New files for Bitlocker troubleshooting

CI 105366

windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md

@@ -0,0 +1,67 @@
+# Troubleshoot BitLocker
+
+
+## Collect data
+
+### Review the Event logs on the affected computer
+
+Open Event Viewer and review the following logs under applications and services logs\\Microsoft\\Windows:
+
+- **BitLocker-API**. Review the Management log and the Operational log, and any other logs that are generated in this folder.
+- **BitLocker-DrivePreparationTool**. Review the Admin log and the Operational log, and any other logs that are generated in this folder.
+
+> [!NOTE]
+> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section. Use the [wevtutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil) command-line tool to export logs.
+
+### Check the status of the components that BitLocker uses
+
+Open an elevated Windows PowerShell window, and run each of the following commands:
+
+|Command |Notes |
+| - | - |
+|[**get-tpm \> C:\\TPM.txt**](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
+|[**manage-bde –status \> C:\\BDEStatus.txt**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
+|[**manage-bde c: <br />-protectors -get \>&nbsp;C:\\Protectors**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key.  |
+|[**reagentc /info \> C:\\reagent.txt**](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about the current status of the Windows Recovery Environment (Windows RE) and any available recovery image on an online or offline image |
+
+### Other information to gather
+
+1. Open an elevated Command Prompt window, and run the following commands:
+
+   |Command |Notes |
+   | - | - |
+   |[**gpresult /h \<Filename>**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult) |Exports the resultant set of Group Policy, and saves the information as an HTML file. |
+   |[**msinfo /report \<Path> /computer&nbsp;\<ComputerName>**](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a TXT file. |
+
+1. Open Registry Editor, and export the entries in the following subkeys:
+
+   - **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
+   - **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
+
+## Check the BitLocker prerequisites
+
+Common settings that can cause problems for BitLocker&mdash;or may help you narrow down the cause of the problem&mdash;include the following:
+
+- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
+- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of Windows RE.
+- The system reserved partition must use the correct format.
+  - On Unified Extensible Firmware Interface (UEFI) computers, the system reserved partition must be formatted as FAT32.
+  - On legacy computers, the system reserved partition must be formatted as NTFS.
+- If the device that you are troubleshooting is a Slate, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates**.
+
+For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-basic-deployment#using-bitlocker-to-encrypt-volumes)
+
+## Next steps
+
+If the information that you have examined so far indicates a specific problem (for example, if Windows RE is not enabled), the problem that you have may have a straightforward fix.
+
+Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information you have gathered can help you narrow down the areas to investigate.
+
+- If you are working with a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune--known issues](ts-bitlocker-intune-issues.md).
+- If BitLocker does not encrypt a drive and you note errors or events that are related to the TPM, see [BitLocker and TPM--known issues](ts-bitlocker-tpm-issues.md).
+- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive--known issues](ts-bitlocker-cannot-encrypt-issues.md).
+- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock--known issues](ts-bitlocker-network-unlock-issues.md.md).
+- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery--known issues](ts-bitlocker-recovery-issues.md).
+- If BitLocker does not behave as expected or the encrypted drive does not behave as expected, see [BitLocker configuration--known issues](ts-bitlocker-config-issues.md).
+
+If you decide to contact Microsoft Support to resolve your issue, remember to keep the information that you have gathered handy.

windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md

@@ -0,0 +1,291 @@
+---
+title: Troubleshoot BitLocker configuration scenarios
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+# Troubleshoot BitLocker configuration scenarios
+
+<a id="list"></a>
+- ["Access is denied" message when you try to encrypt removable drives](#scenario-1)
+- [In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7](#scenario-2)
+- [Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption](#scenario-3)
+- [Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks](#scenario-4)
+- [Cannot turn on BitLocker encryption on Windows 10 Professional](#scenario-5)
+
+## <a id="scenario-1"></a>"Access is denied" message when you try to encrypt removable drives
+
+### Symptoms
+
+You have a computer that is running Windows 10, version 1607 or version 1709.
+
+You try to encrypt a USB drive by following these steps:
+
+1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
+1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
+1. Follow the instructions on the page to enter your password and then re-enter it.
+1. On the **are you ready to encrypt this drive?** page, select **Start encrypting**.
+1. The **Starting encryption** page displays the message "Access is denied."
+
+You receive this message on any computer that runs Windows 10 version 1607 or version 1709, and with any USB drive.
+
+### Cause
+
+The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
+
+To verify the presence of this issue, follow these steps:
+
+1. On an affected computer, open an elevated Command Prompt window and an elevated Powershell window.
+
+1. In the Command Prompt window, enter the following command:
+
+   ```cmd
+   C:\>sc sdshow bdesvc
+   ```
+
+   The output of this command resembles the following:
+
+   > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+
+1. Copy this output, and then use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows:
+
+   ![](./images/ts-bitlocker-usb-sddl.png)
+
+   If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the problem. Under normal conditions, the output should resemble the following:
+
+   ![default](./images/ts-bitlocker-usb-default-sddl.png)
+
+> [!NOTE]
+> Group Policy Objects that change the security descriptors of services have been known to cause this issue.
+
+### Resolution
+
+1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
+
+   ```ps
+   sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+   ```
+
+1. Restart the computer.
+
+The issue should now be resolved.
+
+[Back to list](#list)
+
+## <a id="scenario-2"></a>In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/3217793>
+
+### Symptoms
+
+Encryption on the same hardware takes longer on Window 10 as compared to Windows 7.
+
+### Cause
+
+In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. this behavior reduces the chance of BitLocker affecting the computer's performance.
+
+To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), ensures that on all client SKUs and on any internal drives, any new disk writes are always encrypted *as soon as you turn on BitLocker*.
+
+> [!IMPORTANT]
+> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
+
+#### Benefits of using the new conversion model
+
+Using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100% complete. Before the process completes, the data that existed on the drive before encryption began&mdash;potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to complete before you store sensitive data on the drive. Depending on the size of the drive, this wait time can be substantial.
+
+Using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker, before the encryption process finishes. You can use the drive immediately, and the encryption process does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
+
+#### Other BitLocker enhancements
+
+After Windows 7 was released, several other areas of BitLocker were improved:
+
+- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text.
+
+   By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
+
+- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
+   -  BitLocker Wizard
+   - manage-bde
+   - Group Policy Objects (GPOs)
+   - Mobile Device Managment (MDM) policy
+   - Windows PowerShell
+   - Windows Management Interface (WMI)
+
+- **Integration with Azure Active Directory**. BitLocker can store keys in Azure AD, which makes them easier to recover.
+
+- **[Direct memory access (DMA) port protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
+
+- **[BitLocker Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
+
+- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
+
+- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
+
+[Back to list](#list)
+
+## <a id="scenario-3"></a>Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
+
+### Symptoms
+
+1. You turn on BitLocker on a generation-2 virtual machine that runs on Hyper-V.
+1. You add data to the data disk as it encrypts.
