Metadata/style update BitLocker 12

This commit is contained in:
Frank Rojas
2022-11-15 22:42:36 -05:00
parent d7d8da8771
commit 6f9260d8a5
6 changed files with 363 additions and 297 deletions

View File

@ -1,6 +1,6 @@
---
title: Prepare your organization for BitLocker Planning and policies (Windows 10)
description: This article for the IT professional explains how can you plan your BitLocker deployment.
title: Prepare the organization for BitLocker Planning and policies (Windows 10)
description: This article for the IT professional explains how can to plan for a BitLocker deployment.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
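Review bot: the new `description` value still carries a grammar slip: "explains how can to plan for a BitLocker deployment" should read "explains how to plan for a BitLocker deployment" (the removed line had the same "how can you plan" problem, so this is the place to fix it). The updated `title` also drops the colon that the H1 keeps ("BitLocker Planning and policies" versus "BitLocker: Planning and policies"); "Prepare the organization for BitLocker: Planning and policies" would keep the two aligned.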
@ -15,7 +15,7 @@ ms.custom: bitlocker
ms.technology: itpro-security
---
# Prepare your organization for BitLocker: Planning and policies
# Prepare an organization for BitLocker: Planning and policies
*Applies to:*
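Review bot: the new H1 "Prepare an organization for BitLocker: Planning and policies" doesn't match the new front-matter title "Prepare the organization for BitLocker Planning and policies" (article "an" versus "the", colon versus none). Pick one wording and use it in both places so the page heading and the metadata title agree.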
@ -25,18 +25,22 @@ ms.technology: itpro-security
This article for the IT professional explains how to plan BitLocker deployment.
When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems.
When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
## Audit your environment
## Audit the environment
To plan your BitLocker deployment, understand your current environment. Do an informal audit to define your current policies, procedures, and hardware environment. Review your existing disk encryption software corporate security policies. If your organization isn't using disk encryption software, then none of these policies will exist. If you use disk encryption software, then you might need to change your organization's policies to use the BitLocker features.
To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then none of these policies will exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features.
To help you document your organization's current disk encryption security policies, answer the following questions:
To help document the organization's current disk encryption security policies, answer the following questions:
1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker?
2. What policies exist to control recovery password and recovery key storage?
3. What are the policies for validating the identity of users who need to perform BitLocker recovery?
4. What policies exist to control who in the organization has access to recovery data?
5. What policies exist to control computer decommissioning or retirement?
## Encryption keys and authentication
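Review bot: "When BitLocker deployment strategy is defined, define the appropriate policies..." is missing an article and shifts the sense of the removed line ("When you design your BitLocker deployment strategy"). Suggest "When designing the BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of the organization." In the same paragraph, "The following sections will help with collecting information" reads more naturally as "The following sections help collect the information needed."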
@ -48,51 +52,52 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers
The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data. And, help make sure a computer hasn't been tampered with while the system was offline.
Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
On computers that don't have a TPM version 1.2 or higher, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
### BitLocker key protectors
| Key protector | Description |
| - | - |
| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.|
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.|
| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
### BitLocker authentication methods
| Authentication method | Requires user interaction | Description |
| - | - | - |
| TPM only| No| TPM validates early boot components.|
| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.|
| *TPM only*| No| TPM validates early boot components.|
| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.|
**Will you support computers without TPM 1.2 or higher versions?**
#### Will computers without TPM 1.2 or higher versions be supported?
Determine whether you will support computers that don't have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
**What areas of your organization need a baseline level of data protection?**
#### What areas of the organization need a baseline level of data protection?
The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
**What areas of your organization need a more secure level of data protection?**
#### What areas of the organization need a more secure level of data protection?
If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
**What multifactor authentication method does your organization prefer?**
#### What multifactor authentication method does the organization prefer?
The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes.
## TPM hardware configurations
In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) being used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
### TPM 1.2 states and initialization
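Review bot: the rewritten "Will computers without TPM 1.2 or higher versions be supported?" paragraph inverts the meaning. "If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system" should say "computers without TPM 1.2 or higher versions", which is what the removed line ("this type of computer") referred to; as written it claims TPM-equipped machines need a startup key, contradicting the "TPM only" row in the authentication table just above. Two smaller points in the same hunk: "Document the hardware models from an OEM(s) being used by the organization" reads better as "Document the hardware models from the OEMs the organization uses", and the unchanged context fragment "And, help make sure a computer hasn't been tampered with while the system was offline" could be joined to the preceding sentence while this file is being touched.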
@ -110,13 +115,13 @@ For more information about the TPM and the TCG, see the Trusted Computing Group:
Devices that don't include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key.
Use the following questions to identify issues that might affect your deployment in a non-TPM configuration:
Use the following questions to identify issues that might affect the deployment in a non-TPM configuration:
- Are password complexity rules in place?
- Do you have budget for USB flash drives for each of these computers?
- Do your existing non-TPM devices support USB devices at boot time?
- Is there a budget for USB flash drives for each of these computers?
- Do existing non-TPM devices support USB devices at boot time?
Test your individual hardware platforms with the BitLocker system check option while you're enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material.
Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material.
## Disk configuration considerations
@ -125,17 +130,17 @@ To function correctly, BitLocker requires a specific disk configuration. BitLock
- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
- The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
Windows setup automatically configures the disk drives of your computer to support BitLocker encryption.
Windows setup automatically configures the disk drives of computers to support BitLocker encryption.
Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker.
Windows RE can also be used from boot media other than the local hard disk. If you don't install Windows RE on the local hard disk of BitLocker-enabled computers, then you can use different boot methods. For example, you can use Windows Deployment Services, CD-ROM, or USB flash drive for recovery.
Windows RE can also be used from boot media other than the local hard disk. If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS), CD-ROM, or USB flash drive can be used for recovery.
## BitLocker provisioning
In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, `manage-bde` tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
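Review bot: the BitLocker provisioning paragraph swaps `manage-bde` (code formatting) for bold **manage-bde**, but the unchanged paragraph directly above it still uses the backtick form, and the clustered-volumes file in this same commit standardizes on `manage-bde.exe` in code formatting. Keep the command in code formatting here as well so the style is consistent within the page and across the commit.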
@ -145,7 +150,7 @@ Administrators can enable BitLocker before to operating system deployment from t
The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption.
Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption.
Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption.
With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
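Review bot: "the wizard asks to choose the drive encryption type" is awkward; suggest "the wizard prompts for the drive encryption type". The hunk header's context line "enable BitLocker before to operating system deployment" also contains a typo ("before to" should be "before") that this style pass could pick up.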
@ -155,7 +160,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information:
Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered.
**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > ***drive type*** > **Choose how BitLocker-protected drives can be recovered**.
By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
@ -167,7 +172,7 @@ The following recovery data is saved for each computer object:
- **Key package data**
With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
With this key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
## FIPS support for recovery password protector
@ -176,21 +181,25 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLoc
> [!NOTE]
> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [The recovery password for Windows BitLocker isn't available when FIPS compliant policy is set in Windows](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
But on computers running these supported systems with BitLocker enabled:
However, on computers running these supported systems with BitLocker enabled:
- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm.
- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords.
- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not.
On Windows Server 2012 R2 and Windows 8.1 and older, you can't use recovery passwords generated on a system in FIPS mode. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead.
On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generated on a system in FIPS mode can't be used. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead.
## More information
## Related articles
- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
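Review bot: the unchanged context line "FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode" has a typo ("AD a" should be "AD DS", matching the "Active Directory Domain Services (AD DS)" usage earlier in the article) that sits inside this hunk and would be cheap to fix here. The "However, on computers running these supported systems" and "Related articles" changes look fine.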

View File

@ -24,7 +24,7 @@ This article describes the procedure to protect cluster shared volumes (CSVs) an
BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
## <a href="" id="configuring-bitlocker-on-cluster-shared-volumes-"></a>Configuring BitLocker on Cluster Shared Volumes
## Configuring BitLocker on Cluster Shared Volumes
### Using BitLocker with clustered volumes
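Review bot: dropping the explicit `<a href="" id="configuring-bitlocker-on-cluster-shared-volumes-">` anchor changes the fragment identifier for this section: existing links to `#configuring-bitlocker-on-cluster-shared-volumes-` (note the trailing hyphen) will stop resolving, because the auto-generated heading id will be `#configuring-bitlocker-on-cluster-shared-volumes` without it. Either keep the old anchor or confirm no inbound links use it. The unchanged context sentence "Only certain user accounts provided access to unlock the BitLocker volume" is also missing a verb ("are provided access").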
@ -32,146 +32,150 @@ Volumes within a cluster are managed with the help of BitLocker based on how the
> [!IMPORTANT]
> SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks:
- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool.
- It must put the resource into maintenance mode before BitLocker operations are completed.
Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
> [!NOTE]
> Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption.
If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. The **`manage-bde.exe -WipeFreeSpace`** command can't be used to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **`manage-bde.exe -WipeFreeSpace`** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
### Active Directory-based protector
You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place:
An Active Directory Domain Services (AD DS) protector can also be used for protecting clustered volumes held within the AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place:
- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request.
- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request.
- BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
1. Clear key
2. Driver-based auto-unlock key
3. **ADAccountOrGroup** protector
a. Service context protector
b. User protector
4. Registry-based auto-unlock key
> [!NOTE]
> A Windows Server 2012 or later domain controller is required for this feature to work properly.
### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
BitLocker encryption is available for disks before these disks are added to a cluster storage pool.
> [!NOTE]
> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation.
> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation.
To turn on BitLocker for a disk before adding it to a cluster:
1. Install the BitLocker Drive Encryption feature if it isn't already installed.
2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it.
3. Identify the name of the cluster with Windows PowerShell.
```powershell
``` powershell
Get-Cluster
```
4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
```powershell
4. Enable BitLocker on a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
> [!WARNING]
> You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
> An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
5. Repeat the preceding steps for each disk in the cluster.
6. Add the volume(s) to the cluster.
### Turning on BitLocker for a clustered disk using Windows PowerShell
When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps:
When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps:
1. Install the BitLocker drive encryption feature if it isn't already installed.
2. Check the status of the cluster disk using Windows PowerShell.
```powershell
``` powershell
Get-ClusterResource "Cluster Disk 1"
```
3. Put the physical disk resource into maintenance mode using Windows PowerShell.
```powershell
``` powershell
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
4. Identify the name of the cluster with Windows PowerShell.
```powershell
``` powershell
Get-Cluster
```
5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
```powershell
5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
> [!WARNING]
> You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster.
> An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster.
6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode:
```powershell
``` powershell
Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
```
7. Repeat the preceding steps for each disk in the cluster.
### Adding BitLocker-encrypted volumes to a cluster using manage-bde
### Adding BitLocker-encrypted volumes to a cluster using `manage-bde.exe`
You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
1. Verify that the BitLocker drive encryption feature is installed on the computer.
2. Ensure new storage is formatted as NTFS.
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example):
- `manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync`
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage:
- The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
``` syntax
manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
```
1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.
- Once the disk is clustered, it's enabled for CSV.
5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
1. If the volume isn't BitLocker enabled, traditional cluster online operations occur.
2. If the volume is BitLocker enabled, the following check occurs:
2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
- If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**".
6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**".
CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task:
CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption run the `manage-bde.exe -status` command as an administrator with a path to the volume. The path must be one that is inside the CSV namespace. For example:
- Utilize the **manage-bde -status** command with a path to the volume.
The path must be one that is inside the CSV namespace as seen in the example command line below.
```powershell
manage-bde -status "C:\ClusterStorage\volume1"
``` syntax
manage-bde.exe -status "C:\ClusterStorage\volume1"
```
### Physical disk resources
Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available.
Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking, or unlocking volumes require a context to perform. For example, a physical disk resource can't unlock or decrypt if it isn't administering the cluster node that owns the disk resource because the disk resource isn't available.
### Restrictions on BitLocker actions with cluster volumes
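Review bot: the rewritten sentence in the physical disk resources paragraph ("For example, a physical disk resource can't unlock or decrypt if it isn't administering the cluster node that owns the disk resource") inverts the subject and no longer makes sense, since the disk resource is not the thing doing the administering; keep the original meaning with wording like "For example, a physical disk resource can't be unlocked or decrypted from a node that doesn't own it, because the disk resource isn't available on that node." Also in this hunk: step 5 of the clustered-disk procedure now reads "Enable BitLocker a volume" (missing "on"); the duplicated bullet "BitLocker service interrupts the request" should say "intercepts"; the NOTE "The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool" is garbled in both the old and the new text and should read "BitLocker encryption can even be made available for disks after they're added to a cluster storage pool."; and "To turn on the BitLocker for a clustered disk" should drop "the".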
@ -179,31 +183,38 @@ The following table contains information about both physical disk resources (tha
| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode |
|--- |--- |--- |--- |--- |
|**Manage-bde -on**|Blocked|Blocked|Blocked|Allowed|
|**Manage-bde -off**|Blocked|Blocked|Blocked|Allowed|
|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|
|**Manage-bde -lock**|Blocked|Blocked|Blocked|Allowed|
|**manage-bde -wipe**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -on`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -off`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe Pause/Resume`**|Blocked|Blocked**|Blocked|Allowed|
|**`Manage-bde.exe -lock`**|Blocked|Blocked|Blocked|Allowed|
|**`Manage-bde.exe -wipe`**|Blocked|Blocked|Blocked|Allowed|
|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed|
|**manage-bde -protector -add**|Allowed|Allowed|Blocked|Allowed|
|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed|
|**manage-bde -autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed|
|**`Manage-bde.exe -protector -add`**|Allowed|Allowed|Blocked|Allowed|
|**`Manage-bde.exe -protector -delete`**|Allowed|Allowed|Blocked|Allowed|
|**`Manage-bde.exe -autounlock`**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
|**`Manage-bde.exe -upgrade`**|Allowed|Allowed|Blocked|Allowed|
|**Shrink**|Allowed|Allowed|Blocked|Allowed|
|**Extend**|Allowed|Allowed|Blocked|Allowed|
> [!NOTE]
> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.
> Although the **`manage-bde.exe -pause`** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.
In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process.
### Other considerations when using BitLocker on CSV2.0
Some other considerations to take into account for BitLocker on clustered storage include:
- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete.
- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
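Review bot: the Pause/Resume row still carries a stray "**" after "Blocked" in the MDS column (it is in the old line too), which renders as an unmatched bold marker with no footnote to point at; either drop it or add the footnote it was meant to reference. The command column also switches to "Manage-bde.exe" with a capital M while the NOTE under the table and the earlier steps use "manage-bde.exe"; pick one casing, and since "Pause/Resume" is not literal syntax, "-pause / -resume" would match the other rows.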



@ -16,25 +16,26 @@ ms.custom: bitlocker
# Guidelines for troubleshooting BitLocker
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes your troubleshooting process much easier.
This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier.
## Review the event logs
Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**:
- **BitLocker-API**. Review the management log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-API/BitLocker Operational
- Microsoft-Windows-BitLocker-API/BitLocker Management
- **Microsoft-Windows-BitLocker-API/Management**
- **Microsoft-Windows-BitLocker-API/Operational**
- **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled
- **BitLocker-DrivePreparationTool**. Review the admin log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
- Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin**
- **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational**
Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources.
Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources.
To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) cmdlet.
To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used.
For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
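Review bot: the renamed entries under BitLocker-API ("Microsoft-Windows-BitLocker-API/Management", "Microsoft-Windows-BitLocker-API/Operational") are the Event Viewer display paths, while the Get-WinEvent example further down this file passes the channel name "Microsoft-Windows-BitLocker/BitLocker Operational" to -logname; since the section presents these as the "unique names" a reader will feed to wevtutil.exe or Get-WinEvent, state which form is the channel name or list both. The same applies to the DrivePreparationTool entries.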
@ -48,7 +49,7 @@ To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated t
Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
```
You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
- To display BitLocker-related information:
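Review bot: "The Get-WinEvent can be used" drops the noun; make it "The Get-WinEvent cmdlet can be used in an elevated PowerShell window" (and wrap the cmdlet name in backticks, as the other command names renamed in this commit are).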
@ -83,11 +84,11 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
> [!NOTE]
> If you intend to contact Microsoft Support, it is recommended that you export the logs listed in this section.
> When contacting Microsoft Support, it is recommended to export the logs listed in this section.
## Gather status information from the BitLocker technologies
Open an elevated Windows PowerShell window, and run each of the following commands.
Open an elevated Windows PowerShell window, and run each of the following commands:
|Command |Notes |
| --- | --- |
@ -99,52 +100,52 @@ Open an elevated Windows PowerShell window, and run each of the following comman
## Review the configuration information
1. Open an elevated Command Prompt window, and run the following commands.
1. Open an elevated Command Prompt window, and run the following commands:
|Command |Notes |
| --- | --- |
|[**gpresult.exe /h \<Filename>**](/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. |
|[**msinfo.exe /report \<Path> /computer&nbsp;\<ComputerName>**](/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |
1. Open Registry Editor, and export the entries in the following subkeys:
2. Open Registry Editor, and export the entries in the following subkeys:
- **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
- **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
- **`HKLM\SOFTWARE\Policies\Microsoft\FVE`**
- **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`**
## Check the BitLocker prerequisites
Common settings that can cause issues for BitLocker include the following scenarios:
- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM.
- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE.
- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE.
- The system-reserved partition must use the correct format.
- On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
- On legacy computers, the system-reserved partition must be formatted as NTFS.
- If the device that you're troubleshooting is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
- If the device being troubleshot is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
## Next steps
If the information that you've examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior you see. The information that you've gathered helps you narrow down the areas to investigate.
Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate.
- If you're working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker can't encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker can't encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker can't encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
- If BitLocker doesn't behave as expected when you recover an encrypted drive, or if you didn't expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
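Review bot: "what behavior is being see" in the Next steps paragraph should be "what behavior is being seen". In the configuration table the command is given as "msinfo.exe /report" while the link text and linked page are msinfo32; the executable is msinfo32.exe, so the command should read "msinfo32.exe /report \<Path> /computer \<ComputerName>". Smaller points: "the device being troubleshot" (used twice) reads awkwardly, and "If the device is a slate or tablet PC" / "If the device is managed by Microsoft Intune" say the same thing; "get-tpm PowerShell cmdlet command" can drop "command".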


@ -1,5 +1,5 @@
---
title: BitLocker cannot encrypt a drive known issues
title: BitLocker can't encrypt a drive known issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
ms.reviewer: kaushika
ms.technology: itpro-security
@ -14,58 +14,63 @@ ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known issues
# BitLocker can't encrypt a drive: known issues
This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive
## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
### Cause
### Cause of **Error 0x80310059**
This issue may be caused by settings that are controlled by group policy objects (GPOs).
### Resolution
### Resolution for **Error 0x80310059**
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
**`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
1. Delete the following entries:
- **OSPlatformValidation\_BIOS**
- **OSPlatformValidation\_UEFI**
- **PlatformValidation**
2. Delete the following entries:
1. Exit registry editor, and turn on BitLocker drive encryption again.
- **`OSPlatformValidation_BIOS`**
- **`OSPlatformValidation_UEFI`**
- **`PlatformValidation`**
## "Access is denied" message when you try to encrypt removable drives
3. Exit registry editor, and turn on BitLocker drive encryption again.
You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
<!--
REMOVING THIS SECTION SINCE IT ONLY APPLIES TO WINDOWS 10 VERSIONS THAT BEEN OUT OF SUPPORT FOR SEVERAL YEARS
## **Access is denied** message when attempting to encrypt removable drives
A computer is running Windows 10, version 1709 or version 1607. Encryption is attempted on a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
2. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password.
3. Follow the instructions on the page to enter a password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
4. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied."
5. The **Starting encryption** page displays the message **Access is denied.**
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
The message is received on any computer that runs Windows 10 version 1709 or version 1607, when any USB drive is used.
### Cause
### Cause of **Access is denied** message
The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
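Review bot: the HTML comment that hides the "Access is denied" section justifies it as applying only to out-of-support Windows 10 versions, but the text being hidden ("Windows 10, version 1709 or version 1607, or Windows 11") listed Windows 11 as affected, and the new wording silently drops Windows 11 instead of reconciling the two; confirm the issue does not affect Windows 11 before hiding the section, and prefer deleting it outright (git history keeps it) to leaving a commented block in the source. Smaller points in this hunk: the comment text "THAT BEEN OUT OF SUPPORT" is missing "HAVE"; "When BitLocker Drive Encryption is turned on a computer" is missing a word ("turned on for a computer"); the NOTE link text still says "BitLocker cannot encrypt a drive: known TPM issues" although that page's title is changed to "can't" in this same commit; and the bold markup inside the "## **Error 0x80310059...**" heading is unnecessary.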
@ -73,35 +78,37 @@ To verify that this issue has occurred, follow these steps:
1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
1. At the command prompt, enter the following command:
2. At the command prompt, enter the following command:
```console
C:\>sc sdshow bdesvc
```
The output of this command resembles the following:
The output of this command resembles the following output:
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
3. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
If `NT AUTHORITY\INTERACTIVE` is seen as highlighted in the output of this command, this line is the cause of the issue. Under typical conditions, the output should resemble the following output instead:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
### Resolution
### Resolution for **Access is denied** message
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```powershell
``` powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```
1. Restart the computer.
2. Restart the computer.
The issue should now be resolved.
The issue should now be resolved.
-->
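Review bot: the resolution step tells the reader to run "sc sdset bdesvc ..." in an elevated PowerShell window, but in Windows PowerShell "sc" is an alias for Set-Content, so the command as written does not invoke the service control tool; use "sc.exe sdset bdesvc ..." (the earlier "sc sdshow bdesvc" is run from a Command Prompt, where the bare name is fine). Quoting the SDDL string would also keep PowerShell from trying to parse the parentheses. Worth fixing even though the section now sits inside the HTML comment, in case it is restored.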


@ -1,6 +1,6 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
title: BitLocker can't encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
@ -14,116 +14,144 @@ ms.date: 11/08/2022
ms.custom: bitlocker
---
# BitLocker cannot encrypt a drive: known TPM issues
# BitLocker can't encrypt a drive: known TPM issues
This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
> [!NOTE]
> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed
When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message:
### Cause
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of the TPM being locked
The TPM is locked out.
### Resolution
### Resolution for the TPM being locked
To resolve this issue, follow these steps:
To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps:
1. Open an elevated PowerShell window and run the following script:
```powershell
``` powershell
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8
3. Retry starting BitLocker drive encryption.
## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM.
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
3. Sign on to Windows and retry starting BitLocker drive encryption.
### Cause
> [!WARNING]
> Resetting and clearing the TPM can cause data loss.
## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`**
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> **The TPM is defending against dictionary attacks and is in a time-out period.**
### Cause of TPM failing to prepare
The TPM is locked out.
### Resolution
### Resolution for TPM failing to prepare
To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
To resolve this issue, disable and re-enable the TPM with the following steps:
1. Restart the device, and change the BIOS configuration to disable the TPM.
2. Restart the device again, and return to the TPM management console. Following message is displayed:
> Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens.
3. Restart the device, and change the BIOS configuration to enable the TPM.
4. Restart the device, and return to the TPM management console.
2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens.
If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows.
4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed:
> **Compatible TPM cannot be found**
>
> **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.**
This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device.
5. Restart the device and enter the UEFI/BIOS configuration screens again.
6. Reenable the TPM in the UEFI/BIOS configuration screens.
7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows.
8. Once signed into Windows, return to the TPM management console.
If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can cause data loss.
## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**
You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**.
### Cause
### Cause of **`Access Denied`** or **`Insufficient Rights`**
The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run.
The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on.
This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
### Resolution
### Resolution for **`Access Denied`** or **`Insufficient Rights`**
To verify that you have correctly identified this issue, use one of the following methods:
To verify this issue is occurring, use one of the following two methods:
- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy.
- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=<domain>,DC=com`** container.
1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
```powershell
``` powershell
Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
```
In this command, *ComputerName* is the name of the affected computer.
1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**.
## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`**
Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled**
You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
### Cause
### Cause of **0x80072030: There is no such object on the server**
The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
### Resolution
### Resolution for **0x80072030: There is no such object on the server**
To resolve this issue, follow these steps:
The issue can be resolved with the following steps:
1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
3. In the script, modify the value of **strPathToDomain** to your domain name.
3. In the script, modify the value of **strPathToDomain** to the organization's domain name.
4. Open an elevated PowerShell window, and run the following command:
```powershell
cscript <Path>Add-TPMSelfWriteACE.vbs
``` syntax
cscript.exe <Path>\Add-TPMSelfWriteACE.vbs
```
In this command \<*Path*> is the path to the script file.
In this command, \<*Path*> is the path to the script file.
For more information, see the following articles:
- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)
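Review bot: the data-loss warning added after step 3 of the first resolution (the `> [!WARNING]` block) should sit before step 1, because the script in step 1 already queues the TPM clear (physical presence request 22) and a reader following the steps in order will have run it before reaching the warning; the same applies to the warning placed after the tpm.msc disable/re-enable procedure. The principal in the dsacls step is carried over as `NTAUTHORITY/SELF`; the well-known account is spelled `NT AUTHORITY\SELF`, which is also the form dsacls.exe accepts. Style: the phrasing "It's attempted to turn on BitLocker drive encryption on a device but it fails" is repeated in four new scenario openers and reads awkwardly; "An attempt to turn on BitLocker drive encryption on a device fails with an error message similar to the following" says the same thing. Minor: the new fences add a space after the backticks (`\`\`\` powershell`) and the cscript.exe block is retagged `syntax`; keep the fence tags in the form the rest of the document uses.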

View File

@ -1,6 +1,6 @@
---
title: BitLocker configuration known issues
description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
ms.reviewer: kaushika
ms.technology: itpro-security
ms.prod: windows-client
@ -16,71 +16,81 @@ ms.custom: bitlocker
# BitLocker configuration: known issues
This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
## BitLocker encryption is slower in Windows 10 and Windows 11
In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance.
To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.
To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives.
> [!IMPORTANT]
> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
### Benefits of using the new conversion model
By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began&mdash;that is, potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial.
By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial.
By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
### Other BitLocker enhancements
After Windows 7 was released, several other areas of BitLocker were improved:
Several other areas of BitLocker were improved in version of Windows released after Windows 7:
- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
- BitLocker Wizard
- manage-bde
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces:
- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
- BitLocker Wizard
- manage-bde.exe
- Group Policy Objects (GPOs)
- Mobile Device Management (MDM) policy
- Windows PowerShell
- Windows Management Interface (WMI)
- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup.
- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart.
- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption
Consider the following scenario:
1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V.
1. You add data to the data disk as it encrypts.
1. You restart the VM, and observe the following:
- The system volume is not encrypted.
- The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
- You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V.
### Cause
2. Data is added to the data disk as it encrypts.
This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM.
3. The VM is restarted and the following behavior is observed:
### Resolution
- The system volume isn't encrypted.
- The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**.
- A message similar to the following message is displayed:
> **You need to format the disk in \<*drive_letter:*> drive before you can use it**
### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM.
### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
To resolve this issue, remove the third-party software.
## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a "production snapshot" of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
Consider the following scenario:
A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup.
This issue occurs regardless of any of the following variations in the environment:
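Review bot: the rewritten intro to "Other BitLocker enhancements" reads "in version of Windows released after Windows 7" and should be "in versions of Windows released after Windows 7". In the production-snapshots scenario, "Volume Snap-Shot (VSS) service" is carried over from the old line; VSS is the Volume Shadow Copy Service, so expand it as "Volume Shadow Copy Service (VSS)". Minor: in the DMA Port Protection bullet, "a device's DMA ports can be blocked which secures the device" needs a comma before "which".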
@ -88,94 +98,94 @@ This issue occurs regardless of any of the following variations in the environme
- Whether the VMs are generation 1 or generation 2.
- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
In the domain controller application log, the VSS event source records event ID 8229:
In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**:
> ID: 8229
> Level: Warning
> Source: VSS
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:
> ID: 8229<br>
> Level: Warning<br>
> Source: VSS<br>
> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.<br>
>
> Changes that the writer made to the writer components while handling the event will not be available to the requester.<br>
>
> Check the event log for related events from the application hosting the VSS writer.
>
> Operation:<br>
> PostSnapshot Event
>
> Context:
> Execution Context: Writer
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> Writer Name: NTDS
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
> Command Line: C:\\Windows\\system32\\lsass.exe
>
> Process ID: 680
>
> Context:<br>
> Execution Context: Writer<br>
> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}<br>
> Writer Name: NTDS<br>
> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}<br>
> Command Line: C:\\Windows\\system32\\lsass.exe<br>
>
> Process ID: 680
In the domain controller Directory Services event log, you see an event that resembles the following:
In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event:
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168
> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168<br>
> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
>
> &nbsp;Additional Data
> &nbsp;&nbsp;Error value (decimal): -1022
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
>
> Additional Data<br>
> Error value (decimal): -1022<br>
>
> Error value (hex): fffffc02
>
> Internal ID: 160207d9
> [!NOTE]
> The internal ID of this event may differ based on your operating system release and path level.
> The internal ID of this event may differ based on the operating system release version and patch level.
After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:
When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
> Writer name: 'NTDS'
> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
> &nbsp;&nbsp;State: \[11\] Failed
> &nbsp;&nbsp;Last error: Non-retryable error
``` error
Writer name: 'NTDS'
Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
State: [11] Failed
Last error: Non-retryable error
```
Additionally, you cannot back up the VMs until you restart them.
Additionally, the VMs can't be backed up until they're restarted.
### Cause
### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
This behavior is by design.
### Workaround
### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
There is one supported way to perform backup and restore of a virtualized domain controller:
A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system.
- Run Windows Server Backup in the guest operating system.
If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended.
For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
### More information
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
```console
``` console
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
```
The operation produces the following call stack:
```console
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
```
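Review bot: the fence tag on the new vssadmin output block (`error`) is not a language name; tag it `console` like the LSASS and call-stack blocks that follow, and drop the space after the backticks in the new `\`\`\` console` fence so it matches the unchanged `\`\`\`console` fence on the call-stack block. The rewritten Workaround sentence changes "There is one supported way" to "A supported way", which reads as though other supported methods exist; if Windows Server Backup in the guest is still the only supported method, say "The only supported way". The LSASS and call-stack blocks are rewritten but every visible line is identical to the line it replaces, so this part of the hunk appears to be a whitespace-only change that makes the diff harder to review.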