Edits

windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md

@@ -11,34 +11,34 @@ manager: kaushika
 audience: ITPro
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/14/2019
+ms.date: 10/18/2019
 ---
 
 # BitLocker recovery: known issues
 
-This article describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
+This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues.
 
 > [!NOTE]
 > In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors).
 
-## Windows 10 asks for a BitLocker recovery password even though you did not set up a recovery password
+## Windows 10 prompts for a non-existing BitLocker recovery password
 
-Windows 10 prompts you for a BitLocker recovery password. However, you have not configured a BitLocker recovery password.
+Windows 10 prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password.
 
 ### Resolution
 
-The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses two situations that may produce this symptom, and provides information about how to resolve the issue:
+The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue:
 
 - [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
 - [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
 
-## The recovery key for a laptop was not backed up, and the laptop is locked
+## The recovery password for a laptop was not backed up, and the laptop is locked
 
-You have a Windows 10 Home laptop, and you need to recover its hard drive. The drive was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery key was not backed up, and the usual user of the laptop is not available to provide the key.
+You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
 
 ### Resolution
 
-You can use either of the following approaches to manually back up or synchronize an online client's existing recovery information:
+You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
 
 - Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](https://docs.microsoft.com/windows/win32/secprov/bitlocker-drive-encryption-provider).
 
@@ -50,7 +50,8 @@ You can use either of the following approaches to manually back up or synchroniz
    manage-bde -protectors -adbackup C:
    ```
 
-BitLocker does not automatically manage this backup process. 
+> [!NOTE]
+> BitLocker does not automatically manage this backup process.  
 
 ## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
 
@@ -60,16 +61,16 @@ You have a tablet or slate device, and you try to test BitLocker Recovery by run
 Manage-bde -forcerecovery
 ```
 
-However, when you enter the recovery password, the device goes into state in which it cannot start.
+However, after you enter the recovery password, the device cannot start.
 
 ### Cause
 
 > [!IMPORTANT]
 > Tablet devices do not support the **manage-bde -forcerecovery** command.
 
-This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet device, it redirects the startup process to the Windows Recovery Environment (WindowsRE), which can process touch input.
+This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input.
 
-If WindowsRE detects the TPM protector on the hard drive, it performs a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard drive, so WindowsRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle, and therefore you can't boot to Windows.
+If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
 
 This behavior is by design for all versions of Windows.
 
@@ -81,31 +82,31 @@ To resolve the restart loop, follow these steps:
 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
 1. In the Command Prompt window, run the following commands :
    ```cmd
-   manage-bde –unlock C: -rp <48-digit BitLocker recovery key>
+   manage-bde –unlock C: -rp <48-digit BitLocker recovery password>
    manage-bde -protectors -disable C:
    ```
 1. Close the Command Prompt window.
 1. Shut down the device.
 1. Start the device. Windows should start as usual.
 
-## After you install updates to the UEFI or TPM firmware on a Surface device, BitLocker prompts for the recovery key
+## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
 
-You have a Surface device that has BitLocker Drive Encryption turned on. You install a firmware update that updates the firmware of the device TPM or changes the signature of the system firmware. For example, you install the Surface dTPM (IFX) update.
+You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
 
-You encounter one or more of the following symptoms on your Surface device:
+You experience one or more of the following symptoms on the Surface device:
 
-- At startup, you are prompted for your BitLocker recovery key. You enter the correct recovery key, but Windows doesn’t start up.
+- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up.
 - Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
-- Your Surface device appears to be in an infinite restart loop.
+- The Surface device appears to be in an infinite restart loop.
 
 ### Cause
 
-This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. Such a configuration results when, for example,
+This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
 
 - Secure Boot is turned off.
 - PCR values have been explicitly defined, such as by Group Policy.
 
-Devices that support Connected Standby (also known as InstantGO or Always On, Always Connected PCs), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://technet.microsoft.com/library/jj679890\(v=ws.11\).aspx?#About%20the%20Platform%20Configuration%20Register%20\(PCR\)).
+Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://technet.microsoft.com/library/jj679890\(v=ws.11\).aspx?#About%20the%20Platform%20Configuration%20Register%20\(PCR\)).
 
 ### Resolution
 
@@ -115,25 +116,18 @@ To verify the PCR values that are in use on a device, open and elevated Command
 manage-bde.exe -protectors -get \<OSDriveLetter\>:
 ```
 
-To resolve this issue and repair the device, follow these steps:
+To resolve this issue and repair the device, follow these steps.
 