+1. You restart the virtual machine, and observe the following:
+   - The system volume is not encrypted.
+   - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
+   - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
+
+
+### Cause
+
+The third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the virtual machine.
+
+### Resolution
+
+To resolve this issue, remove the third-party software.
+
+{Note to reviewers: the original text says "We uninstalled the 3rd party Storage craft software and could fix the issue." This section needs to include *how* to fix the issue. Does the VM recognize the drive as soon as the 3rd-party app is gone? Do you have to restore the drive from a backup, then re-encrypt it?}
+
+[Back to list](#list)
+
+## <a id="scenario-4"></a>Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
+
+### Symptoms
+
+You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting virtual machines (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
+
+This issue occurs regardless of any of the following variations in the environment:
+
+- How the domain controller volumes are unlocked.
+- Whether the virtual machines are generation 1 or generation 2.
+- whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
+
+In the domain controller Application Event Log, the VSS event source records Event ID 8229:
+
+> ID: 8229  
+> Level: Warning  
+> ‎Source: VSS  
+> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.  
+>  
+> Changes that the writer made to the writer components while handling the event will not be available to the requester.  
+>  
+> Check the event log for related events from the application hosting the VSS writer.  
+>  
+> Operation:  
+> PostSnapshot Event
+>  
+> Context:  
+> Execution Context: Writer
+> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+> Writer Name: NTDS  
+>  Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
+> Command Line: C:\\Windows\\system32\\lsass.exe
+>  
+> Process ID: 680  
+
+In the domain controller Directory Services Event Log, you see an event that resembles the following:
+
+> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168  
+> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
+>  
+>‎ &nbsp;Additional Data  
+> ‎&nbsp;&nbsp;Error value (decimal):  -1022  
+>  
+> Error value (hex): fffffc02  
+>  
+> Internal ID: 160207d9  
+
+The internal ID of this event may differ based on your operating system release and path level.
+
+After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:  
+
+> Writer name: 'NTDS'  
+> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}  
+> &nbsp;&nbsp;State: \[11\] Failed  
+> &nbsp;&nbsp;Last error: Non-retryable error  
+
+Additionally, you cannot back up the virtual machines until you restart them.
+
+### Cause
+
+After VSS creates a snapshot of a volume, the VSS writer performs "post snapshot" actions. In the case of a "production snapshot", which you initiate from the host server, Hyper-V attempts to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and eventually fails the snapshot.
+
+This behavior is by design.
+
+### Workaround
+
+There is one supported way to perform backup and restore of a virtualized domain controller:
+
+- Run Windows Server Backup in the guest operating system.
+
+If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
+
+For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
+
+### More information
+
+When LSASS processes the access request of the VSS NTDS writer, the result is an error that resembles the following:
+
+```
+\# for hex 0xc0210000 / decimal -1071579136
+‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
+‎ \# This volume is locked by BitLocker Drive Encryption.
+```
+
+The operation produces the following callstack:
+
+```
+\# Child-SP RetAddr Call Site
+‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
+‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
+‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
+‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
+‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
+‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
+‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
+‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
+‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
+‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
+‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
+‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
+```
+
+## <a id="scenario-5"></a>Cannot turn on BitLocker encryption on Windows 10 Professional
+
+### Symptom
+
+When you turn on BitLocker encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
+
+> ERROR: An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
+
+### Cause
+
+Settings that are controlled by Group Policy Objects (GPOs) may be responsible for this issue.
+
+### Resolution
+
+> [!IMPORTANT]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+To resolve this issue, follow these steps:
+
+1. Open Registry Editor, and navigate to **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
+
+1. Delete the following sub-keys:
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\OSPlatformValidation\_BIOS**
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\OSPlatformValidation\_UEFI**
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\PlatformValidation**
+
+1. Exit Registry Editor, and turn on BitLocker encryption again.
+
+[Back to list](#list)

windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md

@@ -0,0 +1,291 @@
+---
+title: Troubleshoot BitLocker configuration scenarios
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+# Troubleshoot BitLocker configuration scenarios
+
+<a id="list"></a>
+- ["Access is denied" message when you try to encrypt removable drives](#scenario-1)
+- [In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7](#scenario-2)
+- [Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption](#scenario-3)
+- [Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks](#scenario-4)
+- [Cannot turn on BitLocker encryption on Windows 10 Professional](#scenario-5)
+
+## <a id="scenario-1"></a>"Access is denied" message when you try to encrypt removable drives
+
+### Symptoms
+
+You have a computer that is running Windows 10, version 1607 or version 1709.
+
+You try to encrypt a USB drive by following these steps:
+
+1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
+1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
+1. Follow the instructions on the page to enter your password and then re-enter it.
+1. On the **are you ready to encrypt this drive?** page, select **Start encrypting**.
+1. The **Starting encryption** page displays the message "Access is denied."
+
+You receive this message on any computer that runs Windows 10 version 1607 or version 1709, and with any USB drive.
+
+### Cause
+
+The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
+
+To verify the presence of this issue, follow these steps:
+
+1. On an affected computer, open an elevated Command Prompt window and an elevated Powershell window.
+
+1. In the Command Prompt window, enter the following command:
+
+   ```cmd
+   C:\>sc sdshow bdesvc
+   ```
+
+   The output of this command resembles the following:
+
+   > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+
+1. Copy this output, and then use it as part of the [**ConvertFrom-SddlString**](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows:
+
+   ![](./images/ts-bitlocker-usb-sddl.png)
+
+   If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the problem. Under normal conditions, the output should resemble the following:
+
+   ![default](./images/ts-bitlocker-usb-default-sddl.png)
+
+> [!NOTE]
+> Group Policy Objects that change the security descriptors of services have been known to cause this issue.
+
+### Resolution
+
+1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
+
+   ```ps
+   sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
+   ```
+
+1. Restart the computer.
+
+The issue should now be resolved.
+
+[Back to list](#list)
+
+## <a id="scenario-2"></a>In Windows 10, BitLocker takes more time to encrypt a drive than in Windows 7
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/3217793>
+
+### Symptoms
+
+Encryption on the same hardware takes longer on Window 10 as compared to Windows 7.
+
+### Cause
+
+In both Windows 10 and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 10, BitLocker is less aggressive about requesting resources. this behavior reduces the chance of BitLocker affecting the computer's performance.
+
+To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), ensures that on all client SKUs and on any internal drives, any new disk writes are always encrypted *as soon as you turn on BitLocker*.
+
+> [!IMPORTANT]
+> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
+
+#### Benefits of using the new conversion model
+
+Using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100% complete. Before the process completes, the data that existed on the drive before encryption began&mdash;potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to complete before you store sensitive data on the drive. Depending on the size of the drive, this wait time can be substantial.
+
+Using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker, before the encryption process finishes. You can use the drive immediately, and the encryption process does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
+
+#### Other BitLocker enhancements
+
+After Windows 7 was released, several other areas of BitLocker were improved:
+
+- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text.
+
+   By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software.
