Various fixes for consistent and reliable layout

This commit is contained in:
Gary Moore 2021-09-30 19:08:57 -07:00
parent e11578a51d
commit 836f00b3ba
3 changed files with 73 additions and 11 deletions

View File

@ -86,13 +86,13 @@ To use TBSLogGenerator, follow these steps:
![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
## Use PCPTool to decode Measured Boot logs
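Review bot: the three lines from "The content of this text file resembles the following." through the ts-tpm-7.png image appear twice in this hunk with identical text, and the header shows the same line count on both sides, so with the before/after markers lost in rendering this must be a whitespace-only change (blank lines around the image references); say so in the commit message so the next reviewer does not have to work it out. While touching these lines, "NotePad" in the alt text should be "Notepad", the product's actual spelling.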
@ -117,4 +117,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg)
:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::
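Review bot: the alt text on the new :::image line, "Command Prompt window that shows an example of how to use PCPTool", contradicts the sentence that introduces it, "The content of the XML file resembles the following." Either the alt text should describe the XML output or the intro sentence should say the image shows the PCPTool command; screen-reader users get only the alt text, so the two need to agree.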

View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png)
:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
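Review bot: "indictors" in the alt text is carried over from the old markdown image into the new :::image line; it should be "indicators". Since the alt text is the only thing a screen reader announces for this status image, fix it in the same change.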
@ -122,6 +122,7 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win
```console
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png)
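Review bot: the `![Output of the reagentc /info command.](./images/4509193-en-1.png)` line is left as a markdown image while the other image references in this commit are converted to `:::image type="content" ... lightbox="...":::`; converting this one too keeps the file consistent and gives readers the lightbox view of the command output, which is the part they need to read closely.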
@ -142,7 +143,7 @@ bcdedit /enum all
The output of this command resembles the following.
![Output of the bcdedit /enum all command.](./images/4509196-en-1.png)
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@ -163,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
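Review bot: the System Information image after step 2 is still a markdown `![...]` reference, unlike the images converted elsewhere in this commit; convert it for consistency. Also check that the `> [!NOTE]` block following step 3 is indented to sit inside the list item; the rendered hunk drops leading whitespace, and an unindented note after a list item ends the list, so the step numbering would restart after it.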
@ -187,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -get %systemdrive%
```
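Review bot: changing the fence tag from `cmd` to `console` is fine, but `Manage-bde` is capitalized here while the later hunks in this commit write `manage-bde`; use the lowercase form throughout so readers copy one consistent command name. The `-protectors -get` call is read-only, which is the right choice for a verification step.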
@ -204,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
>
> ```ps
> PS C:\> Confirm-SecureBootUEFI
> ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."
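Review bot: the new NOTE fences its code with ```ps while every other PowerShell block in this commit uses ```powershell; use the same tag. The `PS C:\> ` prompt inside the block also differs from the other blocks, which contain the bare command, and it gets copied along with the cmdlet. The note covers only the True and False results; since step 3 above deals with the Unsupported state, add that on hardware without Secure Boot support the cmdlet throws an error instead of returning a Boolean. Finally, the alt text "a unsupported Secure Boot State" should read "an unsupported".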

View File

@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows.
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```console
manage-bde unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C:
```
1. Close the Command Prompt window.
1. Shut down the device.
1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
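Review bot: `manage-bde unlock C: -rp <...>` is missing the dash on the verb; manage-bde takes `-unlock`, as the later hunks in this commit write it (`manage-bde -unlock -recoverypassword <Password> <DriveLetter>:`). As written, the command fails and the restart-loop fix cannot proceed. The `<48-digit BitLocker recovery password>` placeholder also differs from the placeholder wording used in the last hunk of this file; pick one and use it in both places.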
@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if
To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items:
1. Your operating system language.
1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>:
```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
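Review bot: the placeholders are escaped inconsistently: `\<*Password*\>` has both angle brackets escaped but `\<*DriveLetter*>` escapes only the opening one. Markdown treats an unescaped `<...>` as inline HTML, so escape both ends on every placeholder, here and in the later hunks. The sub-items "Your operating system language" and "Your keyboard layout" under step 4 must be indented so they render as a nested list; at the top level they would renumber the procedure and break the "step 1" references elsewhere in this file.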
@ -155,11 +175,15 @@ To do this, follow these steps:
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command:
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
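Review bot: "For more information about the these commands" has a doubled article; drop "the". Same placeholder escaping issue as the previous hunk: `\<*DriveLetter*>` needs a closing `\>` to match `\<*Password*\>`.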
@ -172,13 +196,19 @@ To prevent this issue from recurring, we strongly recommend that you restore t
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
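Review bot: "Suspend BitLocker. to do this" needs a capital "To". The placeholder `<*DriveLetter*>` in the explanatory sentence is unescaped and will be swallowed as an HTML tag by the renderer; write it `\<*DriveLetter*\>` as the earlier hunks do.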
@ -186,16 +216,22 @@ To enable Secure Boot on a Surface device, follow these steps:
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
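Review bot: the sentence after the Suspend-BitLocker block reads "where <*DriveLetter*> is the letter assigned to your drive", while the other hunks use "In this command, \<*DriveLetter*\> is the letter that is assigned to your drive."; use one wording and the escaped placeholder throughout. Steps 2 and 3 also run Suspend-BitLocker and Resume-BitLocker back to back, whereas the Secure Boot procedure above restarts between them; if no restart is needed here, a short sentence saying so would stop readers from carrying the restart over from the previous section.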
@ -209,12 +245,18 @@ You can avoid this scenario when you install updates to system firmware or TPM f
To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
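Review bot: "In this cmdlet <*DriveLetter*> is the letter..." needs a comma after "cmdlet" and the escaped placeholder `\<*DriveLetter*\>` for consistency with the other hunks. Step 3 restarts the computer before running Resume-BitLocker; since step 1 suspends with `-RebootCount 0`, a sentence noting that BitLocker stays suspended across that restart until Resume-BitLocker runs would tell readers why the firmware update and restart are safe.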
@ -230,10 +272,15 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```console
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c:
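Review bot: the placeholder `<48 digit numerical recovery password separated by - in 6 digit group>` is hard to read and differs from the `<48-digit BitLocker recovery password>` placeholder used earlier in this file; use one placeholder in both commands and move the format detail (groups of six digits separated by hyphens) into the prose. "starts in the (WinRE)" has stray parentheses, and "Skip the drive" should match the "Skip this drive" label used in the restart-loop procedure above.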
@ -241,10 +288,14 @@ If your device is already in this state, you can successfully start Windows afte
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command:
```console
Manage-bde -protectors -enable c:
```
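Review bot: "The final command closes the Command Prompt window." refers to a command that is not visible in the block above, which shows only the unlock and disable lines; either the `exit` line sits in the unchanged lines between the two hunks or the sentence is stale, so please confirm. `Manage-bde` is capitalized here and in the previous hunk while the rest of this file uses `manage-bde`; use lowercase throughout. In the NOTE, "**-rc 1**" names an option that does not appear in any command shown; spell out the command it belongs to (`manage-bde -protectors -disable c: -rc 1`) so readers know what the recovery environment does not support.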