-1. If your device is unable to start, even when you enter the correct BitLocker Recovery key, restore the ability to start by [disabling the TPM protectors on the boot drive](#step-1).
-1. If you cannot recover the device by using step 1, [use Surface Bare Metal Recovery (BMR) to recover data and reset your device](#step-2).
-1. To prevent the issue from occurring again, [restore the default PCR values](#3-restore-the-default-pcr-values).
-   > [!NOTE]
-   > If for some reason you have to use a different PCR configuration, you have to [suspend BitLocker during TPM or UEFI firmware updates](#suspend-bitlocker-during-tpm-or-uefi-firmware-updates).
-1. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
+#### <a id="step-1"></a>Step 1: Disable the TPM protectors on the boot drive
 
-#### <a id="step-1"></a>1. Disable the TPM protectors on the boot drive
-
-If you have installed a TPM or UEFI update and your device is unable to boot, even when you enter the correct BitLocker Recovery key, you can restore the ability to boot by using the BitLocker recovery key and a Surface recovery image to remove the TPM protectors from the boot drive.
+If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
 
 To do this, follow these steps:
 
-1. Obtain your BitLocker recovery key from [go.microsoft.com/fwlink/p/?LinkId=237614](http://go.microsoft.com/fwlink/p/?LinkId=237614), or if BitLocker is managed by other means such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator.
+1. Obtain your BitLocker recovery password from [go.microsoft.com/fwlink/p/?LinkId=237614](http://go.microsoft.com/fwlink/p/?LinkId=237614). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
 1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
-1. When prompted, select the following:
+1. When you are prompted, select the following items:
    1. Your operating system language.
    1. Your keyboard layout.
 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
@@ -142,52 +136,53 @@ To do this, follow these steps:
    manage-bde -unlock -recoverypassword <Password> <DriveLetter>:  
    manage-bde -protectors -disable <DriveLetter>:  
    ```
-   where \<*Password*\> is your BitLocker recovery key as obtained in step 1, and \<*DriveLetter*> is the drive letter assigned to your operating system drive.  
+   In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
    > [!NOTE]
-   > For more information about using this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock).
+   > For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock).
 1. Restart the computer.
-1. When prompted, enter your BitLocker recovery key as obtained in step 1.
+1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
 
 > [!NOTE]
 > After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
 
-#### <a id="step-2"></a>2. Use Surface BMR to recover data and reset your device
+#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
 
-To recover data from your Surface device if you are unable to start Windows, follow steps 1 through 5 of [step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
+To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
 
-1. In the Command Prompt window, run the following command:  
+1. At the command prompt, run the following command:  
    ```cmd
    manage-bde -unlock -recoverypassword <Password> <DriveLetter>:  
    ```
-   where \<*Password*\> is your BitLocker recovery key as obtained in step 1, and \<*DriveLetter*> is the drive letter assigned to your operating system drive.  
-1. After the drive is unlocked, use **copy** or **xcopy** commands to copy the user data to another drive.  
+   In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
+1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.  
    > [!NOTE]
    > For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands).
   
-1. To reset your device by using a Surface recovery image: Follow the instructions in  "How to reset your Surface using your USB recovery drive" at [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  
+1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  
 
-#### 3. Restore the default PCR values
+#### Step 3: Restore the default PCR values
 
 To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values.
 