+
+- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
+   -  BitLocker Wizard
+   - manage-bde
+   - Group Policy Objects (GPOs)
+   - Mobile Device Managment (MDM) policy
+   - Windows PowerShell
+   - Windows Management Interface (WMI)
+
+- **Integration with Azure Active Directory**. BitLocker can store keys in Azure AD, which makes them easier to recover.
+
+- **[Direct memory access (DMA) port protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
+
+- **[BitLocker Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
+
+- **Support for [Encrypted Hard Drives](https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
+
+- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
+
+[Back to list](#list)
+
+## <a id="scenario-3"></a>Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
+
+### Symptoms
+
+1. You turn on BitLocker on a generation-2 virtual machine that runs on Hyper-V.
+1. You add data to the data disk as it encrypts.
+1. You restart the virtual machine, and observe the following:
+   - The system volume is not encrypted.
+   - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
+   - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
+
+
+### Cause
+
+The third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the virtual machine.
+
+### Resolution
+
+To resolve this issue, remove the third-party software.
+
+{Note to reviewers: the original text says "We uninstalled the 3rd party Storage craft software and could fix the issue." This section needs to include *how* to fix the issue. Does the VM recognize the drive as soon as the 3rd-party app is gone? Do you have to restore the drive from a backup, then re-encrypt it?}
+
+[Back to list](#list)
+
+## <a id="scenario-4"></a>Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
+
+### Symptoms
+
+You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting virtual machines (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
+
+This issue occurs regardless of any of the following variations in the environment:
+
+- How the domain controller volumes are unlocked.
+- Whether the virtual machines are generation 1 or generation 2.
+- whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
+
+In the domain controller Application Event Log, the VSS event source records Event ID 8229:
+
+> ID: 8229  
+> Level: Warning  
+> ‎Source: VSS  
+> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.  
+>  
+> Changes that the writer made to the writer components while handling the event will not be available to the requester.  
+>  
+> Check the event log for related events from the application hosting the VSS writer.  
+>  
+> Operation:  
+> PostSnapshot Event
+>  
+> Context:  
+> Execution Context: Writer
+> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+> Writer Name: NTDS  
+>  Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
+> Command Line: C:\\Windows\\system32\\lsass.exe
+>  
+> Process ID: 680  
+
+In the domain controller Directory Services Event Log, you see an event that resembles the following:
+
+> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168  
+> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
+>  
+>‎ &nbsp;Additional Data  
+> ‎&nbsp;&nbsp;Error value (decimal):  -1022  
+>  
+> Error value (hex): fffffc02  
+>  
+> Internal ID: 160207d9  
+
+The internal ID of this event may differ based on your operating system release and path level.
+
+After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:  
+
+> Writer name: 'NTDS'  
+> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
+> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}  
+> &nbsp;&nbsp;State: \[11\] Failed  
+> &nbsp;&nbsp;Last error: Non-retryable error  
+
+Additionally, you cannot back up the virtual machines until you restart them.
+
+### Cause
+
+After VSS creates a snapshot of a volume, the VSS writer performs "post snapshot" actions. In the case of a "production snapshot", which you initiate from the host server, Hyper-V attempts to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and eventually fails the snapshot.
+
+This behavior is by design.
+
+### Workaround
+
+There is one supported way to perform backup and restore of a virtualized domain controller:
+
+- Run Windows Server Backup in the guest operating system.
+
+If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
+
+For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
+
+### More information
+
+When LSASS processes the access request of the VSS NTDS writer, the result is an error that resembles the following:
+
+```
+\# for hex 0xc0210000 / decimal -1071579136
+‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
+‎ \# This volume is locked by BitLocker Drive Encryption.
+```
+
+The operation produces the following callstack:
+
+```
+\# Child-SP RetAddr Call Site
+‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
+‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
+‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
+‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
+‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
+‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
+‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
+‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
+‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
+‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
+‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
+‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
+```
+
+## <a id="scenario-5"></a>Cannot turn on BitLocker encryption on Windows 10 Professional
+
+### Symptom
+
+When you turn on BitLocker encryption on a computer that is running Windows 10 Professional, you receive a message that resembles the following:
+
+> ERROR: An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
+
+### Cause
+
+Settings that are controlled by Group Policy Objects (GPOs) may be responsible for this issue.
+
+### Resolution
+
+> [!IMPORTANT]
+> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
+
+To resolve this issue, follow these steps:
+
+1. Open Registry Editor, and navigate to **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
+
+1. Delete the following sub-keys:
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\OSPlatformValidation\_BIOS**
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\OSPlatformValidation\_UEFI**
+   - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\PlatformValidation**
+
+1. Exit Registry Editor, and turn on BitLocker encryption again.
+
+[Back to list](#list)

windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md

@@ -0,0 +1,80 @@
+---
+title: Decode Measured Boot logs to track PCR changes
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+# Decode Measured Boot logs to track PCR changes
+
+From [https://internal.support.services.microsoft.com/en-us/help/4345799](https://internal.support.services.microsoft.com/en-us/help/4345799)
+
+[TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation)
+[Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices)
+
+Measured Boot logs are located under C:\\Windows\\Logs\\MeasuredBoot\\ directory.
+
+These logs can be used to figure out which Platform Configuration Register (PCR) got changed resulting into Bitlocker recovery and also figure out what all events were measured into a particular PCR helping us to explain why that PCR changed in the first place.
+
+## Install TBSLogGenerator
+
+You can follow the same steps and thereby use the same tool (TBSLogGenerator.exe) so as to decode the Measured Boot logs collected from pre-Windows 10 machine(s) as well.
+
+Install Hardware Lab Kit—Controller + Studio on a Windows Server 2016 machine which has TPM enabled and ready for use. You can also install HLK on a W2K16 Gen 2 Hyper-V VM as we could make use of the virtual TPM. You can also install HLK on a W2K16 Gen 2 Hyper-V VM as we could make use of the virtual TPM.
+
+1. Download the Windows Hardware Lab Kit from one of the following locations:
+
+   - [Windows Hardware Lab Kit](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/)
+   - Direct Download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
+
+1. Accept the default installation path.
+
+   ![](./images/ts-tpm-1.png)
+
+1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
+
+   ![](./images/ts-tpm-2.png)
+
+1. Finish the installation.
+
+## Use TBSLogGenerator to decode Measured Boot logs
+
+1. Once installed, launch an elevated command prompt and navigate to the following directory: C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb
+
+   This directory contains a tool named as TBSLogGenerator.exe, which is going to be used to decode the Measured Boot logs.
+
+   ![](./images/ts-tpm-3.png)
+
+1. Run the following command:
+   ```cmd
+   TBSLogGenerator.exe -LF <directory which contains the Measuredboot log to be decoded>\<name of the log>.log > <Target directory where the decoded file should be placed>\<name of the file>.txt
+   ```
+
+   For example, in the following screenshot, the MeasuredBoot logs have been collected from a target Windows 10 machine and placed in the C:\\MeasuredBoot\\ directory. I have executed the command as follows so as to decode the **0000000005-0000000000.log** file:
+
+    ```cmd
+    TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
+    ```
+
+   ![](./images/ts-tpm-4.png)
+
+   After the command finishes, you will get a text file with the name specified. As per the above screenshot it is **0000000005-0000000000.txt**  in the same directory where the original .log file is present.
+
+   ![](./images/ts-tpm-5.png)
+
+1. Open this **0000000005-0000000000.txt** file and you should see something like below:
+
+   ![](./images/ts-tpm-6.png)
+
+1. If you go to the end of the text file, you will see the PCR info.
+
+   ![](./images/ts-tpm-7.png)

windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md

@@ -0,0 +1,213 @@
+---
+title: Intune: Troubleshoot BitLocker enforcement
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+# Intune: Troubleshoot BitLocker enforcement
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/4502051>
+
+On the portal, you should see the Bitlocker encryption failing as shown here:
+
+![](./images/4509189_en_1.png)
+
+Reasons for failure can be many. The best place to start looking for error reason is the event viewer **Applications and Services log** > **Windows** > **Bitlocker API**.
+
+The following sections provide more information about resolving the following events and error messages:
+
+- [Event ID 853: TPM not available](#issue-1)
+- [Event ID 853: Bootable media detected](#issue-2)
+- [Event ID 854: WinRE not configured](#issue-3)
+- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4)
+- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5)
+- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6)
+- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7)
+
+For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
+
+## <a id="issue-1"></a>Event ID 853: TPM not available
+
+![](./images/4509190_en_1.png)
+
+### Cause
+
+Device may not have a TPM chip or it might be disabled from BIOS
+
+### Resolution
+
+TPM needs to be enabled in BIOS and you can check the TPM status running tpm.msc from Run. TPM needs to be in ready state (TPM version 2.0)
+
+## <a id="issue-2"></a>Event ID 853: Bootable media detected
+
+![](./images/4509191_en_1.png)
+
+### Cause
+
+During BitLocker and TPM provisioning, the platform takes into account any additional removable media connected to the system as the normal platform verification parameters.
+
+As such if BitLocker provisioning continues with removable media being attached to the device, on absence of those media drives, it would prompt for the BitLocker Recovery as the platform verification will detect changes in parameters.
+
+Windows 10 takes care of this situation and does not starts the BitLocker provisioning if it detects that additional removable media is connected.
+
+### Resolution
+
+Remove the bootable media and restart. Check the encryption status post restart.
+
+## <a id="issue-3"></a>Event ID 854: WinRE not configured
+
+![](./images/4509192_en_1.png)
+
+### Cause
+
+Windows Recovery Environment (WinRE) is the minimal OS based on Windows Preinstallation Environment (WinPE) which includes a number of tools to recover, reset and diagnose Windows.
+
+If the main OS doesn’t boot on some reason, the computer tries to run WinRE.
+
+In case of Silent Bitlocker Encryption, Bitlocker encryption is enabled on OS drive while Windows is still in Pre Boot Environment (Win PE). This is to protect the OS drive contents.
+
+As such it is necessary to have WinRE (Recovery Environment) enabled so that Windows can be recovered in any system crash issues.
+
+During Windows 10 installation, Windows automatically creates a system partition for recovery.
+
+### Resolution
+
+Check if WinRE is enabled. Run the command **reagentc /info** on an elevated command prompt:
+
+![](./images/4509193_en_1.png)
+
+If disabled, to fix this issue or configure WinRE, you need to run command **reagentc /enable** in administrative command prompt.
+
+> [!IMPORTANT]
+> This command will work only if you did not made any changes to the system partitions as created by Windows in default. Windows 10 during installation by default creates a recovery partition (499MB) which will contain the Winre.wim file:
+> ![](./images/4509194_en_1.png)
+
+Running the **diskpart \> list volume** command will show you the volumes as created on the hard drive. If you see that Volume 1 status is not healthy, you are out of luck and would require to re-install Windows:
+
+![](./images/4509195_en_1.png)
+
+If the partition status is heathy, but running the **reagentc /enable** command gives you an error, you can go and check the BCD entry if Windows Boot Loader contains the recovery sequence GUID by running **bcdedit /enum all**.
+
+![](./images/4509196_en_1.png)
+
+In the list of boot variants, find the Windows Boot Loader section with **identifier={current}**. The GUID value of the **recoverysequence** attribute should be unique and not a string of zeros.
+
+BCD config is out of Intune scope so I will not dig into it.
+
+## <a id="issue-4"></a>Event ID 851: Contact manufacturer for BIOS upgrade
+
+![](./images/4509197_en_1.png)
+
+### Cause
+
+Silent Bitlocker Encryption requires UEFI BIOS as it does not supports BIOS in legacy mode. Check the BIOS mode by using msinfo32.
+
+![](./images/4509198_en_1.png)
+
+### Resolution
+
+You need to enable UEFI BIOS by booting to BIOS if your device supports EFI/UEFI. If your device only supports legacy BIOS, then you are out of luck.
+
+## <a id="issue-5"></a>Error message: Conflicting Group Policy settings for recovery options on operating system drives
+
+You receive a message that resembles the following:
+
+> Error: BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
+
+### Resolution
+
+You need to get rid of the conflicting GPO.
+
+## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
+
+You receive a message that resembles the following:
+
+> Error: BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client.
+
+### Cause
+
+Check to see if the system TPM supports PCR \[7\] and is used by BitLocker/Device Encryption. Run the command **Manage-bde -protectors -get %systemdrive%**.
+
+![](./images/4509199_en_1.png)
+
+If PCR validation profile doesn't show that BitLocker uses Secure Boot for integrity validation (for example, PCR validation profile says PCR 0, 2, 4, 11), this indicates that BitLocker cannot use PCR \[7\] which is a requirement for silent encryption.
+
+![](./images/4509200_en_1.png)
+
+### Resolution
+
+Ensure Secure Boot is enabled in UEFI settings. Run **msinfo32** to check:
+
+![](./images/4509201_en_1.png)
+
+However if you see something like below, your device does not have support:
+
+![](./images/4509202_en_1.png)
+
+## Verifying that BitLocker is operating correctly
+
+![](./images/4509203_en_1.png)
+
+![](./images/4509204_en_1.png)
+
+You can also verify if the Bitlocker Recovery Key has been uploaded to Azure by checking the device details from under Azure AD devices section.
+
+![](./images/4509205_en_1.png)
+
+Registry path to verify the Bitlocker policy as delivered to the device: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
+
+![](./images/4509206_en_1.png)
+
+The registry path **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device** will contain all the policy as received/enforced by the MDM
+
+## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a
+
+When deploying Intune Policy to encrypt the device and store the recovery key into Azure Active Directory might fail with Error 0x80072f9a on Windows 10 1809, after enabling the option **Allow standard users to enable encryption during Azure AD Join**.
