ID: 1026
> Task Category: None
> Level: Information
> Keywords:
> User: SYSTEM
> Computer: \<Computer name\>
> Description:
> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
> Error: The TPM is defending against dictionary attacks and is in a time-out period.
> Additional Information: 0x840000
### Cause
This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution
To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
1. Contact the hardware vendor to determine whether there is a known fix for the issue.
1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
You have a Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
> The device that is required by this cryptographic provider is not ready for use.
> TPM Spec version: TPM v1.2
On a different device that is running the same version of Windows, you can open the TPM management console.
### Cause (suspected)
These symptoms indicate that the TPM has hardware or firmware issues.
### Resolution
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
## Devices do not join hybrid Azure AD because of a TPM issue
You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
To verify that the join succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
If the value of **AzureADJoined** is **No**, the join failed.
### Causes and Resolutions
This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles:
- [TPM fundamentals: Anti-hammering](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
- [Troubleshooting hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
- [Troubleshoot the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
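Review bot: the quoted error text in the "TPM 1.2 Error" section repeats the HRESULT value: `HRESULT 0x800900300x80090030 - NTE_DEVICE_NOT_READY` should read `HRESULT 0x80090030 - NTE_DEVICE_NOT_READY`, which is also the single code spelled out on the next line. Minor: the Event ID 1026 description line contains a double space in "cannot be provisioned for use automatically.  To set up the TPM", and "Causes and Resolutions" uses a capitalized "Resolutions" while the other headings in the file use sentence case ("Resolution").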

View File

@ -1,6 +1,5 @@
---
title:
# Fine-tune Windows Information Policy (WIP) with WIP Learning
title: Fine-tune Windows Information Policy (WIP) with WIP Learning
description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
ms.reviewer:
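Review bot: the new front-matter title still says "Windows Information Policy (WIP)" although the description on the next line, and the WIP acronym itself, refer to Windows Information Protection; suggest `title: Fine-tune Windows Information Protection (WIP) with WIP Learning`. Please also confirm that both the bare `title:` line and the `# Fine-tune Windows Information Policy (WIP) with WIP Learning` heading line are the ones being removed, so the YAML block ends up with a single `title` key and no Markdown heading inside it.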

View File

@ -2,7 +2,7 @@
title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications.
keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications
keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
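Review bot: the PC-to-device search-and-replace in the `keywords` line mangled an acronym: `MMPC` became `MMdevice`, which is not a term anyone searches for. Keep `MMPC` (it stands for Microsoft Malware Protection Center, which is spelled out right after it in the same line) or drop it, but do not ship `MMdevice`.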
@ -18,33 +18,31 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
## Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
### Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
Malicious software is an application or code that compromises user security. Malicious software may steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your device.
* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
* **Downloader:** A type of malware that downloads other malware onto your device. It must connect to the internet to download files.
* **Dropper:** A type of malware that installs other malware files onto your PC.Unlike a downloader, a dropper doesnt need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
* **Dropper:** A type of malware that installs other malware files onto your device.Unlike a downloader, a dropper doesnt have to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
* **Hacktool:** A type of tool that can be used to gain unauthorized access to your device.
* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
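Review bot: the rewritten "Malicious software" paragraph has a grammar slip: "malicious software wants to trick, cheat, or defrauds users" should be "malicious software tricks, cheats, or defrauds users" (or "wants to trick, cheat, or defraud users"). The Dropper bullet still lacks a space after the period in "onto your device.Unlike a downloader"; since the line is already being touched, fix that too.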
@ -52,23 +50,23 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to convince you to pay for its services.
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.
* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.
* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
* **Worm:** A type of malware that spreads to other devices. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
### Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
You must be notified about what is happening on your device, including what software does and whether it is active.
Software that exhibits lack of choice might:
@ -84,13 +82,13 @@ Software that exhibits lack of choice might:
* Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your PCs health.
* Display exaggerated claims about your devices health.
* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
* Make misleading or inaccurate claims about files, registry entries, or other items on your device.
* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
* Display claims in an alarming manner about your device's health and require payment or certain actions in exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
@ -98,7 +96,7 @@ Software that stores or transmits your activities or data must:
#### Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
You must be able to control software on your device. You must be able to start, stop, or otherwise revoke authorization to software.
Software that exhibits lack of control might:
@ -110,7 +108,7 @@ Software that exhibits lack of control might:
* Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified.
#### Installation and removal
@ -120,7 +118,7 @@ Software that delivers *poor installation experience* might bundle or download o
Software that delivers *poor removal experience* might:
* Present confusing or misleading prompts or pop-ups while being uninstalled.
* Present confusing or misleading prompts or pop-ups when you try to uninstall it.
* Fail to use standard install/uninstall features, such as Add/Remove Programs.
@ -150,25 +148,27 @@ Advertisements shown to you must:
#### Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security intelligence for software that meets the described criteria. This Security intelligence identifies the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
As an individual, you can also block downloads from PUA in the new Chromium-based Edge browser by going to **Settings** > **Privacy and services** and turning on **Block potentially unwanted apps**.
*PUAs are not considered malware.*
Microsoft uses specific categories and the category definitions to classify software as a PUA.
* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
* **Marketing software:** Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
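Review bot: the subject-verb agreement error in the "Consumer opinion" paragraph was carried over unchanged: "This Security intelligence identifies the software as malware and are available to all users" should read "and is available to all users". While there, "Security intelligence" is capitalized inconsistently with "malware" and the other common nouns in the same paragraph; lowercase "security intelligence" matches the rest of the page.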

View File

@ -1,4 +1,6 @@
---
title: Perform a Machine Action via the Microsoft Defender ATP API
description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
@ -7,5 +9,6 @@ author: mjcaparas
ms.prod: w10
title: Note
---
>[!Note]
> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
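Review bot: with `title: Perform a Machine Action via the Microsoft Defender ATP API` now added at the top of the front matter, the `title: Note` line just before the closing `---` is a second `title` key in the same YAML block, which either fails to parse or silently overrides the new title. Delete `title: Note` (it looks like the note's label was accidentally placed inside the metadata); the `>[!Note]` callout below the front matter already provides the heading.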

View File

@ -1,4 +1,6 @@
---
title: Microsoft Defender ATP Pre-release Disclaimer
description: Disclaimer for pre-release version of Microsoft Defender ATP.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp