This commit is contained in:
Teresa-Motiv 2019-10-18 15:08:29 -07:00
parent 720168fd72
commit 75abe52e2a
3 changed files with 11 additions and 11 deletions

View File

@ -1,5 +1,5 @@
---
title: BitLocker cannot encrypt a drive known TPM issues
title: BitLocker cannot encrypt a drive known TPM issues
description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
ms.reviewer: kaushika
ms.prod: w10
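Review bot: the removed and added `title:` lines read identically here ("BitLocker cannot encrypt a drive known TPM issues"), so the intended change is not visible in this hunk; if it was a whitespace-only edit, a more useful change would be to make the front-matter title match the H1 that appears later in this file, `BitLocker cannot encrypt a drive: known TPM issues`, and to quote the value, since a YAML scalar containing a colon followed by a space should be quoted.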
@ -11,7 +11,7 @@ manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/7/2019
ms.date: 10/18/2019
---
# BitLocker cannot encrypt a drive: known TPM issues
@ -69,7 +69,7 @@ You have an environment that enforces the policy **Do not enable BitLocker until
### Cause
The TPM did not have sufficient permissions on the TPM Devices container in AD DS. Therefore, the BitLocker recovery key could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
The TPM did not have sufficient permissions on the TPM Devices container in AD DS. Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run.
This issue appears to be limited to computers that run versions of Windows that are older than Windows 10.
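Review bot: the wording "recovery information" is consistent with the rename made in the other two files in this commit, but the sentence's subject still reads "The TPM did not have sufficient permissions on the TPM Devices container in AD DS", which attributes directory permissions to the TPM itself rather than to the account performing the backup; consider rewording the first sentence so that the permission holder and the object being written are clearly distinguished.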

View File

@ -49,7 +49,7 @@ After Windows 7 was released, several other areas of BitLocker were improved:
- Windows PowerShell
- Windows Management Interface (WMI)
- **Integration with Azure Active Directory** (Azure AD). BitLocker can store keys in Azure AD to make them easier to recover.
- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
- **[Direct memory access (DMA) port protection](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
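Review bot: the new item ends "to make it easier to recover", where "it" now refers back to "recovery information" and reads as if the information itself is being recovered; "to make recovery easier" would be clearer. Also, the unchanged context line "Windows Management Interface (WMI)" expands the acronym incorrectly; WMI stands for Windows Management Instrumentation, and since this list is being touched it is worth fixing in the same commit.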

View File

@ -11,7 +11,7 @@ manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/14/2019
ms.date: 10/18/2019
---
# Enforcing BitLocker policies by using Intune: known issues
@ -82,7 +82,7 @@ The event information resembles the following:
### Cause
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start Windows RE.
Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
@ -90,7 +90,7 @@ If WinRE is not available on the device, provisioning stops.
### Resolution
You can resolve this issue by verifying the configuration of the disk partitions, the status of Windows RE, and the Windows Boot Loader configuration. To do this, follow these steps.
You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps.
#### Step 1: Verify the configuration of the disk partitions
@ -215,7 +215,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a
In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery key in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
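Review bot: this hunk changes "recovery key" to "recovery password" for what is stored in Azure AD, while the corresponding edits in the other two files of this commit change "recovery key" to "recovery information"; if the distinction is deliberate (the Azure AD case referring specifically to the password), it would help to use the same term consistently within this file, including the figure alt text later in the document, so readers do not take the two terms to mean different things.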
@ -242,7 +242,7 @@ These events refer to Error code 0x80072f9a.
### Cause
These events indicate that the logged-on user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
The issue affects Windows 10 version 1809.
@ -331,9 +331,9 @@ During regular operations, BitLocker Drive Encryption generates events such as E
![Event ID 845, as shown in Event Viewer](./images/4509204_en_1.png)
You can also determine whether the BitLocker recovery key has been uploaded to Azure by checking the device details in the Azure AD Devices section.
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery key information as viewed in Azure AD](./images/4509205_en_1.png)
![BitLocker recovery information as viewed in Azure AD](./images/4509205_en_1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
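Review bot: within this hunk the sentence now says "recovery password has been uploaded to Azure AD" while the image alt text immediately below it was changed to "BitLocker recovery information as viewed in Azure AD"; since both describe the same screen, align the two on one term (for example "recovery password" in both) so the alt text matches the sentence it illustrates.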