+
+Checking the event viewer, Bitlocker API Log, you will see the following events:
+
+> Event ID:846
+> 
+> Event:
+> 
+> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
+> 
+> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
+> 
+> Error: Unknown HResult Error code: 0x80072f9a
+> 
+> \------------------------------------------------------------------------------
+
+> Event ID:778
+> 
+> Event: The BitLocker volume C: was reverted to an unprotected state.
+> 
+> \------------------------------------------------------------------------
+
+> Event ID: 851
+> 
+> Event:
+> 
+> Failed to enable Silent Encryption.
+> 
+> Error: Unknown HResult Error code: 0x80072f9a.
+> 
+The issue affects Windows v1809, and this is because the BitLocker MDM policy Refresh fails with an access denied when impersonating the logged on Azure AD user on the PCPKEY file i.e. Private Key for the cert used for Azure AD Communication.
+
+### Cause
+
+The logged on user does not have permission to read the private key on the certificate that is generated during joining the Azure AD
+
+### Resolution
+
+In order to resolve this issue please install [kb4497934](https://support.microsoft.com/en-us/help/4497934/windows-10-update-kb4497934)

windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md

@@ -0,0 +1,93 @@
+---
+title: BitLocker Network Unlock known issues
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+# BitLocker Network Unlock--known issues
+
+Use BitLocker without entering a PIN at startup
+
+The most recommended way would be to use the “Network Unlock” feature using which the device could be unlocked remotely without user intervention.
+
+For general guidelines about how to troubleshoot Network Unlock, see [Troubleshoot Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock)
+
+<a id="list"></a>
+
+- [Surface: Bitlocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack](#scenario-1)
+- [Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer](#scenario-2)
+- [Unable to use Bitlocker Network Unlock feature on Windows client computer](#scenario-4)
+
+## <a id="scenario-1"></a>Surface: Bitlocker Network unlock does not work on Surface Pro 4 device due to incorrect configuration of UEFI network stack
+
+### Symptom
+
+Bitlocker Network unlock was configured as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock).
+
+UEFI is set for DHCP, however, when booting a prompt for the PIN is still shown.
+
+Testing with another device (HP Elite X2 tablet) we could conclude that the Bitlocker Network unlock configuration is correct.
+
+### Cause
+
+Very likely network stack was not configured correctly.
+
+### Resolution
+
+SEMM is required to enable the network stack, it is not visible in the UI. Otherwise, setting network as the first boot option will also allow network stack loading in the UEFI if we cannot use SEMM.
+
+For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/en-us/surface/enroll-and-configure-surface-devices-with-semm)
+
+[Back to list](#list)
+
+## <a id="scenario-2"></a>Tip: Detect programmatically whether BitLocker Network Unlock is enabled on a specific computer
+
+Applies for both x64 and x32 UEFI systems.
+
+Detect the following values:
+
+- Registry entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1**
+- A Network Unlock protector (key protector of type **TpmCertificate (9)**) exists on the boot volume
+- A registry entry exists in the **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** subkey that matches the name of the certificate thumbprint of the Network Unlock protector
+
+[Back to list](#list)
+
+## <a id="scenario-4"></a>Unable to use Bitlocker Network Unlock feature on Windows client computer
+
+From [A Windows 8-based client computer does not use the BitLocker Network Unlock feature](https://internal.support.services.microsoft.com/en-us/help/2891694/a-windows-8-based-client-computer-does-not-use-the-bitlocker-network-u)
+
+On a Windows 8-based client computer, you are prompted to enter the BitLocker PIN to start Windows. This occurs even though the computer is connected through an Ethernet cable to the physical corporate LAN and the BitLocker Network Unlock feature is enabled and implemented.
+
+### Cause
+
+A Windows 8-based or Windows Server 2012-based client computer sometimes may not receive or use the Network Unlock Protector feature, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
+
+Any message that is received by a DHCP server that includes a DHCP message option type 51 is assumed to have been sent by a DHCP client. Messages that do not have the DHCP Message Type option are assumed to have been sent by a BOOTP client.
+
+- The DHCP DISCOVER\REQUEST that is sent by the BitLocker Network Unlock client in its first two requests has the Message Type option. This means that the requests are DHCP protocol based.  
+- The DHCP request (that is, the third request) that is sent by client does not have the Message Type option. This means that the request is BOOTP protocol based.
+
+A DHCP server that supports BOOTP clients must interact with BOOTP clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (That is, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.)
+
+The server marks a binding for a BOOTP client as BOUND after the server sends the BOOTP BOOTREPLY message. A non-DHCP client will not send a DHCPREQUEST message, nor will that client expect a DHCPACK message.
+
+DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions.
+
+This means that as long as a DHCP server supports BOOTP clients, the DHCP server will reply to BOOTP requests.
+
+If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
+
+### Resolution
+
+To resolve this issue, turn off the BOOTP option on the DHCP server, log on to the DHCP server, and then change the DHCP option from DHCP and BOOTP to DHCP
+
+[Back to list](#list)

windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md

@@ -0,0 +1,271 @@
+---
+title: Troubleshoot BitLocker recovery scenarios
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+# Troubleshoot BitLocker recovery scenarios
+
+<a id="list"></a>
+
+- [Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key](#scenario-1)
+- [](#scenario-2)
+- ["Manage-bde -forcerecovery" command is unsupported for testing recovery mode on tablet devices](#scenario-3)
+- [Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device](#scenario-4)
+- [Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000](#scenario-5)
+- [Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000](#scenario-6)
+- [Intune: Troubleshooting BitLocker enforcement](#scenario-7)
+
+## <a id="scenario-1"></a>Windows 10 asks for a BitLocker recovery key even though you did not set up a recovery key
+
+### Symptom
+
+Windows 10 prompts you for a BitLocker recovery key. However, you have not configured a BitLocker recovery key.
+
+### Resolution
+
+The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses two situations that may produce this symptom, and provides information about how to resolve the issue:
+
+- [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain)
+- [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup)
+
+[Back to list](#list)
+
+## <a id="scenario-2"></a>Scenario 2
+
+We have a Windows 10 Home laptop which is being used by one onsite engineers. He is in California and spilled Coffee in his laptop on Wednesday. The laptop will not work but the hard drive is good. When we hook it up to a docking station, it asks us for a bit locker encryption key to access the drive. Whomever used the laptop before must have turned on bit locker. We have no way of knowing the bit locker password. We need the data in My Documents. It is a SSD drive and is in good condition.
+
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**.
+
+[Back to list](#list)
+
+## <a id="scenario-3"></a>"Manage-bde -forcerecovery" command is unsupported for testing recovery mode on tablet devices
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/3119451/manage-bde-forcerecovery-command-is-unsupported-for-testing-recovery-m>
+
+### Symptoms
+
+Assume that you have a tablet or slate device, and you're trying to test the recovery method by running the following command:
+
+```cmd
+Manage-bde -forcerecovery
+```
+
+However, when you enter the recovery password, your device goes into a no-boot state.
+
+> [!NOTE]
+> Running **manage-bde -forcerecovery** is not supported on tablet devices.