-To enable Secure Boot on a Surface device:
+To enable Secure Boot on a Surface device, follow these steps:
 
-1. Suspend BitLocker by opening an elevated Windows PowerShell window, and running the following cmdlet:
+1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
    ```ps
    Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
    ```
-   where <*DriveLetter*> is the letter assigned to your drive.
-1. Restart the device and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
-1. Restart the device and then open an elevated PowerShell window. Run the following cmdlet:  
+   In this command, <*DriveLetter*> is the letter that is assigned to your drive.
+1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
+1. Restart the device.
+1. Open an elevated PowerShell window, and run the following cmdlet:  
    ```ps
    Resume-BitLocker -MountPoint "<DriveLetter>:"
    ```
 
-To reset the PCR settings on the TPM:
+To reset the PCR settings on the TPM, follow these steps:
 
-1. Disable any Group Policies that configure the PCR settings, or remove the device from any groups that enforce such policies.  
+1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.  
    For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings).
-1. Suspend BitLocker by opening an elevated Windows PowerShell window, and running the following cmdlet:
+1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
    ```ps
    Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
    ```
@@ -197,14 +192,14 @@ To reset the PCR settings on the TPM:
    ```ps
    Resume-BitLocker -MountPoint "<DriveLetter>:"
 
-#### Suspend BitLocker during TPM or UEFI firmware updates
+#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
 
-You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
+You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
 
 > [!IMPORTANT]
 > TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values:
-> - **2** or greater. This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
-> - **0**. This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/en-us/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection.
+> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
+> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/en-us/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection.
 
 To suspend BitLocker while you install TPM or UEFI firmware updates:
 
@@ -212,26 +207,26 @@ To suspend BitLocker while you install TPM or UEFI firmware updates:
    ```ps
    Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
    ```
-   where <*DriveLetter*> is the letter assigned to your drive.
+   In this cmdlet <*DriveLetter*> is the letter htat is assigned to your drive.
 1. Install the Surface device driver and firmware updates.
-1. After you install the firmware updates, restart the computer and then open an elevated PowerShell window. Run the following cmdlet:  
+1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:  
    ```ps
    Resume-BitLocker -MountPoint "<DriveLetter>:"
    ```
 
-## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and gives error 0xC0210000
+To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
 
-You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016, and Hyper-V is enabled on the device. After you install an affected update and restart the computer, it enters BitLocker recovery mode and you see error code 0xC0210000.
+## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
+
+You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
 
 ### Workaround
 
-If your device is already in this state, follow these steps:
+If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
 
-you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WindowsRE)
-
-1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the key was stored when BitLocker Drive Encryption was first turned on.
-1. On the Recovery screen, press Enter. When prompted, enter the recovery password.
-1. If your device starts in the Windows Recovery Environment (WindowsRE) and prompts for the recovery key again, select **Skip the drive**.
+1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
+1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
+1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
 1. In the Command Prompt window, run the following commands:
    ```cmd
@@ -242,9 +237,9 @@ you can successfully start Windows after suspending BitLocker from the Windows R
    
    These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
    > [!NOTE]
-   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option only works inside the operating system and does not work in the recovery environment.
+   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
 1. Select **Continue**. Windows should start.
-1. After Windows has started, open an elevated Command Prompt (i.e. run Command Prompt as administrator) and run the following command:
+1. After Windows has started, open an elevated Command Prompt window and run the following command:
    ```cmd
    Manage-bde -protectors -enable c:
    ```
@@ -252,20 +247,22 @@ you can successfully start Windows after suspending BitLocker from the Windows R
 > [!IMPORTANT]
 > Unless you suspend BitLocker before you start the device, this issue recurs.
 
-To temporarily suspend BitLocker just before restarting the device, open an elevated Command Prompt window and run the following command:
+To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
+
 ```cmd
 Manage-bde -protectors -disable c: -rc 1
 ```
+
 ### Resolution
 
 To resolve this issue, install the appropriate update on the affected device:  
 
 - For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
-- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/en-us/help/4507450/windows-10-update-kb4507450)
+- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/en-us/help/4507460/windows-10-update-kb4507460)
 
-## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery key and gives error 0xC0210000
+## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
 
-You have a device that has TPM 1.2 and Windows 10 1809, and uses [Virtualization-based Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time you start the device, it enters BitLocker Recovery mode and you see error code 0xc0210000.
+You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000.
 
 ![Recovery Your PC/Device needs to be repaired](./images/4496645_en_1.png)
 
@@ -280,6 +277,6 @@ For more information about this technology, see [Windows Defender System Guard:
 To resolve this issue, do one of the following:
 
 - Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch.
-- Modify the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
+- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
 
    ![The Turn On Virtualization Based Security policy dialog box](./images/4496674_en_1.png)