Merge pull request #7569 from frankroj/fr-remove-ts-usmt-bitlocker
Remove troubleshooting articles from USMT and BitLocker
commit
5cb38d068a
@ -20159,21 +20159,76 @@
|
||||
"source_path": "windows/deployment/update/update-status-admin-center.md",
|
||||
"redirect_url": "/windows/deployment/update/wufb-reports-admin-center",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/update/update-compliance-v2-workbook.md",
|
||||
"redirect_url": "/windows/deployment/update/wufb-reports-workbook",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/kiosk-troubleshoot.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/start-layout-troubleshoot.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/usmt/usmt-common-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/usmt/usmt-return-codes.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-return-codes",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md",
|
||||
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
@ -466,18 +466,6 @@
|
||||
href: usmt/usmt-reroute-files-and-settings.md
|
||||
- name: Verify the Condition of a Compressed Migration Store
|
||||
href: usmt/verify-the-condition-of-a-compressed-migration-store.md
|
||||
- name: USMT Troubleshooting
|
||||
href: usmt/usmt-troubleshooting.md
|
||||
- name: Common Issues
|
||||
href: usmt/usmt-common-issues.md
|
||||
- name: Frequently Asked Questions
|
||||
href: usmt/usmt-faq.yml
|
||||
- name: Log Files
|
||||
href: usmt/usmt-log-files.md
|
||||
- name: Return Codes
|
||||
href: usmt/usmt-return-codes.md
|
||||
- name: USMT Resources
|
||||
href: usmt/usmt-resources.md
|
||||
|
||||
- name: USMT Reference
|
||||
items:
|
||||
@ -545,7 +533,22 @@
|
||||
href: usmt/usmt-xml-elements-library.md
|
||||
- name: Offline Migration Reference
|
||||
href: usmt/offline-migration-reference.md
|
||||
|
||||
|
||||
- name: Troubleshoot USMT
|
||||
items:
|
||||
- name: USMT Troubleshooting
|
||||
href: usmt/usmt-troubleshooting.md
|
||||
- name: USMT Common Issues
|
||||
href: /troubleshoot/windows-client/deployment/usmt-common-issues
|
||||
- name: USMT Frequently Asked Questions
|
||||
href: usmt/usmt-faq.yml
|
||||
- name: USMT Log Files
|
||||
href: usmt/usmt-log-files.md
|
||||
- name: USMT Return Codes
|
||||
href: /troubleshoot/windows-client/deployment/usmt-return-codes
|
||||
- name: USMT Resources
|
||||
href: usmt/usmt-resources.md
|
||||
|
||||
- name: Application Compatibility Toolkit (ACT) Technical Reference
|
||||
items:
|
||||
- name: SUA User's Guide
|
||||
|
@ -1,299 +0,0 @@
|
||||
---
|
||||
title: Common Issues (Windows 10)
|
||||
description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.prod: windows-client
|
||||
ms.date: 11/01/2022
|
||||
author: frankroj
|
||||
ms.topic: article
|
||||
ms.technology: itpro-deploy
|
||||
---
|
||||
|
||||
# Common issues
|
||||
|
||||
The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
|
||||
|
||||
## General guidelines for identifying migration problems
|
||||
|
||||
When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
|
||||
|
||||
- Examine the **ScanState**, **LoadState**, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return codes](usmt-return-codes.md). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
|
||||
|
||||
In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
|
||||
|
||||
> [!NOTE]
|
||||
> Running the **ScanState** and **LoadState** tools with the `/v:5` option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
|
||||
|
||||
- Use the `/Verify` option with the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md).
|
||||
|
||||
- Use the `/Extract` option with the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md).
|
||||
|
||||
- Create a progress log using the `/Progress` option to monitor your migration.
|
||||
|
||||
- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
|
||||
|
||||
- Sign out after you run the **LoadState** tool. Some settings such as fonts, desktop backgrounds, and screen-saver settings won't take effect until the next time the end user logs on.
|
||||
|
||||
- Close all applications before running **ScanState** or **LoadState** tools. If some applications are running during the **ScanState** or **LoadState** process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
|
||||
|
||||
> [!NOTE]
|
||||
> USMT will fail if it can't migrate a file or setting unless you specify the `/c` option. When you specify the `/c` option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that didn't migrate.
|
||||
|
||||
## User account problems
|
||||
|
||||
The following sections describe common user account problems. Expand the section to see recommended solutions.
|
||||
|
||||
### I'm having problems creating local accounts on the destination computer
|
||||
|
||||
**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate user accounts](usmt-migrate-user-accounts.md).
|
||||
|
||||
### Not all of the user accounts were migrated to the destination computer
|
||||
|
||||
**Causes/Resolutions** There are two possible causes for this problem:
|
||||
|
||||
When running the **ScanState** and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
|
||||
|
||||
1. Select **Start** > **All Programs** > **Accessories**.
|
||||
|
||||
2. Right-click **Command Prompt**.
|
||||
|
||||
3. Select **Run as administrator**.
|
||||
|
||||
4. Specify the `LoadState.exe` or `ScanState.exe` command.
|
||||
|
||||
If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
|
||||
|
||||
Any user accounts on the computer that haven't been used won't be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT won't migrate the User1 account.
|
||||
|
||||
### User accounts that I excluded were migrated to the destination computer
|
||||
|
||||
**Cause:** The command that you specified might have had conflicting `ui` and `/ue` options. If a user is specified with the `/ui` option and with either the `/ue` or `/uel` options at the same time, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the `/ui` option takes precedence.
|
||||
|
||||
**Resolution:** For more information about how to use the `/ui` and `/ue` options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) article.
|
||||
|
||||
### I'm using the /uel option, but many accounts are still being included in the migration
|
||||
|
||||
**Cause:** The `/uel` option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last sign-in date.
|
||||
|
||||
**Resolution:** This is a limitation of the `/uel` option. You might need to exclude these users manually with the `/ue` option.
|
||||
|
||||
### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test
|
||||
|
||||
**Cause:** During a migration test, if you run the **ScanState** tool on your test computer and then delete user profiles in order to test the **LoadState** tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but won't remove the registry key.
|
||||
|
||||
**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
|
||||
|
||||
1. Open the registry editor by typing `regedit` at an elevated command prompt.
|
||||
|
||||
2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
|
||||
|
||||
Each user profile is stored in a System Identifier key under `ProfileList`.
|
||||
|
||||
3. Delete the key for the user profile you're trying to remove.
|
||||
|
||||
### Files that weren't encrypted before the migration are now encrypted with the account used to run the LoadState tool
|
||||
|
||||
**Cause:** The **ScanState** tool was run using the `/EFS:copyraw` option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
|
||||
|
||||
**Resolution:** Before using the **ScanState** tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
|
||||
|
||||
To remove encryption from files that have already been migrated incorrectly, you must sign into the computer with the account that you used to run the **LoadState** tool and then remove the encryption from the affected files.
|
||||
|
||||
### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file
|
||||
|
||||
**Cause:** The computer name was changed during an offline migration of a local user profile.
|
||||
|
||||
**Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example,
|
||||
|
||||
```cmd
|
||||
LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore
|
||||
/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1
|
||||
```
|
||||
|
||||
## Command-line problems
|
||||
|
||||
The following sections describe common command-line problems. Expand the section to see recommended solutions.
|
||||
|
||||
### I received the following error message: "Usage Error: You can't specify a file path with any of the command-line options that exceeds 256 characters."
|
||||
|
||||
**Cause:** You might receive this error message in some cases even if you don't specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the ` **ScanState**.exe /o store` command from `C:\Program Files\USMT40`, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
|
||||
|
||||
**Resolution:** Ensure that the total path length doesn't exceed 256 characters. The total path length includes the store path plus the current directory.
|
||||
|
||||
### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
|
||||
|
||||
**Cause:** If you're running the **ScanState** or **LoadState** tools from a shared network resource, you'll receive this error message if you don't specify `/l`.
|
||||
|
||||
**Resolution:** To fix this issue in this scenario, specify the `/l:ScanState.log` or `/l:LoadState.log` option.
|
||||
|
||||
## XML file problems
|
||||
|
||||
The following sections describe common XML file problems. Expand the section to see recommended solutions.
|
||||
|
||||
### I used the `/genconfig` option to create a `Config.xml` file, but I see only a few applications and components that are in `MigApp.xml`. Why does `Config.xml` not contain all of the same applications?
|
||||
|
||||
**Cause:** `Config.xml` will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the `/genconfig` option. Otherwise, these applications and components won't appear in the `Config.xml` file.
|
||||
|
||||
**Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command:
|
||||
|
||||
```cmd
|
||||
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log
|
||||
```
|
||||
|
||||
### I'm having problems with a custom .xml file that I authored, and I can't verify that the syntax is correct
|
||||
|
||||
**Resolution:** You can load the XML schema file `MigXML.xsd` into your XML authoring tool. `MigXML.xsd` is included with USMT. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there's a syntax error. For more information about using the XML elements, see [USMT XML Reference](usmt-xml-reference.md).
|
||||
|
||||
### I'm using a MigXML helper function, but the migration isn't working the way I expected it to. How do I troubleshoot this issue?
|
||||
|
||||
**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate didn't get collected or applied, or weren't collected or applied in the way you expected.
|
||||
|
||||
**Resolution:** You should search the **ScanState** or **LoadState** log for either the component name that contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
|
||||
|
||||
## Migration problems
|
||||
|
||||
The following sections describe common migration problems. Expand the section to see recommended solutions.
|
||||
|
||||
### Files that I specified to exclude are still being migrated
|
||||
|
||||
**Cause:** There might be another rule that is including the files. If there's a more specific rule or a conflicting rule, the files will be included in the migration.
|
||||
|
||||
**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
|
||||
|
||||
### I specified rules to move a folder to a specific location on the destination computer, but it hasn't migrated correctly
|
||||
|
||||
**Cause:** There might be an error in the XML syntax.
|
||||
|
||||
**Resolution:** You can use the USMT XML schema (`MigXML.xsd`) to write and validate migration .xml files. Also see the XML examples in the following articles:
|
||||
|
||||
[Conflicts and precedence](usmt-conflicts-and-precedence.md)
|
||||
|
||||
[Exclude files and settings](usmt-exclude-files-and-settings.md)
|
||||
|
||||
[Reroute files and settings](usmt-reroute-files-and-settings.md)
|
||||
|
||||
[Include files and settings](usmt-include-files-and-settings.md)
|
||||
|
||||
[Custom XML examples](usmt-custom-xml-examples.md)
|
||||
|
||||
### After LoadState completes, the new desktop background doesn't appear on the destination computer
|
||||
|
||||
There are three typical causes for this issue.
|
||||
|
||||
**Cause**: Some settings such as fonts, desktop backgrounds, and screen-saver settings aren't applied by **LoadState** until after the destination computer has been restarted.
|
||||
|
||||
**Resolution:** To fix this issue, sign out, and then log back on to see the migrated desktop background.
|
||||
|
||||
<!---
|
||||
**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background won't be migrated. Instead, the destination computer will have the default Windows® desktop background. This issue will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
|
||||
|
||||
**Resolution:** Ensure that the desktop background images that you want to migrate aren't in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
|
||||
|
||||
**Cause \#3:** If **ScanState** wasn't run on Windows XP from an account with administrative credentials, some operating system settings won't migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings won't migrate.
|
||||
|
||||
**Resolution:** Run the **ScanState** and **LoadState** tools from within an account with administrative credentials.
|
||||
--->
|
||||
|
||||
### I included `MigApp.xml` in the migration, but some `PST` files aren't migrating
|
||||
|
||||
**Cause:** The `MigApp.xml` file migrates only the PST files that are linked to Outlook profiles.
|
||||
|
||||
**Resolution:** To migrate PST files that aren't linked to Outlook profiles, you must create a separate migration rule to capture these files.
|
||||
|
||||
### USMT doesn't migrate the Start layout
|
||||
|
||||
**Description:** You're using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and doesn't have the Start menu layout they had previously configured.
|
||||
|
||||
**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
|
||||
|
||||
**Resolution:** The following workaround is available:
|
||||
|
||||
1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
|
||||
|
||||
```powershell
|
||||
Export-StartLayout -Path "C:\Layout\user1.xml"
|
||||
```
|
||||
|
||||
2. Migrate the user's profile with USMT.
|
||||
|
||||
3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
|
||||
|
||||
```powershell
|
||||
Import-StartLayout -LayoutPath "C:\Layout\user1.xml" -MountPath %systemdrive%
|
||||
```
|
||||
|
||||
This workaround changes the Default user's Start layout. The workaround doesn't scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device, you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
|
||||
|
||||
## Offline migration problems
|
||||
|
||||
The following sections describe common offline migration problems. Expand the section to see recommended solutions.
|
||||
|
||||
### Some of my system settings don't migrate in an offline migration
|
||||
|
||||
**Cause:** Some system settings, such as desktop backgrounds and network printers, aren't supported in an offline migration. For more information, see [What does USMT migrate?](usmt-what-does-usmt-migrate.md)
|
||||
|
||||
**Resolution:** In an offline migration, these system settings must be restored manually.
|
||||
|
||||
### The ScanState tool fails with return code 26
|
||||
|
||||
**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The **ScanState** log shows a **MigStartupOfflineCaught** exception that includes the message **User profile duplicate SID error**.
|
||||
|
||||
**Resolution:** You can reboot the computer to get rid of the temp profile or you can set **MIG_FAIL_ON_PROFILE_ERROR=0** to skip the error and exclude the temp profile.
|
||||
|
||||
### Include and Exclude rules for migrating user profiles don't work the same offline as they do online
|
||||
|
||||
**Cause:** When offline, the DNS server can't be queried to resolve the user name and SID mapping.
|
||||
|
||||
**Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example:
|
||||
|
||||
```cmd
|
||||
ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*
|
||||
```
|
||||
|
||||
The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
|
||||
|
||||
You can also use patterns for SIDs that identify generic users or groups. For example, you can use the `/ue:*-500` option to exclude the local administrator accounts. For more information about Windows SIDs, see [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers).
|
||||
|
||||
### My script to wipe the disk fails after running the ScanState tool on a 64-bit system
|
||||
|
||||
**Cause:** The HKLM registry hive isn't unloaded after the **ScanState** tool has finished running.
|
||||
|
||||
**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter:
|
||||
|
||||
```cmd
|
||||
reg.exe unload hklm\$dest$software
|
||||
```
|
||||
|
||||
## Hard-Link Migration Problems
|
||||
|
||||
The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
|
||||
|
||||
### EFS files aren't restored to the new partition
|
||||
|
||||
**Cause:** EFS files can't be moved to a new partition with a hard link. The `/efs:hardlink` command-line option is only applicable to files migrated on the same partition.
|
||||
|
||||
**Resolution:** Use the `/efs:copyraw` command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
|
||||
|
||||
### The ScanState tool can't delete a previous hard-link migration store
|
||||
|
||||
**Cause:** The migration store contains hard links to locked files.
|
||||
|
||||
**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter:
|
||||
|
||||
```cmd
|
||||
UsmtUtils.exe /rd <storedir>
|
||||
```
|
||||
|
||||
You should also reboot the machine.
|
||||
|
||||
## Related articles
|
||||
|
||||
[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
|
||||
|
||||
[Frequently asked questions](usmt-faq.yml)
|
||||
|
||||
[Return codes](usmt-return-codes.md)
|
||||
|
||||
[UsmtUtils syntax](usmt-utilities.md)
|
@ -25,7 +25,7 @@ Options used with the `/extract` option can specify:
|
||||
|
||||
In addition, you can specify the file patterns that you want to extract by using the `/i` option to include file patterns or the `/e` option to exclude file patterns. When both the `/i` option and the `/e` option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the **ScanState** and **LoadState** tools.
|
||||
|
||||
### To run the UsmtUtils tool with the /extract option
|
||||
## To run the UsmtUtils tool with the /extract option
|
||||
|
||||
To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
|
||||
|
||||
@ -93,6 +93,6 @@ In this example, if there is a myProject.exe file, it will also be extracted bec
|
||||
|
||||
[UsmtUtils syntax](usmt-utilities.md)
|
||||
|
||||
[Return codes](usmt-return-codes.md)
|
||||
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
|
||||
|
||||
[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)
|
||||
|
@ -1,339 +0,0 @@
|
||||
---
|
||||
title: Return Codes (Windows 10)
|
||||
description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps.
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.prod: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/01/2022
|
||||
ms.topic: article
|
||||
ms.technology: itpro-deploy
|
||||
---
|
||||
|
||||
# Return codes
|
||||
|
||||
This article describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this article provides tips to help you use the logfiles to determine why you received an error.
|
||||
|
||||
Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
|
||||
|
||||
## USMT return codes
|
||||
|
||||
If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
|
||||
|
||||
Return codes are grouped into the following broad categories that describe their area of error reporting:
|
||||
|
||||
- Success or User Cancel
|
||||
|
||||
- Invalid Command Lines
|
||||
|
||||
- Setup and Initialization
|
||||
|
||||
- Non-fatal Errors
|
||||
|
||||
- Fatal Errors
|
||||
|
||||
As a best practice, we recommend that you set verbosity level to 5, `v:5`, on the `ScanState.exe`, `LoadState.exe`, and `UsmtUtils.exe` command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
|
||||
|
||||
## USMT error messages
|
||||
|
||||
Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **UsmtUtils** tool might return a code of **11** (for **USMT_INVALID_PARAMETERS**) and a related error message that reads **/key and /keyfile both specified**. The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **UsmtUtils** log files to help you determine why the return code was received.
|
||||
|
||||
You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
|
||||
|
||||
## Troubleshooting return codes and error messages
|
||||
|
||||
The following information lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
|
||||
|
||||
### 0: USMT_SUCCESS
|
||||
|
||||
- **Category**: Success or User Cancel
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Successful run** | NA |
|
||||
|
||||
### 1: USMT_DISPLAY_HELP
|
||||
|
||||
- **Category**: Success or User Cancel
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Command line help requested** | NA |
|
||||
|
||||
### 2: USMT_STATUS_CANCELED
|
||||
|
||||
- **Category**: Success or User Cancel
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Gather was aborted because of an EFS file** | NA |
|
||||
| **User chose to cancel (such as pressing CTRL+C)** | NA |
|
||||
|
||||
### 3: USMT_WOULD_HAVE_FAILED
|
||||
|
||||
- **Category**:
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **At least one error was skipped as a result of /c.** | Review ScanState, LoadState, or UsmtUtils log for details about command-line errors. |
|
||||
|
||||
### 11: USMT_INVALID_PARAMETERS
|
||||
|
||||
- **Category**: Invalid Command Lines
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **/all conflicts with /ui, /ue or /uel** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/auto expects an optional parameter for the script folder** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/encrypt can't be used with /nocompress** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/encrypt requires /key or /keyfile** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/genconfig can't be used with most other options** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/genmigxml can't be used with most other options** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/hardlink requires /nocompress** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/key and /keyfile both specified** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/key or /keyfile used without enabling encryption** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/lae is only used with /lac** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/listfiles cannot be used with /p** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/offline requires a valid path to an XML file describing offline paths** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/offlinewindir requires a valid path to offline windows folder** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **/offlinewinold requires a valid path to offline windows folder** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **A command was already specified** | Verify that the command-line syntax is correct and that there are no duplicate commands. |
|
||||
| **An option argument is missing** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **An option is specified more than once and is ambiguous** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed.** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Command line arguments are required. Specify /? for options.** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Command line option is not valid** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **EFS parameter specified is not valid for /efs** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **File argument is invalid for /genconfig** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **File argument is invalid for /genmigxml** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Invalid space estimate path. Check the parameters and/or file system permissions** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **List file path argument is invalid for /listfiles** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Retry argument must be an integer** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Settings store argument specified is invalid** | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
| **Specified encryption algorithm is not supported** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **The /efs:hardlink requires /hardlink** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **The store parameter is required but not specified** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **The source-to-target domain mapping is invalid for /md** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **The source-to-target user account mapping is invalid for /mu** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Undefined or incomplete command line option** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **User exclusion argument is invalid** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08)** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Volume shadow copy feature is not supported with a hardlink store** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Wait delay argument must be an integer** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
|
||||
### 12: USMT_ERROR_OPTION_PARAM_TOO_LARGE
|
||||
|
||||
- **Category**: Invalid Command Lines
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Command line arguments cannot exceed 256 characters** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
| **Specified settings store path exceeds the maximum allowed length of 256 characters** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
|
||||
### 13: USMT_INIT_LOGFILE_FAILED
|
||||
|
||||
- **Category**: Invalid Command Lines
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Log path argument is invalid for /l** | When `/l` is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct. |
|
||||
|
||||
### 14: USMT_ERROR_USE_LAC
|
||||
|
||||
- **Category**: Invalid Command Lines
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Unable to create a local account because /lac was not specified** | When creating local accounts, the command-line options `/lac` and `/lae` should be used. |
|
||||
|
||||
### 26: USMT_INIT_ERROR
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Multiple Windows installations found** | Listfiles.txt couldn't be created. Verify that the location you specified for the creation of this file is valid. |
|
||||
| **Software malfunction or unknown exception** | Check all loaded .xml files for errors, common error when using `/i` to load the `Config.xml` file. |
|
||||
| **Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries** | Verify that the offline input file is present and that it has valid entries. USMT couldn't find valid offline operating system. Verify your offline directory mapping. |
|
||||
|
||||
### 27: USMT_INVALID_STORE_LOCATION
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **A store path can't be used because an existing store exists; specify /o to overwrite** | Specify `/o` to overwrite an existing intermediate or migration store. |
|
||||
| **A store path is missing or has incomplete data** | Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
| **An error occurred during store creation** | Make sure that the store path is accessible and that the proper permission levels are set. Specify `/o` to overwrite an existing intermediate or migration store. |
|
||||
| **An inappropriate device such as a floppy disk was specified for the store** | Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
| **Invalid store path; check the store parameter and/or file system permissions** | Invalid store path; check the store parameter and/or file system permissions. |
|
||||
| **The file layout and/or file content is not recognized as a valid store** | Make sure that the store path is accessible and that the proper permission levels are set. Specify `/o` to overwrite an existing intermediate or migration store. |
|
||||
| **The store path holds a store incompatible with the current USMT version** | Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
| **The store save location is read-only or does not support a requested storage option** | Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
|
||||
### 28: USMT_UNABLE_GET_SCRIPTFILES
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Script file is invalid for /i** | Check all specified migration .xml files for errors. This error is common when using `/i` to load the `Config.xml` file. |
|
||||
| **Unable to find a script file specified by /i** | Verify the location of your script files, and ensure that the command-line options are correct. |
|
||||
|
||||
### 29: USMT_FAILED_MIGSTARTUP
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **A minimum of 250 MB of free space is required for temporary files** | Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable `USMT_WORKING_DIR=<path>` to redirect the temporary files working directory. |
|
||||
| **Another process is preventing migration; only one migration tool can run at a time** | Check the ScanState log file for migration .xml file errors. |
|
||||
| **Failed to start main processing, look in log for system errors or check the installation** | Check the ScanState log file for migration .xml file errors. |
|
||||
| **Migration failed because of an XML error; look in the log for specific details** | Check the ScanState log file for migration .xml file errors. |
|
||||
| **Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table** | Check the ScanState log file for migration .xml file errors. |
|
||||
|
||||
### 31: USMT_UNABLE_FINDMIGUNITS
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **An error occurred during the discover phase; the log should have more specific information** | Check the ScanState log file for migration .xml file errors. |
|
||||
|
||||
### 32: USMT_FAILED_SETMIGRATIONTYPE
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **An error occurred processing the migration system** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
|
||||
|
||||
### 33: USMT_UNABLE_READKEY
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Error accessing the file specified by the /keyfile parameter** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
|
||||
| **The encryption key must have at least one character** | Check the ScanState log file for migration .xml file errors, or use online Help by typing `/?` on the command line. |
|
||||
|
||||
### 34: USMT_ERROR_INSUFFICIENT_RIGHTS
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Directory removal requires elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
|
||||
| **No rights to create user profiles; log in as Administrator; run with elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
|
||||
| **No rights to read or delete user profiles; log in as Administrator, run with elevated privileges** | Sign in as Administrator, and run with elevated privileges. |
|
||||
|
||||
### 35: USMT_UNABLE_DELETE_STORE
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **A reboot is required to remove the store** | Reboot to delete any files that couldn't be deleted when the command was executed. |
|
||||
| **A store path can't be used because it contains data that could not be overwritten** | A migration store couldn't be deleted. If you're using a hardlink migration store, you might have a locked file in it. You should manually delete the store, or use `UsmtUtils.exe /rd` command to delete the store. |
|
||||
| **There was an error removing the store** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
|
||||
### 36: USMT_ERROR_UNSUPPORTED_PLATFORM
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Compliance check failure; please check the logs for details** | Investigate whether there's an active temporary profile on the system. |
|
||||
| **Use of /offline is not supported during apply** | The `/offline` command wasn't used while running in the Windows Preinstallation Environment (WinPE). |
|
||||
| **Use /offline to run gather on this platform** | The `/offline` command wasn't used while running in WinPE. |
|
||||
|
||||
### 37: USMT_ERROR_NO_INVALID_KEY
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **The store holds encrypted data but the correct encryption key was not provided** | Verify that the correct encryption key or keyfile was included with the `/key` or `/keyfile` option. |
|
||||
|
||||
### 38: USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **An error occurred during store access** | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
|
||||
|
||||
### 39: USMT_UNABLE_TO_READ_CONFIG_FILE
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Error reading Config.xml** | Review ScanState log or LoadState log for details about command-line errors in the `Config.xml` file. |
|
||||
| **File argument is invalid for /config** | Check the command line you used to load the `Config.xml` file. You can use online Help by typing `/?` on the command line. |
|
||||
|
||||
### 40: USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Error writing to the progress log** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
|
||||
| **Progress log argument is invalid for /progress** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
|
||||
|
||||
### 41: USMT_PREFLIGHT_FILE_CREATION_FAILED
|
||||
|
||||
- **Category**: Setup and Initialization
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **Can't overwrite existing file** | The Progress log couldn't be created. Verify that the location is valid and that you have write access. |
|
||||
| **Invalid space estimate path. Check the parameters and/or file system permissions** | Review ScanState log or LoadState log for details about command-line errors. |
|
||||
|
||||
### 42: USMT_ERROR_CORRUPTED_STORE
|
||||
|
||||
- **Category**:
|
||||
|
||||
| Error message | The store contains one or more corrupted files |
|
||||
| --- | --- |
|
||||
| **The store holds encrypted data but the correct encryption key was not provided** | Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that aren't corrupted, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md). |
|
||||
|
||||
### 61: USMT_MIGRATION_STOPPED_NONFATAL
|
||||
|
||||
- **Category**: Non-fatal Errors
|
||||
|
||||
| Error message | The store contains one or more corrupted files |
|
||||
| --- | --- |
|
||||
| **Processing stopped due to an I/O error** | USMT exited but can continue with the `/c` command-line option, with the optional configurable **<ErrorControl>** section or by using the `/vsc` command-line option. |
|
||||
|
||||
### 71: USMT_INIT_OPERATING_ENVIRONMENT_FAILED
|
||||
|
||||
- **Category**: Fatal Errors
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **A Windows Win32 API error occurred** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **An error occurred when attempting to initialize the diagnostic mechanisms such as the log** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **Failed to record diagnostic information** | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **Unable to start. Make sure you are running USMT with elevated privileges** | Exit USMT and sign in again with elevated privileges. |
|
||||
|
||||
### 72: USMT_UNABLE_DOMIGRATION
|
||||
|
||||
- **Category**: Fatal Errors
|
||||
|
||||
| Error message | Troubleshooting, mitigation, workarounds |
|
||||
| --- | --- |
|
||||
| **An error occurred closing the store** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **An error occurred in the apply process** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **An error occurred in the gather process** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **Out of disk space while writing the store** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
| **Out of temporary disk space on the local system** | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
|
||||
|
||||
## Related articles
|
||||
|
||||
[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
|
||||
|
||||
[USMT log files](usmt-log-files.md)
|
@ -17,7 +17,7 @@ Always test your migration plan in a controlled laboratory setting before you de
|
||||
|
||||
After you've thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate migration store size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
|
||||
|
||||
If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](usmt-return-codes.md). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
|
||||
If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>` where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
|
||||
|
||||
In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
|
||||
|
||||
|
@ -19,10 +19,10 @@ The following table describes articles that address common User State Migration
|
||||
|
||||
| Link | Description |
|
||||
|--- |--- |
|
||||
|[Common Issues](usmt-common-issues.md)|Find troubleshooting solutions for common problems in USMT.|
|
||||
|[Common Issues](/troubleshoot/windows-client/deployment/usmt-common-issues)|Find troubleshooting solutions for common problems in USMT.|
|
||||
|[Frequently Asked Questions](usmt-faq.yml)|Find answers to questions about how to use USMT.|
|
||||
|[Log Files](usmt-log-files.md)|Learn how to enable logging to help you troubleshoot issues in USMT.|
|
||||
|[Return Codes](usmt-return-codes.md)|Learn how to use return codes to identify problems in USMT.|
|
||||
|[Return Codes](/troubleshoot/windows-client/deployment/usmt-return-codes)|Learn how to use return codes to identify problems in USMT.|
|
||||
|[USMT Resources](usmt-resources.md)|Find more information and support for using USMT.|
|
||||
|
||||
## Related articles
|
||||
|
@ -97,4 +97,4 @@ Some examples of `/extract` commands:
|
||||
|
||||
[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
|
||||
|
||||
[Return codes](usmt-return-codes.md)
|
||||
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
|
||||
|
@ -53,7 +53,7 @@ This section describes the user data that USMT migrates by default, using the `M
|
||||
- Favorites
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
|
||||
> Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
|
||||
|
||||
- **Folders from the All Users and Public profiles.** When you specify the `MigUser.xml` file, USMT also migrates the following from the **Public** profile in Windows Vista, Windows 7, Windows 8, or Windows 10:
|
||||
|
||||
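Review bot: The fragment `#usmt-doesnt-migrate-the-start-layout` is carried over unchanged from the local `./usmt-common-issues.md` link onto the cross-site `/troubleshoot/windows-client/deployment/usmt-common-issues` URL on the new `> Starting in Windows 10, version 1607 …` line; heading ids are generated per site, so this anchor may not exist on the troubleshoot article and the link would then silently land at the top of the page. Confirm the heading id on the target article before merging, or drop the fragment and link to the article as a whole, e.g. `[USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues)`. The same carried-over fragment appears in the hunk at `@ -247,7 +247,7 @@` (the Start menu layout section) and needs the same check.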
@ -209,7 +209,7 @@ When you specify the `MigApp.xml` file, USMT migrates the settings for the follo
|
||||
|
||||
## What USMT doesn't migrate
|
||||
|
||||
The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](usmt-common-issues.md).
|
||||
The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](/troubleshoot/windows-client/deployment/usmt-common-issues).
|
||||
|
||||
### Application settings
|
||||
|
||||
@ -247,7 +247,7 @@ You should also note the following items:
|
||||
|
||||
### Start menu layout
|
||||
|
||||
Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
|
||||
Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
|
||||
|
||||
### User profiles from Active Directory to Azure Active Directory
|
||||
|
||||
|
@ -101,4 +101,4 @@ If the `/verify` option indicates that there are corrupted files in the migratio
|
||||
|
||||
[UsmtUtils syntax](usmt-utilities.md)
|
||||
|
||||
[Return codes](usmt-return-codes.md)
|
||||
[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
|
||||
|
@ -136,25 +136,25 @@
|
||||
- name: Troubleshoot BitLocker
|
||||
items:
|
||||
- name: Troubleshoot BitLocker
|
||||
href: information-protection/bitlocker/troubleshoot-bitlocker.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
|
||||
- name: "BitLocker cannot encrypt a drive: known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
|
||||
- name: "Enforcing BitLocker policies by using Intune: known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
|
||||
- name: "BitLocker Network Unlock: known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
|
||||
- name: "BitLocker recovery: known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
|
||||
- name: "BitLocker configuration: known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-config-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
|
||||
- name: Troubleshoot BitLocker and TPM issues
|
||||
items:
|
||||
- name: "BitLocker cannot encrypt a drive: known TPM issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
|
||||
- name: "BitLocker and TPM: other known issues"
|
||||
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
|
||||
- name: Decode Measured Boot logs to track PCR changes
|
||||
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
|
||||
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
|
||||
- name: Personal Data Encryption (PDE)
|
||||
items:
|
||||
- name: Personal Data Encryption (PDE) overview
|
||||
|
@ -21,7 +21,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker basic deployment
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker Countermeasures
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -20,7 +20,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker frequently asked questions (FAQ)
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -15,7 +15,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker deployment comparison
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# Overview of BitLocker Device Encryption in Windows
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -22,7 +22,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker frequently asked questions (FAQ) resources
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -18,7 +18,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker group policy settings
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -16,7 +16,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker: How to deploy on Windows Server 2012 and later
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows Server 2012
|
||||
- Windows Server 2012 R2
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker: How to enable Network Unlock
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker Key Management FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker Network Unlock FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -21,7 +21,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker Overview and Requirements FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
@ -97,6 +97,6 @@ When installing the BitLocker optional component on a server, the Enhanced Stora
|
||||
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
|
||||
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
|
||||
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
|
||||
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
|
||||
| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
|
||||
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
|
||||
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
|
||||
|
@ -18,7 +18,7 @@ ms.custom: bitlocker
|
||||
|
||||
# BitLocker recovery guide
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker Security FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker To Go FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
|
||||
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: BitLocker Upgrading FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -18,7 +18,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -18,7 +18,7 @@ ms.technology: itpro-security
|
||||
|
||||
# BitLocker: Use BitLocker Recovery Password Viewer
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -19,7 +19,7 @@ metadata:
|
||||
ms.custom: bitlocker
|
||||
title: Using BitLocker with other programs FAQ
|
||||
summary: |
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
@ -17,7 +17,7 @@ ms.technology: itpro-security
|
||||
|
||||
# Prepare an organization for BitLocker: Planning and policies
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
@ -16,7 +16,7 @@ ms.technology: itpro-security
|
||||
|
||||
# Protecting cluster shared volumes and storage area networks with BitLocker
|
||||
|
||||
*Applies to:*
|
||||
**Applies to:**
|
||||
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
@ -1,152 +0,0 @@
|
||||
---
|
||||
title: Guidelines for troubleshooting BitLocker
|
||||
description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# Guidelines for troubleshooting BitLocker
|
||||
|
||||
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier.
|
||||
|
||||
## Review the event logs
|
||||
|
||||
Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**:
|
||||
|
||||
- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
|
||||
|
||||
- **Microsoft-Windows-BitLocker-API/Management**
|
||||
- **Microsoft-Windows-BitLocker-API/Operational**
|
||||
- **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled
|
||||
|
||||
- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
|
||||
|
||||
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin**
|
||||
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational**
|
||||
|
||||
Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources.
|
||||
|
||||
To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used.
|
||||
|
||||
For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
|
||||
|
||||
```cmd
|
||||
wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
|
||||
```
|
||||
|
||||
To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command:
|
||||
|
||||
```powershell
|
||||
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
|
||||
```
|
||||
|
||||
The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
|
||||
|
||||
- To display BitLocker-related information:
|
||||
|
||||
```powershell
|
||||
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
|
||||
```
|
||||
|
||||
The output of such a command resembles the following.
|
||||
|
||||

|
||||
|
||||
- To export BitLocker-related information:
|
||||
|
||||
```powershell
|
||||
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
|
||||
```
|
||||
|
||||
- To display TPM-related information:
|
||||
|
||||
```powershell
|
||||
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
|
||||
```
|
||||
|
||||
- To export TPM-related information:
|
||||
|
||||
```powershell
|
||||
Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
|
||||
```
|
||||
|
||||
The output of such a command resembles the following.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> When contacting Microsoft Support, it is recommended to export the logs listed in this section.
|
||||
|
||||
## Gather status information from the BitLocker technologies
|
||||
|
||||
Open an elevated Windows PowerShell window, and run each of the following commands:
|
||||
|
||||
|Command |Notes | More Info |
|
||||
| --- | --- | --- |
|
||||
|**`Get-Tpm > C:\TPM.txt`** |PowerShell cmdlet that exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet isn't supported in Windows 7. | [Get-Tpm](/powershell/module/trustedplatformmodule/get-tpm)|
|
||||
|**`manage-bde.exe -status > C:\BDEStatus.txt`** |Exports information about the general encryption status of all drives on the computer. | [manage-bde.exe status](/windows-server/administration/windows-commands/manage-bde-status) |
|
||||
|**`manage-bde.exe c: -protectors -get > C:\Protectors`** |Exports information about the protection methods that are used for the BitLocker encryption key. | [manage-bde.exe protectors](/windows-server/administration/windows-commands/manage-bde-protectors)|
|
||||
|**`reagentc.exe /info > C:\reagent.txt`** |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | [reagentc.exe](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |
|
||||
|**`Get-BitLockerVolume \| fl`** |PowerShell cmdlet that gets information about volumes that BitLocker Drive Encryption can protect. | [Get-BitLockerVolume](/powershell/module/bitlocker/get-bitlockervolume) |
|
||||
|
||||
## Review the configuration information
|
||||
|
||||
1. Open an elevated Command Prompt window, and run the following commands:
|
||||
|
||||
|Command |Notes | More Info |
|
||||
| --- | --- | --- |
|
||||
|**`gpresult.exe /h <Filename>`** |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | [gpresult.exe](/windows-server/administration/windows-commands/gpresult) |
|
||||
|**`msinfo.exe /report <Path> /computer <ComputerName>`** |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |[msinfo.exe](/windows-server/administration/windows-commands/msinfo32) |
|
||||
|
||||
2. Open Registry Editor, and export the entries in the following subkeys:
|
||||
|
||||
- **`HKLM\SOFTWARE\Policies\Microsoft\FVE`**
|
||||
- **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`**
|
||||
|
||||
## Check the BitLocker prerequisites
|
||||
|
||||
Common settings that can cause issues for BitLocker include the following scenarios:
|
||||
|
||||
- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM.
|
||||
|
||||
- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE.
|
||||
|
||||
- The system-reserved partition must use the correct format.
|
||||
|
||||
- On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
|
||||
- On legacy computers, the system-reserved partition must be formatted as NTFS.
|
||||
|
||||
- If the device being troubleshot is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
|
||||
|
||||
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
|
||||
|
||||
## Next steps
|
||||
|
||||
If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
|
||||
|
||||
Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate.
|
||||
|
||||
- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
|
||||
|
||||
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
|
||||
|
||||
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
|
||||
|
||||
- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
|
||||
|
||||
- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
|
||||
|
||||
- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
|
||||
|
||||
- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
|
||||
|
||||
It's recommended to keep the gathered information handy in case Microsoft Support is contacted for help with resolving the issue.
|
@ -1,114 +0,0 @@
|
||||
---
|
||||
title: BitLocker cannot encrypt a drive known issues
|
||||
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# BitLocker cannot encrypt a drive: known issues
|
||||
|
||||
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
||||
|
||||
> [!NOTE]
|
||||
> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
|
||||
|
||||
## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
|
||||
|
||||
When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
|
||||
|
||||
> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
|
||||
|
||||
### Cause of **Error 0x80310059**
|
||||
|
||||
This issue may be caused by settings that are controlled by group policy objects (GPOs).
|
||||
|
||||
### Resolution for **Error 0x80310059**
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
|
||||
|
||||
To resolve this issue, follow these steps:
|
||||
|
||||
1. Start Registry Editor, and navigate to the following subkey:
|
||||
|
||||
**`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
|
||||
|
||||
2. Delete the following entries:
|
||||
|
||||
- **`OSPlatformValidation_BIOS`**
|
||||
- **`OSPlatformValidation_UEFI`**
|
||||
- **`PlatformValidation`**
|
||||
|
||||
3. Exit registry editor, and turn on BitLocker drive encryption again.
|
||||
|
||||
<!--
|
||||
|
||||
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO WINDOWS 10 VERSIONS THAT BEEN OUT OF SUPPORT FOR SEVERAL YEARS
|
||||
|
||||
## **Access is denied** message when attempting to encrypt removable drives
|
||||
|
||||
A computer is running Windows 10, version 1709 or version 1607. Encryption is attempted on a USB drive by following these steps:
|
||||
|
||||
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
|
||||
|
||||
2. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
|
||||
|
||||
3. Follow the instructions on the page to enter a password.
|
||||
|
||||
4. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
|
||||
|
||||
5. The **Starting encryption** page displays the message **Access is denied.**
|
||||
|
||||
The message is received on any computer that runs Windows 10 version 1709 or version 1607, when any USB drive is used.
|
||||
|
||||
### Cause of **Access is denied** message
|
||||
|
||||
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
|
||||
|
||||
To verify that this issue has occurred, follow these steps:
|
||||
|
||||
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
|
||||
|
||||
2. At the command prompt, enter the following command:
|
||||
|
||||
```console
|
||||
C:\>sc sdshow bdesvc
|
||||
```
|
||||
|
||||
The output of this command resembles the following output:
|
||||
|
||||
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
|
||||
|
||||
3. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
|
||||
|
||||

|
||||
|
||||
If `NT AUTHORITY\INTERACTIVE` is seen as highlighted in the output of this command, this line is the cause of the issue. Under typical conditions, the output should resemble the following output instead:
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> GPOs that change the security descriptors of services have been known to cause this issue.
|
||||
|
||||
### Resolution for **Access is denied** message
|
||||
|
||||
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
|
||||
|
||||
```powershell
|
||||
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
|
||||
```
|
||||
|
||||
2. Restart the computer.
|
||||
|
||||
The issue should now be resolved.
|
||||
|
||||
-->
|
@ -1,157 +0,0 @@
|
||||
---
|
||||
title: BitLocker cannot encrypt a drive known TPM issues
|
||||
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# BitLocker cannot encrypt a drive: known TPM issues
|
||||
|
||||
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
|
||||
|
||||
> [!NOTE]
|
||||
> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
|
||||
|
||||
## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed
|
||||
|
||||
It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message:
|
||||
|
||||
> **The TPM is defending against dictionary attacks and is in a time-out period.**
|
||||
|
||||
### Cause of the TPM being locked
|
||||
|
||||
The TPM is locked out.
|
||||
|
||||
### Resolution for the TPM being locked
|
||||
|
||||
To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps:
|
||||
|
||||
1. Open an elevated PowerShell window and run the following script:
|
||||
|
||||
```powershell
|
||||
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
|
||||
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
|
||||
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
|
||||
```
|
||||
|
||||
2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM.
|
||||
|
||||
3. Sign on to Windows and retry starting BitLocker drive encryption.
|
||||
|
||||
> [!WARNING]
|
||||
> Resetting and clearing the TPM can cause data loss.
|
||||
|
||||
## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`**
|
||||
|
||||
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
|
||||
|
||||
> **The TPM is defending against dictionary attacks and is in a time-out period.**
|
||||
|
||||
### Cause of TPM failing to prepare
|
||||
|
||||
The TPM is locked out.
|
||||
|
||||
### Resolution for TPM failing to prepare
|
||||
|
||||
To resolve this issue, disable and re-enable the TPM with the following steps:
|
||||
|
||||
1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens.
|
||||
|
||||
2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens.
|
||||
|
||||
3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows.
|
||||
|
||||
4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed:
|
||||
|
||||
> **Compatible TPM cannot be found**
|
||||
>
|
||||
> **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.**
|
||||
|
||||
This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device.
|
||||
|
||||
5. Restart the device and enter the UEFI/BIOS configuration screens again.
|
||||
|
||||
6. Reenable the TPM in the UEFI/BIOS configuration screens.
|
||||
|
||||
7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows.
|
||||
|
||||
8. Once signed into Windows, return to the TPM management console.
|
||||
|
||||
If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||
|
||||
> [!WARNING]
|
||||
> Clearing the TPM can cause data loss.
|
||||
|
||||
## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**
|
||||
|
||||
The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**.
|
||||
|
||||
### Cause of **`Access Denied`** or **`Insufficient Rights`**
|
||||
|
||||
The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on.
|
||||
|
||||
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
|
||||
|
||||
### Resolution for **`Access Denied`** or **`Insufficient Rights`**
|
||||
|
||||
To verify this issue is occurring, use one of the following two methods:
|
||||
|
||||
- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy.
|
||||
|
||||
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=<domain>,DC=com`** container.
|
||||
|
||||
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
|
||||
|
||||
```powershell
|
||||
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
|
||||
```
|
||||
|
||||
In this command, *ComputerName* is the name of the affected computer.
|
||||
|
||||
2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**.
|
||||
|
||||
## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`**
|
||||
|
||||
Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
|
||||
|
||||
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
|
||||
|
||||
> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled**
|
||||
|
||||
It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
|
||||
|
||||
### Cause of **0x80072030: There is no such object on the server**
|
||||
|
||||
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
|
||||
|
||||
### Resolution for **0x80072030: There is no such object on the server**
|
||||
|
||||
The issue can be resolved with the following steps:
|
||||
|
||||
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
|
||||
|
||||
2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
|
||||
|
||||
3. In the script, modify the value of **strPathToDomain** to the organization's domain name.
|
||||
|
||||
4. Open an elevated PowerShell window, and run the following command:
|
||||
|
||||
```cmd
|
||||
cscript.exe <Path>\Add-TPMSelfWriteACE.vbs
|
||||
```
|
||||
|
||||
In this command, \<*Path*> is the path to the script file.
|
||||
|
||||
For more information, see the following articles:
|
||||
|
||||
- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
|
||||
- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)
|
@ -1,191 +0,0 @@
|
||||
---
|
||||
title: BitLocker configuration known issues
|
||||
description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# BitLocker configuration: known issues
|
||||
|
||||
This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
|
||||
|
||||
## BitLocker encryption is slower in Windows 10 and Windows 11
|
||||
|
||||
BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance.
|
||||
|
||||
To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
|
||||
|
||||
### Benefits of using the new conversion model
|
||||
|
||||
By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial.
|
||||
|
||||
By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
|
||||
|
||||
### Other BitLocker enhancements
|
||||
|
||||
Several other areas of BitLocker were improved in versions of Windows released after Windows 7:
|
||||
|
||||
- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
|
||||
|
||||
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
|
||||
|
||||
- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces:
|
||||
|
||||
- BitLocker Wizard
|
||||
- manage-bde.exe
|
||||
- Group Policy Objects (GPOs)
|
||||
- Mobile Device Management (MDM) policy
|
||||
- Windows PowerShell
|
||||
- Windows Management Interface (WMI)
|
||||
|
||||
- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover.
|
||||
|
||||
- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup.
|
||||
|
||||
- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart.
|
||||
|
||||
- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
|
||||
|
||||
- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
|
||||
|
||||
## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V.
|
||||
|
||||
2. Data is added to the data disk as it encrypts.
|
||||
|
||||
3. The VM is restarted and the following behavior is observed:
|
||||
|
||||
- The system volume isn't encrypted.
|
||||
|
||||
- The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**.
|
||||
|
||||
- A message similar to the following message is displayed:
|
||||
|
||||
> **You need to format the disk in \<*drive_letter:*> drive before you can use it**
|
||||
|
||||
### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
|
||||
|
||||
This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM.
|
||||
|
||||
### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
|
||||
|
||||
To resolve this issue, remove the third-party software.
|
||||
|
||||
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup.
|
||||
|
||||
This issue occurs regardless of any of the following variations in the environment:
|
||||
|
||||
- How the domain controller volumes are unlocked.
|
||||
- Whether the VMs are generation 1 or generation 2.
|
||||
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
|
||||
|
||||
In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**:
|
||||
|
||||
> ID: 8229<br>
|
||||
> Level: Warning<br>
|
||||
> Source: VSS<br>
|
||||
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.<br>
|
||||
>
|
||||
> Changes that the writer made to the writer components while handling the event will not be available to the requester.<br>
|
||||
>
|
||||
> Check the event log for related events from the application hosting the VSS writer.
|
||||
>
|
||||
> Operation:<br>
|
||||
> PostSnapshot Event
|
||||
>
|
||||
> Context:<br>
|
||||
> Execution Context: Writer<br>
|
||||
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}<br>
|
||||
> Writer Name: NTDS<br>
|
||||
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}<br>
|
||||
> Command Line: C:\\Windows\\system32\\lsass.exe<br>
|
||||
>
|
||||
> Process ID: 680
|
||||
|
||||
In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event:
|
||||
|
||||
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168<br>
|
||||
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
|
||||
>
|
||||
> Additional Data<br>
|
||||
> Error value (decimal): -1022<br>
|
||||
>
|
||||
> Error value (hex): fffffc02
|
||||
>
|
||||
> Internal ID: 160207d9
|
||||
|
||||
> [!NOTE]
|
||||
> The internal ID of this event may differ based on the operating system release version and patch level.
|
||||
|
||||
When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
|
||||
|
||||
```Error
|
||||
Writer name: 'NTDS'
|
||||
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
|
||||
Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
|
||||
State: [11] Failed
|
||||
Last error: Non-retryable error
|
||||
```
|
||||
|
||||
Additionally, the VMs can't be backed up until they're restarted.
|
||||
|
||||
### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
|
||||
|
||||
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
|
||||
|
||||
This behavior is by design.
|
||||
|
||||
### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
|
||||
|
||||
A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system.
|
||||
|
||||
If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended.
|
||||
|
||||
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
|
||||
|
||||
### More information
|
||||
|
||||
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
|
||||
|
||||
```console
|
||||
\# for hex 0xc0210000 / decimal -1071579136
|
||||
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
|
||||
\# This volume is locked by BitLocker Drive Encryption.
|
||||
```
|
||||
|
||||
The operation produces the following call stack:
|
||||
|
||||
```console
|
||||
\# Child-SP RetAddr Call Site
|
||||
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
|
||||
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
|
||||
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
|
||||
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
|
||||
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
|
||||
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
|
||||
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
|
||||
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
|
||||
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
|
||||
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
|
||||
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
|
||||
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
|
||||
```
|
@ -1,120 +0,0 @@
|
||||
---
|
||||
title: Decode Measured Boot logs to track PCR changes
|
||||
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# Decode Measured Boot logs to track PCR changes
|
||||
|
||||
Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
|
||||
|
||||
By tracking changes in the PCRs, and identifying when they changed, insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the `C:\Windows\Logs\MeasuredBoot\` folder.
|
||||
|
||||
This article describes tools that can be used to decode these logs: `TBSLogGenerator.exe` and `PCPTool.exe`.
|
||||
|
||||
For more information about Measured Boot and PCRs, see the following articles:
|
||||
|
||||
- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation)
|
||||
- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
|
||||
|
||||
## Use `TBSLogGenerator.exe` to decode Measured Boot logs
|
||||
|
||||
Use `TBSLogGenerator.exe` to decode Measured Boot logs that were collected from Windows. `TBSLogGenerator.exe` can be installed on the following systems:
|
||||
|
||||
- A computer that is running Windows Server 2016 or newer and that has a TPM enabled
|
||||
- A Gen 2 virtual machine running on Hyper-V that is running Windows Server 2016 or newer and is using a virtual TPM.
|
||||
|
||||
To install the tool, follow these steps:
|
||||
|
||||
1. Download the Windows Hardware Lab Kit from [Windows Hardware Lab Kit](/windows-hardware/test/hlk/).
|
||||
|
||||
2. After downloading, run the installation file from the path where the install was downloaded to.
|
||||
|
||||
3. Accept the default installation path.
|
||||
|
||||

|
||||
|
||||
4. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
|
||||
|
||||

|
||||
|
||||
5. Finish the installation.
|
||||
|
||||
To use `TBSLogGenerator.exe`, follow these steps:
|
||||
|
||||
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
|
||||
|
||||
**`C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb`**
|
||||
|
||||
This folder contains the `TBSLogGenerator.exe` file.
|
||||
|
||||

|
||||
|
||||
1. Run the following command:
|
||||
|
||||
```cmd
|
||||
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
|
||||
```
|
||||
|
||||
where the variables represent the following values:
|
||||
|
||||
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
|
||||
- \<*LogFileName*> = the name of the file to be decoded
|
||||
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
|
||||
- \<*DecodedFileName*> = the name of the decoded text file
|
||||
|
||||
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file:
|
||||
|
||||
```cmd
|
||||
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
|
||||
```
|
||||
|
||||

|
||||
|
||||
The command produces a text file that uses the specified name. In this example, the file is **`0000000005-0000000000.txt`**. The file is located in the same folder as the original `.log` file.
|
||||
|
||||

|
||||
|
||||
The content of this text file is similar to the following text:
|
||||
|
||||

|
||||
|
||||
To find the PCR information, go to the end of the file.
|
||||
|
||||

|
||||
|
||||
## Use `PCPTool.exe` to decode Measured Boot logs
|
||||
|
||||
> [!NOTE]
|
||||
> `PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used.
|
||||
|
||||
`PCPTool.exe` is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
|
||||
|
||||
To download and install `PCPTool.exe`, go to the Toolkit page, select **Download**, and follow the instructions.
|
||||
|
||||
To decode a log, run the following command:
|
||||
|
||||
```cmd
|
||||
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
|
||||
```
|
||||
|
||||
where the variables represent the following values:
|
||||
|
||||
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
|
||||
- \<*LogFileName*> = the name of the file to be decoded
|
||||
- \<*DestinationFolderName*> = the name of the folder for the decoded text file
|
||||
- \<*DecodedFileName*> = the name of the decoded text file
|
||||
|
||||
The content of the XML file will be similar to the following XML:
|
||||
|
||||
:::image type="content" alt-text="Command Prompt window that shows an example of how to use `PCPTool.exe`." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::
|
@ -1,366 +0,0 @@
|
||||
---
|
||||
title: Enforcing BitLocker policies by using Intune known issues
|
||||
description: Provides assistance for issues that may be seen if Microsoft Intune policy is being used to manage silent BitLocker encryption on devices.
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# Enforcing BitLocker policies by using Intune: known issues
|
||||
|
||||
This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
|
||||
|
||||
:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
|
||||
|
||||
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the **Management** and **Operations** logs in the **Applications and Services logs** > **Microsoft** > **Windows** > **BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
|
||||
|
||||
- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#event-id-853-error-a-compatible-trusted-platform-module-tpm-security-device-cannot-be-found-on-this-computer)
|
||||
- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#event-id-853-error-bitlocker-drive-encryption-detected-bootable-media-cd-or-dvd-in-the-computer)
|
||||
- [Event ID 854: WinRE is not configured](#event-id-854-winre-is-not-configured)
|
||||
- [Event ID 851: Contact manufacturer for BIOS upgrade](#event-id-851-contact-the-manufacturer-for-bios-upgrade-instructions)
|
||||
- [Error message: The UEFI variable 'SecureBoot' could not be read](#error-message-the-uefi-variable-secureboot-could-not-be-read)
|
||||
- [Event ID 846, 778, and 851: Error 0x80072f9a](#event-id-846-778-and-851-error-0x80072f9a)
|
||||
- [Error message: There are conflicting group policy settings for recovery options on operating system drives](#error-message-there-are-conflicting-group-policy-settings-for-recovery-options-on-operating-system-drives)
|
||||
|
||||
If there's no clear trail of events or error messages to follow, other areas to investigate include the following areas:
|
||||
|
||||
- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
|
||||
- [Review BitLocker policy configuration](#review-bitlocker-policy-configuration)
|
||||
|
||||
For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
|
||||
|
||||
## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
|
||||
|
||||
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. The event information will be similar to the following event:
|
||||
|
||||

|
||||
|
||||
### Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
|
||||
|
||||
The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
|
||||
|
||||
### Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
|
||||
|
||||
To resolve this issue, verify the following configurations:
|
||||
|
||||
- The TPM is enabled in the device BIOS.
|
||||
- The TPM status in the TPM management console is similar to the following statuses:
|
||||
- Ready (TPM 2.0)
|
||||
- Initialized (TPM 1.2)
|
||||
|
||||
For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md).
|
||||
|
||||
## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
|
||||
|
||||
In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
|
||||
|
||||

|
||||
|
||||
### Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
|
||||
|
||||
During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts.
|
||||
|
||||
To avoid this situation, the provisioning process stops if it detects a removable bootable media.
|
||||
|
||||
### Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
|
||||
|
||||
Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
|
||||
|
||||
## Event ID 854: WinRE is not configured
|
||||
|
||||
The event information resembles the following error message:
|
||||
|
||||
> Failed to enable Silent Encryption. WinRe is not configured.
|
||||
>
|
||||
> Error: This PC cannot support device encryption because WinRE is not properly configured.
|
||||
|
||||
### Cause of Event ID 854: WinRE is not configured
|
||||
|
||||
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE.
|
||||
|
||||
The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
|
||||
|
||||
If WinRE isn't available on the device, provisioning stops.
|
||||
|
||||
### Resolution for Event ID 854: WinRE is not configured
|
||||
|
||||
This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps:
|
||||
|
||||
#### Step 1: Verify the configuration of the disk partitions
|
||||
|
||||
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the **`Winre.wim`** file. The partition configuration resembles the following.
|
||||
|
||||

|
||||
|
||||
To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
|
||||
|
||||
```cmd
|
||||
diskpart.exe
|
||||
list volume
|
||||
```
|
||||
|
||||

|
||||
|
||||
If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager):
|
||||
|
||||

|
||||
|
||||
#### Step 2: Verify the status of WinRE
|
||||
|
||||
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
reagentc.exe /info
|
||||
```
|
||||
|
||||
The output of this command resembles the following.
|
||||
|
||||

|
||||
|
||||
If the **Windows RE status** isn't **Enabled**, run the following command to enable it:
|
||||
|
||||
```cmd
|
||||
reagentc.exe /enable
|
||||
```
|
||||
|
||||
#### Step 3: Verify the Windows Boot Loader configuration
|
||||
|
||||
If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:
|
||||
|
||||
```cmd
|
||||
bcdedit.exe /enum all
|
||||
```
|
||||
|
||||
The output of this command will be similar to the following output:
|
||||
|
||||
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
|
||||
|
||||
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
|
||||
|
||||
## Event ID 851: Contact the manufacturer for BIOS upgrade instructions
|
||||
|
||||
The event information will be similar to the following error message:
|
||||
|
||||
> Failed to enable Silent Encryption.
|
||||
>
|
||||
> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
|
||||
|
||||
### Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions
|
||||
|
||||
The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.
|
||||
|
||||
### Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions
|
||||
|
||||
To verify the BIOS mode, use the System Information application by following these steps:
|
||||
|
||||
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
||||
|
||||
2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
|
||||
|
||||

|
||||
|
||||
3. If the **BIOS Mode** setting is **Legacy**, the UEFI firmware needs to be switched to **UEFI** or **EFI** mode. The steps for switching to **UEFI** or **EFI** mode are specific to the device.
|
||||
|
||||
> [!NOTE]
|
||||
> If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
|
||||
|
||||
## Error message: The UEFI variable 'SecureBoot' could not be read
|
||||
|
||||
An error message similar to the following error message is displayed:
|
||||
|
||||
> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
|
||||
|
||||
### Cause of Error message: The UEFI variable 'SecureBoot' could not be read
|
||||
|
||||
A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
|
||||
|
||||
### Resolution for Error message: The UEFI variable 'SecureBoot' could not be read
|
||||
|
||||
This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:
|
||||
|
||||
#### Step 1: Verify the PCR validation profile of the TPM
|
||||
|
||||
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
Manage-bde.exe -protectors -get %systemdrive%
|
||||
```
|
||||
|
||||
In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
|
||||
|
||||

|
||||
|
||||
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot isn't turned on.
|
||||
|
||||

|
||||
|
||||
#### 2: Verify the secure boot state
|
||||
|
||||
To verify the secure boot state, use the System Information application by following these steps:
|
||||
|
||||
1. Select **Start**, and enter **msinfo32** in the **Search** box.
|
||||
|
||||
2. Verify that the **Secure Boot State** setting is **On**, as follows:
|
||||
|
||||

|
||||
|
||||
3. If the **Secure Boot State** setting is **Unsupported**, Silent BitLocker Encryption can't be used on the device.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
|
||||
>
|
||||
> ```powershell
|
||||
> Confirm-SecureBootUEFI
|
||||
> ```
|
||||
>
|
||||
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
|
||||
>
|
||||
> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
|
||||
>
|
||||
> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
|
||||
|
||||
## Event ID 846, 778, and 851: Error 0x80072f9a
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Azure Active Directory (Azure AD). As part of the policy configuration, the **Allow standard users to enable encryption during Azure AD Join** option has been selected.
|
||||
|
||||
The policy deployment fails and the failure generates the following events in Event Viewer in the **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker API** folder:
|
||||
|
||||
> Event ID:846
|
||||
>
|
||||
> Event:
|
||||
> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
|
||||
>
|
||||
> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
|
||||
> Error: Unknown HResult Error code: 0x80072f9a
|
||||
|
||||
> Event ID:778
|
||||
>
|
||||
> Event: The BitLocker volume C: was reverted to an unprotected state.
|
||||
|
||||
> Event ID: 851
|
||||
>
|
||||
> Event:
|
||||
> Failed to enable Silent Encryption.
|
||||
>
|
||||
> Error: Unknown HResult Error code: 0x80072f9a.
|
||||
|
||||
These events refer to Error code 0x80072f9a.
|
||||
|
||||
### Cause of Event ID 846, 778, and 851: Error 0x80072f9a
|
||||
|
||||
These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
|
||||
|
||||
The issue affects Windows 10 version 1809.
|
||||
|
||||
### Resolution for Event ID 846, 778, and 851: Error 0x80072f9a
|
||||
|
||||
To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
|
||||
|
||||
## Error message: There are conflicting group policy settings for recovery options on operating system drives
|
||||
|
||||
An error message similar to the following error message is displayed:
|
||||
|
||||
> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
|
||||
|
||||
### Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives
|
||||
|
||||
To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, [Review BitLocker policy configuration](#review-bitlocker-policy-configuration).
|
||||
|
||||
For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
|
||||
|
||||
## Review BitLocker policy configuration
|
||||
|
||||
For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
|
||||
|
||||
- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
|
||||
- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
|
||||
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
|
||||
- [Policy CSP – BitLocker](/windows/client-management/mdm/policy-csp-bitlocker)
|
||||
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
|
||||
- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
|
||||
- [gpresult](/windows-server/administration/windows-commands/gpresult)
|
||||
|
||||
Intune offers the following enforcement types for BitLocker:
|
||||
|
||||
- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
|
||||
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
|
||||
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
|
||||
|
||||
If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption.
|
||||
|
||||
If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. The settings for this policy should be similar to the following settings:
|
||||
|
||||

|
||||
|
||||
The OMA-URI references for these settings are as follows:
|
||||
|
||||
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
|
||||
Value Type: **Integer**
|
||||
Value: **1** (1 = Require, 0 = Not Configured)
|
||||
|
||||
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
|
||||
Value Type: **Integer**
|
||||
Value: **0** (0 = Blocked, 1 = Allowed)
|
||||
|
||||
> [!NOTE]
|
||||
> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
|
||||
|
||||
> [!NOTE]
|
||||
> If the **Warning for other disk encryption** setting is set to **Not configured**, the BitLocker drive encryption wizard has to be manually started.
|
||||
|
||||
If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard.
|
||||
|
||||
Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
|
||||
|
||||
- Be HSTI-compliant
|
||||
- Support Modern Standby
|
||||
- Use Windows 10 version 1803 or later
|
||||
|
||||

|
||||
|
||||
The OMA-URI references for these settings are as follows:
|
||||
|
||||
- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
|
||||
Value Type: **Integer**
|
||||
Value: **1**
|
||||
|
||||
> [!NOTE]
|
||||
> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when the following settings are set:
|
||||
>
|
||||
> - **RequireDeviceEncryption** to **1**
|
||||
> - **AllowStandardUserEncryption** to **1**
|
||||
> - **AllowWarningForOtherDiskEncryption** to **0**
|
||||
>
|
||||
> Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
|
||||
|
||||
## Verifying that BitLocker is operating correctly
|
||||
|
||||
During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
|
||||
|
||||

|
||||
|
||||

|
||||
|
||||
It can also be determined whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
|
||||
|
||||

|
||||
|
||||
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
|
||||
|
||||
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`**
|
||||
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device`**
|
||||
|
||||

|
@ -1,105 +0,0 @@
|
||||
---
|
||||
title: BitLocker Network Unlock known issues
|
||||
description: Describes several known issues that may be encountered while using Network Unlock, and provided guidance for addressing those issues.
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.reviewer: kaushika
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.custom: bitlocker
|
||||
ms.date: 11/08/2022
|
||||
---
|
||||
|
||||
# BitLocker Network Unlock: known issues
|
||||
|
||||
By using the BitLocker Network Unlock feature, computers can be managed remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, the environment needs to meet the following requirements:
|
||||
|
||||
- Each computer belongs to a domain.
|
||||
- Each computer has a wired connection to the internal network.
|
||||
- The internal network uses DHCP to manage IP addresses.
|
||||
- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
|
||||
|
||||
For general guidelines about how to troubleshoot BitLocker Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
|
||||
|
||||
This article describes several known issues that may be encountered when BitLocker Network Unlock is used and provides guidance to address these issues.
|
||||
|
||||
> [!TIP]
|
||||
> BitLocker Network Unlock can be detected if it is enabled on a specific computer use the following steps on UEFI computers:
|
||||
>
|
||||
> 1. Open an elevated command prompt window and run the following command:
|
||||
>
|
||||
> ```cmd
|
||||
> manage-bde.exe -protectors -get <Drive>
|
||||
> ```
|
||||
>
|
||||
> For example:
|
||||
>
|
||||
> ```cmd
|
||||
> manage-bde.exe -protectors -get C:
|
||||
> ```
|
||||
>
|
||||
> If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
|
||||
>
|
||||
> 2. Start Registry Editor, and verify the following settings:
|
||||
>
|
||||
> 1. The following registry key exists and has the following value:
|
||||
>
|
||||
> - **Subkey**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`
|
||||
> - **Type**: `REG_DWORD`
|
||||
> - **Value**: `OSManageNKP` equal to `1` (True)
|
||||
>
|
||||
> 2. The registry key:
|
||||
>
|
||||
> `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates`
|
||||
>
|
||||
> has an entry whose name matches the name of the certificate thumbprint of the BitLocker Network Unlock key protector that was found in step 1.
|
||||
|
||||
## On a Surface Pro 4 device, BitLocker Network Unlock doesn't work because the UEFI network stack is incorrectly configured
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). UEFI of a Surface Pro 4 has been configured to use DHCP. However, when the Surface Pro 4 is restarted, it still prompts for a BitLocker PIN.
|
||||
|
||||
When testing another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure, the device restarts as expected, without prompting for the BitLocker PIN. This test confirms that the infrastructure is correctly configured, and the issue is specific to the device.
|
||||
|
||||
### Cause of BitLocker Network Unlock not working on Surface Pro 4
|
||||
|
||||
The UEFI network stack on the device is incorrectly configured.
|
||||
|
||||
### Resolution for BitLocker Network Unlock not working on Surface Pro 4
|
||||
|
||||
To correctly configure the UEFI network stack of the Surface Pro 4, the Microsoft Surface Enterprise Management Mode (SEMM) needs to be used. For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
|
||||
|
||||
> [!NOTE]
|
||||
> If SEMM can't be used, the Surface Pro 4 may be able to use BitLocker Network Unlock by configuring the Surface Pro 4 to use the network as its first boot option.
|
||||
|
||||
## Unable to use BitLocker Network Unlock feature on a Windows client computer
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). A Windows 8 client computer is connected to the internal network with an ethernet cable. However, when the device is restarted, the device still prompts for the BitLocker PIN.
|
||||
|
||||
### Cause of unable to use BitLocker Network Unlock feature on a Windows client computer
|
||||
|
||||
A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the BitLocker Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
|
||||
|
||||
DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
|
||||
|
||||
The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
|
||||
|
||||
- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
|
||||
- The third message that the BitLocker Network Unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
|
||||
|
||||
A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages. After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
|
||||
|
||||
If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
|
||||
|
||||
For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
|
||||
|
||||
### Resolution for unable to use BitLocker Network Unlock feature on a Windows client computer
|
||||
|
||||
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
|
@ -1,369 +0,0 @@
|
||||
---
|
||||
title: BitLocker recovery known issues
|
||||
description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- Windows Security Technologies\BitLocker
|
||||
- highpri
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# BitLocker recovery: known issues
|
||||
|
||||
This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
|
||||
|
||||
> [!NOTE]
|
||||
> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
|
||||
|
||||
## Windows prompts for a non-existing BitLocker recovery password
|
||||
|
||||
Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured.
|
||||
|
||||
### Resolution for Windows prompts for a non-existing BitLocker recovery password
|
||||
|
||||
The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
|
||||
|
||||
- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
|
||||
|
||||
- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
|
||||
|
||||
## The recovery password for a laptop wasn't backed up, and the laptop is locked
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password.
|
||||
|
||||
### Resolution for the recovery password for a laptop wasn't backed up
|
||||
|
||||
You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
|
||||
|
||||
- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider).
|
||||
|
||||
- In an elevated Command Prompt window, use the [manage-bde.exe](/windows-server/administration/windows-commands/manage-bde) command to back up the information.
|
||||
|
||||
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -protectors -adbackup C:
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> BitLocker does not automatically manage this backup process.
|
||||
|
||||
## Tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
BitLocker recovery needs to be tested on a tablet or slate device by running the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -forcerecovery
|
||||
```
|
||||
|
||||
However, after entering the recovery password, the device can't start.
|
||||
|
||||
### Cause of tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Tablet devices do not support the **`manage-bde.exe -forcerecovery`** command.
|
||||
|
||||
This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
|
||||
|
||||
If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **`manage-bde.exe -forcerecovery`** command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
|
||||
|
||||
This behavior is by design for all versions of Windows.
|
||||
|
||||
### Workaround for tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
|
||||
|
||||
To resolve the restart loop, follow these steps:
|
||||
|
||||
1. On the BitLocker Recovery screen, select **Skip this drive**.
|
||||
|
||||
2. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
|
||||
|
||||
3. In the Command Prompt window, run the following commands:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password>
|
||||
manage-bde.exe -protectors -disable C:
|
||||
|
||||
```
|
||||
|
||||
4. Close the Command Prompt window.
|
||||
|
||||
5. Shut down the device.
|
||||
|
||||
6. Start the device. Windows should start as usual.
|
||||
|
||||
## After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed.
|
||||
|
||||
You experience one or more of the following symptoms on the Surface device:
|
||||
|
||||
- At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up.
|
||||
|
||||
- Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings.
|
||||
|
||||
- The Surface device appears to be in an infinite restart loop.
|
||||
|
||||
### Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
|
||||
|
||||
This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
|
||||
|
||||
- Secure boot is turned off.
|
||||
- PCR values have been explicitly defined, such as by group policy.
|
||||
|
||||
Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the [About the Platform Configuration Register (PCR)](bitlocker-group-policy-settings.md#about-the-platform-configuration-register-pcr) section of the [BitLocker Group Policy Settings](bitlocker-group-policy-settings.md) article.
|
||||
|
||||
### Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
|
||||
|
||||
To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -protectors -get <OSDriveLetter>:
|
||||
```
|
||||
|
||||
In this command, *\<OSDriveLetter\>* represents the drive letter of the operating system drive.
|
||||
|
||||
To resolve this issue and repair the device, follow these steps:
|
||||
|
||||
#### Step 1: Disable the TPM protectors on the boot drive
|
||||
|
||||
If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
|
||||
|
||||
To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps:
|
||||
|
||||
1. Obtain the BitLocker recovery password from the Surface user's [Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help.
|
||||
|
||||
2. Use another computer to download the Surface recovery image from [Surface Recovery Image Download](https://support.microsoft.com/surface-recovery-image). Use the downloaded image to create a USB recovery drive.
|
||||
|
||||
3. Insert the USB Surface recovery image drive into the Surface device, and start the device.
|
||||
|
||||
4. When prompted, select the following items:
|
||||
|
||||
1. The operating system language.
|
||||
|
||||
2. The keyboard layout.
|
||||
|
||||
5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
|
||||
|
||||
6. In the Command Prompt window, run the following commands:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
|
||||
manage-bde.exe -protectors -disable <DriveLetter>:
|
||||
|
||||
```
|
||||
|
||||
where:
|
||||
|
||||
- *\<Password\>* is the BitLocker recovery password that was obtained in Step 1
|
||||
- *\<DriveLetter\>* is the drive letter that is assigned to the operating system drive
|
||||
|
||||
> [!NOTE]
|
||||
> For more information about how to use this command, see [manage-bde unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
|
||||
|
||||
7. Restart the computer.
|
||||
|
||||
8. When prompted, enter the BitLocker recovery password that was obtained in Step 1.
|
||||
|
||||
> [!NOTE]
|
||||
> After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press **Enter**. Follow the steps to encrypt the drive.
|
||||
|
||||
#### Step 2: Use Surface BMR to recover data and reset the Surface device
|
||||
|
||||
To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive) to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps:
|
||||
|
||||
1. At the command prompt, run the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -unlock -recoverypassword <Password> <DriveLetter>:
|
||||
```
|
||||
|
||||
In this command, *\<Password\>* is the BitLocker recovery password that was obtained in Step 1 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive), and \<*DriveLetter*> is the drive letter that is assigned to the operating system drive.
|
||||
|
||||
2. After the drive is unlocked, use the **`copy`** or **`xcopy.exe`** command to copy the user data to another drive.
|
||||
|
||||
> [!NOTE]
|
||||
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands) article.
|
||||
|
||||
3. To reset the device by using a Surface recovery image, follow the instructions in the article [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).
|
||||
|
||||
#### Step 3: Restore the default PCR values
|
||||
|
||||
To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values.
|
||||
|
||||
To enable Secure Boot on a Surface device, follow these steps:
|
||||
|
||||
1. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
|
||||
```
|
||||
|
||||
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
|
||||
|
||||
2. Restart the device, and then edit the UEFI settings to set the **Secure Boot** option to **Microsoft Only**.
|
||||
|
||||
3. Restart the device and sign into Windows.
|
||||
|
||||
4. Open an elevated PowerShell window and run the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
||||
```
|
||||
|
||||
To reset the PCR settings on the TPM, follow these steps:
|
||||
|
||||
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
|
||||
|
||||
For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
|
||||
|
||||
2. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
|
||||
```
|
||||
|
||||
In this command, *\<DriveLetter\>* is the letter that is assigned to the drive.
|
||||
|
||||
3. Run the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
||||
```
|
||||
|
||||
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
|
||||
|
||||
You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker) must be used and the **Reboot Count** parameter must be set to either of the following values:
|
||||
>
|
||||
> - **2** or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to **2** will cause BitLocker to resume after the device restarts twice.
|
||||
>
|
||||
> - **0**: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker) or another mechanism needs to be used to resume BitLocker protection.
|
||||
|
||||
To suspend BitLocker while installing TPM or UEFI firmware updates:
|
||||
|
||||
1. Open an elevated Windows PowerShell window and run the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
|
||||
```
|
||||
|
||||
In this PowerShell cmdlet, *\<DriveLetter\>* is the letter that is assigned to the drive.
|
||||
|
||||
2. Install the Surface device driver and firmware updates.
|
||||
|
||||
3. After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet:
|
||||
|
||||
```powershell
|
||||
Resume-BitLocker -MountPoint "<DriveLetter>:"
|
||||
```
|
||||
|
||||
<!--
|
||||
REMOVING THIS STATEMENT SINCE THIS IS NOT NEEDED. BITLOCKER WAS ONLY SUSPENDED. IT WAS NOT DISABLED AND THE DRIVE WAS NEVER DECRYPTED. STEP 3 ABOVE ALREADY RESUMES BITLOCKER SO RE-ENABLING AND/OR REENCRYPTING IS NOT NEEDED.
|
||||
|
||||
To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
|
||||
-->
|
||||
|
||||
<!--
|
||||
|
||||
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO VERSIONS OF WINDOWS 10 THAT HAVE BEEN OUT OF SUPPORT FOR SEVERAL YEARS
|
||||
|
||||
## After installing an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
A device is running Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016 and Hyper-V is enabled. After installing an affected update and restart the device, the device enters BitLocker Recovery mode and error code 0xC0210000 is displayed.
|
||||
|
||||
### Workaround
|
||||
|
||||
If the device is already in this state, Windows can be successfully started after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
|
||||
|
||||
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from the organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. Solutions that store the BitLocker password could include Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune.
|
||||
|
||||
2. On the Recovery screen, press **Enter**. When prompted, enter the recovery password.
|
||||
|
||||
3. If the device starts in the (WinRE) and prompts for the recovery password again, select **Skip the drive**.
|
||||
|
||||
4. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
|
||||
|
||||
5. In the Command Prompt window, run the following commands:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -unlock c: -rp <48 digit numerical recovery password separated by "-" in 6 digit group>
|
||||
manage-bde.exe -protectors -disable c:
|
||||
exit
|
||||
```
|
||||
|
||||
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
|
||||
|
||||
> [!NOTE]
|
||||
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
|
||||
|
||||
6. Select **Continue**. Windows should start.
|
||||
|
||||
7. After Windows has started, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -protectors -enable c:
|
||||
```
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Unless BitLocker is suspended before restarting the device, this issue recurs.
|
||||
|
||||
To temporarily suspend BitLocker just before restarting the device, open an elevated Command Prompt window and run the following command:
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -protectors -disable c: -rc 1
|
||||
```
|
||||
|
||||
### Resolution
|
||||
|
||||
To resolve this issue, install the appropriate update on the affected device:
|
||||
|
||||
- For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
|
||||
- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
|
||||
|
||||
-->
|
||||
|
||||
## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
A device uses TPM 1.2 and runs Windows 10, version 1809. The device also uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed:
|
||||
|
||||
> Recovery
|
||||
>
|
||||
> Your PC/Device needs to be repaired.
|
||||
> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
|
||||
>
|
||||
> Error code 0xc0210000
|
||||
>
|
||||
> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
|
||||
|
||||
### Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
|
||||
|
||||
TPM 1.2 doesn't support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
|
||||
|
||||
For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
|
||||
|
||||
### Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
|
||||
|
||||
To resolve this issue, use one of the following two solutions:
|
||||
|
||||
- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
|
||||
- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
|
@ -1,126 +0,0 @@
|
||||
---
|
||||
title: BitLocker and TPM other known issues
|
||||
description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
|
||||
ms.reviewer: kaushika
|
||||
ms.technology: itpro-security
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.collection: Windows Security Technologies\BitLocker
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/08/2022
|
||||
ms.custom: bitlocker
|
||||
---
|
||||
|
||||
# BitLocker and TPM: other known issues
|
||||
|
||||
This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
|
||||
|
||||
## Azure AD: Windows Hello for Business and single sign-on don't work
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
An Azure Active Directory (Azure AD)-joined client computer can't authenticate correctly. The computer is experiencing one or more of the following symptoms:
|
||||
|
||||
- Windows Hello for Business doesn't work
|
||||
- Conditional access fails
|
||||
- Single sign-on (SSO) doesn't work
|
||||
|
||||
Additionally, in Event Viewer, the computer logs the following Event ID 1026 event under **Windows Logs** > **System**:
|
||||
|
||||
> Log Name: System
|
||||
> Source: Microsoft-Windows-TPM-WMI
|
||||
> Date: \<Date and Time>
|
||||
> Event ID: 1026
|
||||
> Task Category: None
|
||||
> Level: Information
|
||||
> Keywords:
|
||||
> User: SYSTEM
|
||||
> Computer: \<Computer name\>
|
||||
> Description:
|
||||
> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
|
||||
> Error: The TPM is defending against dictionary attacks and is in a time-out period.
|
||||
> Additional Information: 0x840000
|
||||
|
||||
### Cause of Azure AD: Windows Hello for Business and single sign-on don't work
|
||||
|
||||
This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
|
||||
|
||||
Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
|
||||
|
||||
### Resolution for Azure AD: Windows Hello for Business and single sign-on don't work
|
||||
|
||||
To verify the status of the PRT, use the [dsregcmd.exe /status](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. If the value of the attribute is **No**, it may indicate that the computer couldn't present its certificate for authentication.
|
||||
|
||||
To resolve this issue, follow these steps to troubleshoot the TPM:
|
||||
|
||||
1. Open the TPM management console (`tpm.msc`) by selecting **Start** and entering **tpm.msc** in the **Search** box.
|
||||
|
||||
2. If a notice is displayed to either unlock the TPM or reset the lockout, contact the hardware vendor to determine whether there's a known fix for the issue.
|
||||
|
||||
3. If the issue is still not resolved after contacting the hardware vendor, clear and reinitialize the TPM by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||
|
||||
> [!WARNING]
|
||||
> Clearing the TPM can cause data loss.
|
||||
|
||||
If in Step 2 there's no notice to either unlock the TPM or reset the lockout, review the UEFI firmware/BIOS settings of the computer for any setting that can be used to reset or disable the lockout.
|
||||
|
||||
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
|
||||
|
||||
Consider the following scenario:
|
||||
|
||||
When trying to open the TPM management console on a Windows computer that uses TPM version 1.2, the following message is displayed:
|
||||
|
||||
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
|
||||
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
|
||||
> The device that is required by this cryptographic provider is not ready for use.
|
||||
> TPM Spec version: TPM v1.2
|
||||
|
||||
On a different device that is running the same version of Windows, the TPM management console can be opened.
|
||||
|
||||
### Cause (suspected) of TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
|
||||
|
||||
These symptoms indicate that the TPM has hardware or firmware issues.
|
||||
|
||||
### Resolution for TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
|
||||
|
||||
To resolve the issue:
|
||||
|
||||
- Switch the TPM operating mode from version 1.2 to version 2.0 if the device has this option available.
|
||||
|
||||
- If switching the TPM from version 1.2 to version 2.0 doesn't resolve the issue, or if the device doesn't have TPM version 2.0 available, contact the hardware vendor to determine whether there's a UEFI firmware update/BIOS update/TPM update for the device. If there's an update available, install the update to see if it resolves the issue.
|
||||
|
||||
- If updating the UEFI firmware/BIOS doesn't resolve the issue, or if there's no update available, consider replacing the device motherboard by contacting the hardware vendor. After the motherboard has been replaced, switch the TPM operating mode from version 1.2 to version 2.0 if this option is available.
|
||||
|
||||
> [!WARNING]
|
||||
> Replacing the motherboard will cause data in the TPM to be lost.
|
||||
|
||||
## Devices don't join hybrid Azure AD because of a TPM issue
|
||||
|
||||
When trying to join a device to a hybrid Azure AD, the join operation appears to fail.
|
||||
|
||||
To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
|
||||
|
||||
- **AzureAdJoined: YES**
|
||||
- **DomainName: \<*on-prem Domain name*\>**
|
||||
|
||||
If the value of **AzureADJoined** is **No**, the join operation failed.
|
||||
|
||||
### Causes and resolutions for devices don't join hybrid Azure AD because of a TPM issue
|
||||
|
||||
This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events are displayed, as shown in the following table:
|
||||
|
||||
|Message |Reason | Resolution|
|
||||
| - | - | - |
|
||||
|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
|
||||
|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
||||
|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|
||||
|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
|
||||
|
||||
For more information about TPM issues, see the following articles:
|
||||
|
||||
- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering)
|
||||
- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
|
||||
- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md)
|