+
+### Cause
+
+This issue occurs because boot manager cannot handle touch input during pre-boot time. If boot manager detects that the machine profile is for a tablet or slate device, it redirects to the Windows Recovery Environment (WinRE), which can handle touch input. WinRE then performs a PCR reseal if the TPM protector on the disk is present. If the **manage-bde -forcerecovery** command is used, the TPM protectors are deleted. Therefore, WinRE cannot reseal the PCRs. This triggers an infinite BitLocker recovery cycle, and therefore you can't boot to Windows.
+
+This behavior is by design for all versions of Windows.
+
+> [!NOTE]
+> This issue may occur on any Windows 8-based tablet device, not just on Surface devices.
+
+### Resolution
+
+To resolve this issue, follow these steps:
+
+1. On the BitLocker recovery screen, select **Skip this drive**.
+1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
+1. Enter the following commands in the Command Prompt window:
+   ```cmd
+   manage-bde –unlock C: -rp <48-digit numerical recovery key>
+   manage-bde -protectors -disable C:
+   ```
+1. Exit the command prompt.
+1. Shut down the device.
+   When you restart the device, Windows should start.
+
+[Back to list](#list)
+
+## <a id="scenario-4"></a>Prompted for BitLocker recovery key after installing updates to Surface UEFI or TPM firmware on Surface device
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/4057282/bitlocker-recovery-key-prompt-after-surface-uefi-tpm-firmware-update>
+
+### Symptoms
+
+You encounter one or more of the following symptoms on your Surface device:
+
+- At startup, you are prompted for your BitLocker recovery key, and you enter the correct recovery key, but Windows doesn’t start up.
+- You boot directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
+- Your Surface device appears to be in an infinite restart loop.
+
+### Cause
+
+This behavior can occur in the following scenario:
+
+1. BitLocker is enabled and configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11, for example when:
+
+   - Secure Boot is turned off.
+   - PCR values have been explicitly defined, such as by Group Policy.
+
+1. You install a firmware update that updates the firmware of the device TPM or changes the signature of the system firmware. For example, you install the Surface dTPM (IFX) update.
+
+> [!NOTE]
+> You can verify the PCR values that are in use on a device by running the following command from an elevated command prompt:
+> ```cmd
+> manage-bde.exe -protectors -get \<OSDriveLetter\>:
+> ```
+
+> [!NOTE]
+> PCR 7 is a requirement for devices that support Connected Standby (also known as InstantGO or Always On, Always Connected PCs), including Surface devices. On such systems, if the TPM with PCR 7 and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. For more information see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://technet.microsoft.com/library/jj679890\(v=ws.11\).aspx?#About%20the%20Platform%20Configuration%20Register%20\(PCR\)).
+
+### Workarounds
+
+#### Method 1: Suspend BitLocker during TPM or UEFI firmware updates
+
+You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying updates to TPM or UEFI firmware by using [Suspend-BitLocker](https://technet.microsoft.com/library/jj649830\(v=wps.630\).aspx).
+
+> [!NOTE]
+> TPM and UEFI firmware updates may require multiple reboots during installation. So suspending BitLocker must be done through the [Suspend-BitLocker](https://technet.microsoft.com/library/jj649830\(v=wps.630\).aspx) cmdlet and using the Reboot Count parameter to specify a number of reboots greater than 2 to keep BitLocker suspended during the firmware update process. A Reboot Count of 0 will suspend BitLocker indefinitely, until BitLocker is resumed through the PowerShell cmdlet [Resume-BitLocker](https://technet.microsoft.com/library/jj649834\(v=wps.630\).aspx) or another mechanism.
+
+To suspend BitLocker for installation of TPM or UEFI firmware updates:
+
+1. Open an administrative PowerShell session.
+1. Enter the following cmdlet and press Enter:  
+   ```ps
+   Suspend-BitLocker -MountPoint "*C*:" -RebootCount 0  
+   ```
+   where *C:* is the drive assigned to your disk
+1. Install Surface device driver and firmware updates.
+1. Following successful installation of the firmware updates, resume BitLocker by using the [Resume-BitLocker](https://technet.microsoft.com/library/jj649834\(v=wps.630\).aspx) cmdlet as follows:  
+   ```ps
+   Resume-BitLocker -MountPoint "*C*:"
+   ```
+
+#### Method 2: Enable Secure Boot and restore default PCR values
+
+We strongly recommend that you restore the default and recommended configuration of Secure Boot and PCR values after BitLocker is suspended to prevent entering BitLocker Recovery when applying future updates to TPM or UEFI firmware.
+
+To enable Secure Boot on a Surface device that has BitLocker enabled:
+
+1. Suspend BitLocker by using the Suspend-BitLocker cmdlet as described in Method 1.
+1. Boot your Surface device to UEFI by using one of the methods defined in [Using Surface UEFI on Surface Laptop, new Surface Pro, Surface Studio, Surface Book, and Surface Pro 4](https://support.microsoft.com/help/4023531/surface-using-surface-uefi-on-surface-laptop--new-surface-pro--surface).
+1. Select the Security section.
+1. Click Change Configuration under "Secure Boot."
+1. Select Microsoft Only and click OK.
+1. Select Exit, and then Restart to reboot the device.
+1. Resume BitLocker by using the Resume-BitLocker cmdlet as described in Method 1.
+
+To change the PCR values used to validate BitLocker Drive Encryption:
+
+1. Disable any Group Policies that configure PCR, or remove the device from any groups where such policies apply. See "Deployment Options" at [BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521\(v=ws.10\).aspx#BKMK_deployment) for more information.
+1. Suspend BitLocker by using the Suspend-BitLocker cmdlet as described in Method 1.
+1. Resume BitLocker by using the Resume-BitLocker cmdlet as described in Method 1.
+
+#### Method 3: Remove protectors from the boot drive
+
+If you have installed a TPM or UEFI update and your device is unable to boot, even when the correct BitLocker Recovery Key is entered, you can restore the ability to boot by using the BitLocker recovery key and a Surface recovery image to remove the BitLocker protectors from the boot drive.
+
+To remove the protectors from the boot drive by using your BitLocker recovery key:
+
+1. Obtain your BitLocker recovery key from [go.microsoft.com/fwlink/p/?LinkId=237614](http://go.microsoft.com/fwlink/p/?LinkId=237614), or if BitLocker is managed by other means such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator.
+1. From another computer, download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage) and create a USB recovery drive.
+1. Boot from the USB Surface recovery image drive.
+1. Select your operating system language when you are prompted.
+1. Select your keyboard layout.
+1. Select Troubleshoot.
+1. Select Advanced Options.
+1. Select Command Prompt.
+1. Run the following commands:  
+   ```cmd
+   manage-bde -unlock -recoverypassword *\<password\> C*:  
+   manage-bde -protectors -disable *C*:  
+   ```
+   where *C:* is the drive assigned to your disk and *\<password\>* is your BitLocker recovery key as obtained in step 1.  
+   > [!NOTE]
+   > For more information about using this command, see the Microsoft Docs article [Manage-bde: unlock](https://technet.microsoft.com/library/ff829854\(v=ws.11\).aspx).
+1. Reboot the computer.
+1. When you are prompted, enter your BitLocker recovery key as obtained in step 1.
+
+> [!NOTE]
+> After disabling the BitLocker protectors from your boot drive, your device will no longer be protected by BitLocker Drive Encryption. You can re-enable BitLocker by selecting Start, typing Manage BitLocker and pressing Enter to launch the BitLocker Drive Encryption Control Panel applet and following the steps to encrypt your drive.
+
+#### Method 4: Recover data and reset your device with Surface Bare Metal Recovery (BMR)
+
+To recover data from your Surface device if you are unable to boot into Windows:
+
+1. Obtain your BitLocker recovery key from <https://go.microsoft.com/fwlink/p/?LinkId=237614>, or if BitLocker is managed by other means such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator.
+1. From another computer, download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage) and create a USB recovery drive.
+1. Boot from the USB Surface recovery image drive.
+1. Select your operating system language when you are prompted.
+1. Select your keyboard layout.
+1. Select Troubleshoot.
+1. Select Advanced Options.
+1. Select Command Prompt.
+1. Run the following command:  
+   ```cmd
+   manage-bde -unlock *-*recoverypassword *\<password\> C*:  
+   ```
+   where *C:* is the drive assigned to your disk and *\<password\>* is your BitLocker recovery key as obtained in step 1
+1. After the drive is unlocked, use copy or xcopy commands to copy the user data to another drive.  
+   > [!NOTE]
+   > For more information about the these commands, see the [Windows Command Line Reference](https://technet.microsoft.com/library/cc771254\(v=ws.11\).aspx).
+
+To reset your device by using a Surface recovery image: Follow the instructions in  "How to reset your Surface using your USB recovery drive" at [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  
+
+[Back to list](#list)
+
+## <a id="scenario-5"></a>Some devices running Windows 10 with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000
+
+Reference: <https://internal.support.services.microsoft.com/en-us/help/4505821/some-devices-running-windows-10-with-hyper-v-enabled-may-start-into-bi>
+
+### Symptoms
+
+After installing an affected update and restarting, some devices running Windows 10, Version 1703, Windows 10, version 1607 or Windows Server 2016 with Hyper-V enabled may enter BitLocker recovery mode and receive an error, "0xC0210000".
+
+### Workaround
+
+If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE) using the following steps:
+
+1. Retrieve the 48-digit BitLocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when BitLocker was first enabled.
+1. From the recovery screen, press the enter key and enter the recovery password when prompted.
+1. If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
+1. Select Advanced options then Troubleshoot then Advanced options then Command Prompt.
+1. Unlock drive by using the following command: 
+   ```cmd
+   Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
+   ```
+1. Suspend BitLocker by using the following command:  
+   ```cmd
+   Manage-bde -protectors -disable c:
+   ```
+1. Exit the command window using the command: `exit`
+1. Select Continue from recovery environment.
+1. The device should now start Windows.  
+1. Once started, launch an elevated Command Prompt (i.e. run Command Prompt as administrator) and resume the BitLocker to ensure the system remains protected, using the command: `Manage-bde -protectors -enable c:`  
+
+> [!IMPORTANT]
+> The steps in this workaround need to be followed on every system start unless BitLocker is suspended before restarting.**
+
+To prevent this issue, execute the following command to temporarily suspend BitLocker just before restarting the system: 
+   ```cmd
+   Manage-bde -protectors -disable c: -rc 1
+   ```
+
+> [!NOTE]
+> This command will suspend BitLocker for one restart of the device (`-rc 1` option only works inside OS and does not work from recovery environment).
+
+
+{check update KBs--WA no longer needed with updates?}
+This issue is now resolved for all platforms in the following updates:  
+
+- [KB4507450](https://internal.support.services.microsoft.com/en-us/help/4507450) LCU for Windows 10, version 1703.
+- [KB4507460](https://internal.support.services.microsoft.com/en-us/help/4507460) LCU for Windows 10, version 1607 and Windows Server 2016.
+
+[Back to list](#list)
+

windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md

@@ -0,0 +1,224 @@
+---
+title: BitLocker and TPM known issues
+description: 
+ms.reviewer: 
+ms.prod: w10
+ms.sitesec: library
+ms.localizationpriority: medium
+author: Teresa-Motiv
+ms.author: v-tea
+manager: kaushika
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 9/19/2019
+---
+
+
+
+# BitLocker and TPM--known issues
+
+[Troubleshoot the TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm)
+
+<a id="list"></a>
+
+- [](#scenario-1)
+- [](#scenario-2)
+
+## Scenario 1
+
+
+### Symptom: The TPM is defending against dictionary attacks and is in a time-out period (specific to AAD)
+
+Not able to acquire a PRT can lead to various issues
+
+- Windows Hello for business not working
+- Conditional access failing
+- SSO not working.
+
+On the client machine collect the output of DSREGCMD /STATUS, under User state or SSO State look for AzureAdPrt, if the Value is "NO" then the user did not get a PRT. One of the reason the PRT was not issued is the Device authentication failed. The device was not able to present it's certificate for some reason.
+
+> Log Name: System  
+> Source: Microsoft-Windows-TPM-WMI  
+> Date: \<Date and Time\>  
+> Event ID: 1026  
+> Task Category: None  
+> Level: Information  
+> Keywords:  
+> User: SYSTEM  
+> Computer: \<Computer name\>  
+> Description:  
+> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.  
+> Error: The TPM is defending against dictionary attacks and is in a time-out period.  
+> Additional Information: 0x840000  
+>  
+
+#### Resolution
+
+The above events are indicating the TPM is not ready or has some setting that is preventing from accessing the TPM keys.
+
+Launch TPM.MSC and see if you get the option to unlock the TPM or reset the lockout. If not then the only option is to initialize the TPM. Before you do this,
+
+1. Check the BIOS settings for TPM for any setting to reset the lockout or disable it.
+
+1. Have the customer engage the hardware vendor on getting this fixed.
+
+Initializing the TPM or clearing the TPM might break other applications like bitlocker. if customer is not using bitlocker or no other service depends on TPM the below steps can be followed to clear the TPM
+
+To clear / reset the TPM:  
+
+1. Open the Windows Defender Security Center app.
+
+1. Click Device security.
+
+1. Click Security processor details.
+
+1. Click Security processor troubleshooting.
+
+1. Click Clear TPM.
+
+   You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.  
+
+
+### EST/WIN8.1/ Unable to enable Bitlocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
+
+Unable to enable Bitlocker ,getting error msg "The TPM is defending against dictionary attacks and is in a time-out period." on Surface pro 3 named "{NAMEPII}-8744853".
+
+### Cause
+
+TPM Lockout
+
+### Resolution
+
+open Powershell as Admin $Tpm = Get-WmiObject -class Win32\_Tpm -namespace "root\\CIMv2\\Security\\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} - Reboot - if prompted at boot screen agree with F12 - Try again to configure Bitlocker (we use some scripts, but the GUI is also ok J)
+
+### PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period
+
+[PTSMEDEP\PRE\W8.1\unable to enable bitlocker with error The TPM is defending against dictionary attacks and is in a time-out period.](https://internal.support.services.microsoft.com/en-us/help/4327939)
+
+This Surface Pro 3 was shipped with Windows 10 and reimaged with Windows 8.1.  Bitlocker can not be enabled.
+The TPM on this computer is currently locked out.
+
+Classification Path: Routing Surface Pro\Software Issues (Windows 8.1)\BitLocker or device encryption
+
+### Resolution
+
+When we tried to Prepare the TPM using tpm.msc console of the Surface Pro 3, we received the error "The TPM is defending against dictionary attacks and is in a time-out period." We rebooted into BIOS, disabled TPM and when we booted into OS, the tpm.msc showed “Compatible Trusted Platform Module (TPM) cannot be found on this computer. verify that this computer has 1.2 TPM and its is turned on in the BIOS “ We then booted into BIOS, enabled the TPM and then we found that it required us to clear the existing TPM keys and rebooted. Now, we were able to successfully prepare the TPM and the TPM state was “ready for use”. Now, we started the encryption on OS drive with TPM protector and the encryption was successful.
+
+## Scenario 2: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
+
+Reference: [https://internal.support.services.microsoft.com/en-us/help/4313961](https://internal.support.services.microsoft.com/en-us/help/4313961)
+
+### Symptom
+
+You are not able to view the TPM management console on your Windows 10 v1703 machine. Error message/code: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY The device that is required by this cryptographic provider is not ready for use.TPM Spec version: TPM v1.2Firmware type: {Namepii}OS: Windows 10 Enterprise v1703 Build 15063.540System Name: {NAMEPII}-5510System Model: {Namepii} Inc. Precision 5510
+
+### Cause (suspected)
+
+Hardware/firmware issues within TPM.
+
+### Resolution
+
+Recommended action plan: After consulting with the TPM feature team, We advised you to test this out on a different device of the same model. Apart from that we also suggested you to switch the TPM operation mode to Spec v1.2 to v2.0 and check if the issue continues to occur.Current status: As of now, you have reached out to {Namepii} to get the mainboard on the device replaced by 18th August. Post that you will be changing the operation mode of TPM to 2.0 to see if that resolves the problem. Since we don’t have any active troubleshooting plan we are closing this case temporarily for now and we will re-engage on 10 AM EST 26th Sept. to discuss this issue further. I will be sending you a meeting invite for the same.
+
+
+
+## Scenario 3: Troubleshooting hybrid Azure Active Directory joined devices failure due to TPM
+
+Reference: [https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
+
+### Symptom: 
+
+Get the device status to see if the device is Hybrid Joined or failed to Hybrid Join. Execute the command **DSREGCMD /STATUS **
+
+If the device is Hybrid Joined the following will be set:
+
+- **AzureAdJoined: YES**
+- **DomainName: \<on-prem Domain name\>**
+
+If AzureAdJoined is set to **NO** then the device is not Hybrid Azure AD Joined.
+
+### Cause
+
+Windows operating system is not the owner of the TPM
+
+#### Error 1: NTE\_BAD\_KEYSET (0x80090016/-2146893802)  
+ 
+- **Reason:** TPM operation failed or was invalid
+
+- **Resolution:** Likely due to a bad sysprep image. Ensure the machine from which the sysprep image was created is not Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
+
+Reference: [https://internal.support.services.microsoft.com/en-us/help/4467030](https://internal.support.services.microsoft.com/en-us/help/4467030)
+
+#### Error 2: TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)
+
+- **Reason:** Generic TPM error.
+
+- **Resolution:** Disable TPM on devices with this error. Windows 10 version 1809 and higher automatically detects TPM failures and completes hybrid Azure AD join without using the TPM.
+
+#### Error 3: TPM\_E\_NOTFIPS (0x80280036/-2144862154)
+
+- **Reason:** TPM in FIPS mode not currently supported.
+
+- **Resolution:** Disable TPM on devices with this error. Windows 1809 automatically detects TPM failures and completes hybrid Azure AD join without using the TPM.
+
+#### Error 4: NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)
+
+- **Reason:** TPM locked out.
+
+- **Resolution:** Transient error. Wait for the cooldown period. Join attempt after some time should succeed. More Information can be found in the article [TPM fundamentals](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#anti-hammering)
+
+## Scenario 4: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
+
+
+### Symptom: 
+Unable to backup TPM Information to ADDS.
+
+### Cause
+
+Insufficient permissions for SELF on TPM Devices Container.
+
+### Resolution  
+
+1. Problem - LDAP trace between client and DC to find cause of ACCESS DENIED error 0x80070005 - 12/20/2016 12:52 AM
+
+Errors seen in the LDAP traces : ldap\_modify call for CN=TestOU,CN=TPM Devices,DC=XYZ,DC=com which is failing with Insufficient Rights.
+
+1. Run following command to identify the TPM Attributes :
+
+Get-ADComputer -Filter {Name -like "TPMTest"} -Property 1. | Format-Table name,msTPM-TPMInformationForComputer TPMTest – Is the name of my test computer which has the attribute filled.
+
+1. Provided proper permissions of SELF:
+
+Reference: [https://internal.support.services.microsoft.com/en-us/help/4337282](https://internal.support.services.microsoft.com/en-us/help/4337282)
+
+## Scenario 5: 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
+
+Reference: [https://internal.support.services.microsoft.com/en-us/help/4319021](https://internal.support.services.microsoft.com/en-us/help/4319021)
+
+Support Topic: Routing Windows V3\Group Policy\Managing BitLocker configuration through Group Policy
+
+### Symptom: 
+
+We have already run the adprep as mention when we did a upgrade to our domain a while ago.
+
+We have GPO setup for storing the keys and tpm info as well.
+
+Prepare the TPM gives error:
+
+> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
+
+
+
+### Cause
+
+Add-TPMSelfWriteACE.vbs {available?}
+
+### Resolution
+
+DC: Windows Server 2012 r2. The attributes include ms-TPM-OwnerInformation and msTPM-TpmInformationForComputer are present.
+
+We noticed that he had not added the self-write permissions for the computer objects. So, we downloaded the script Add-TPMSelfWriteACE.vbs and modified the value of strPathToDomain to your domain.Post modification, ran Add-TPMSelfWriteACE.vbs and it ran successfully.We then discovered that the domain and forest functional level are still at 2008 R2 and we wanted to update them first Post updating the domain and forest functional level and setting the required permissions , he confirmed that he was able to successfully back up the TPM information to Active Directory without error : “0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled”.
+
+- [Back up the TPM Recovery Information to AD DS](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds)
+- [Prepare your organization for BitLocker: Planning and Policies](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies)