From 30c0c15ff56689ca8ebf030116472141ba4d5c69 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 12:58:01 +0530 Subject: [PATCH 01/13] Update ts-bitlocker-decode-measured-boot-logs.md --- .../ts-bitlocker-decode-measured-boot-logs.md | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 3e2cdad741..61a705e835 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -16,25 +16,25 @@ ms.date: 10/17/2019 ms.custom: bitlocker --- -# Decode Measured Boot logs to track PCR changes +# Decode measured boot logs to track PCR changes -Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode. +Platform configuration registers (PCRs) are memory locations in the trusted platform module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific changes in PCRs can cause a device or computer to enter BitLocker recovery mode. -By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. +By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or can learn why a device or computer entered BitLocker recovery mode. The measured boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder. This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. -For more information about Measured Boot and PCRs, see the following articles: +For more information about measured boot and PCRs, see the following articles: - [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) - [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices) -## Use TBSLogGenerator to decode Measured Boot logs +## Use TBSLogGenerator to decode measured boot logs -Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: +Use TBSLogGenerator to decode measured boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: - A computer that is running Windows Server 2016 and that has a TPM enabled -- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) +- A gen-2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) To install the tool, follow these steps: @@ -43,15 +43,15 @@ To install the tool, follow these steps: - [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/) - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112) -1. Accept the default installation path. +2. Accept the default installation path. ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png) -1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. +3. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**. ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png) -1. Finish the installation. +4. Finish the installation. To use TBSLogGenerator, follow these steps: @@ -67,12 +67,12 @@ To use TBSLogGenerator, follow these steps: TBSLogGenerator.exe -LF \.log > \.txt ``` where the variables represent the following values: - - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - - \<*LogFileName*> = the name of the file to be decoded - - \<*DestinationFolderName*> = the name of the folder for the decoded text file - - \<*DecodedFileName*> = the name of the decoded text file + - \<*LogFolderName*> = The name of the folder that contains the file to be decoded + - \<*LogFileName*> = The name of the file to be decoded + - \<*DestinationFolderName*> = The name of the folder for the decoded text file + - \<*DecodedFileName*> = The name of the decoded text file - For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: + For example, the following figure shows measured boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: ```cmd TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt @@ -92,9 +92,9 @@ To find the PCR information, go to the end of the file. ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) -## Use PCPTool to decode Measured Boot logs +## Use PCPTool to decode measured boot logs -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file. +PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a measured boot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. @@ -104,10 +104,10 @@ PCPTool.exe decodelog \.log > = the path to the folder that contains the file to be decoded -- \<*LogFileName*> = the name of the file to be decoded -- \<*DestinationFolderName*> = the name of the folder for the decoded text file -- \<*DecodedFileName*> = the name of the decoded text file +- \<*LogFolderPath*> = The path to the folder that contains the file to be decoded +- \<*LogFileName*> = The name of the file to be decoded +- \<*DestinationFolderName*> = The name of the folder for the decoded text file +- \<*DecodedFileName*> = The name of the decoded text file The content of the XML file resembles the following. From 78f2669a0ea26c1355f904132484eff0d749a44a Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 16:00:21 +0530 Subject: [PATCH 02/13] Update ts-bitlocker-intune-issues.md --- .../bitlocker/ts-bitlocker-intune-issues.md | 89 ++++++++++--------- 1 file changed, 45 insertions(+), 44 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 895c4eec13..8c24276e8f 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -37,7 +37,7 @@ If you do not have a clear trail of events or error messages to follow, other ar - [Review the hardware requirements for using Intune to manage BitLocker on devices](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements) - [Review your BitLocker policy configuration](#policy) -For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). +For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). ## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer @@ -47,7 +47,7 @@ Event ID 853 can carry different error messages, depending on the context. In th ### Cause -The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM. +The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. ### Resolution @@ -68,9 +68,9 @@ In this case, you see event ID 853, and the error message in the event indicates ### Cause -During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. +During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. -To avoid this situation, the provisioning process stops if it detects removable bootable media. +To avoid this situation, the provisioning process stops if it detects a removable bootable media. ### Resolution @@ -88,7 +88,7 @@ The event information resembles the following: Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE. -The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. +The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. If WinRE is not available on the device, provisioning stops. @@ -98,11 +98,11 @@ You can resolve this issue by verifying the configuration of the disk partitions #### Step 1: Verify the configuration of the disk partitions -The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following. +The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following: ![Default disk partitions, including the recovery partition](./images/4509194-en-1.png) -To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: +To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands: ``` diskpart @@ -110,7 +110,7 @@ list volume ``` ![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png) -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). +If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager): ![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) @@ -121,7 +121,7 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win ```cmd reagentc /info ``` -The output of this command resembles the following. +The output of this command resembles the following: ![Output of the reagentc /info command](./images/4509193-en-1.png) @@ -133,13 +133,13 @@ reagentc /enable #### Step 3: Verify the Windows Boot Loader configuration -If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: +If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: ```cmd bcdedit /enum all ``` -The output of this command resembles the following. +The output of this command resembles the following: ![Output of the bcdedit /enum all command](./images/4509196-en-1.png) @@ -155,18 +155,18 @@ The event information resembles the following: ### Cause -The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS. +The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS. ### Resolution -To verify the BIOS mode, use the System Information app. To do this, follow these steps: +To verify the BIOS mode, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. +2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png) -1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. +3. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] - > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. + > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device. ## Error message: The UEFI variable 'SecureBoot' could not be read @@ -176,11 +176,11 @@ You receive an error message that resembles the following: ### Cause -A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on. +A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on. ### Resolution -You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps: +You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps: #### Step 1: Verify the PCR validation profile of the TPM @@ -190,40 +190,41 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t Manage-bde -protectors -get %systemdrive% ``` -In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. +In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows: ![Output of the manage-bde command](./images/4509199-en-1.png) -If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. +If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on. ![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png) -#### 2. Verify the Secure Boot state +#### 2. Verify the secure boot state -To verify the Secure Boot state, use the System Information app. To do this, follow these steps: +To verify the secure boot state, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. -1. Verify that the **Secure Boot State** setting is **On**, as follows: +2. Verify that the **Secure Boot State** setting is **On**, as follows: ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png) -1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. +> [!NOTE] +> If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker encryption on this device. ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) > [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` -> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." +> If the computer supports secure boot and secure boot is enabled, this cmdlet returns "True." > -> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." +> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False." > > If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform." ## Event ID 846, 778, and 851: Error 0x80072f9a -In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809 device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. +In this case, you are deploying Intune policy to encrypt a Windows 10, version 1809, device and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. -The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): +The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): > Event ID:846 > @@ -250,13 +251,13 @@ These events refer to Error code 0x80072f9a. These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails. -The issue affects Windows 10 version 1809. +The issue affects Windows 10, version 1809. ### Resolution To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update. -## Error message: There are conflicting Group Policy settings for recovery options on operating system drives +## Error message: There are conflicting group policy settings for recovery options on operating system drives You receive a message that resembles the following: @@ -264,13 +265,13 @@ You receive a message that resembles the following: ### Resolution -To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). +To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN). ## Review your BitLocker policy configuration -For information about how to use policy together with BitLocker and Intune, see the following resources: +For information about the procedure to use policy together with BitLocker and Intune, see the following resources: - [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#managing-devices-joined-to-azure-active-directory) - [BitLocker Group Policy Reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)?redirectedfrom=MSDN) @@ -282,13 +283,13 @@ For information about how to use policy together with BitLocker and Intune, see Intune offers the following enforcement types for BitLocker: -- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.) -- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.) -- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.) +- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10, version 1703, and later versions.) +- **Silent** (Endpoint protection policy. This option is available in Windows 10, version 1803, and later versions.) +- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10, version 1803.) -If your device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. +If your device runs Windows 10, version 1703, or later versions; supports Modern Standby (also known as Instant Go); and is HSTI-compliant, joining the device to Azure AD triggers an automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. -If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: +If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following: ![Intune policy settings](./images/4509186-en-1.png) @@ -303,18 +304,18 @@ The OMA-URI references for these settings are as follows: Value: **0** (0 = Blocked, 1 = Allowed) > [!NOTE] -> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. +> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10, version 1809, or later versions, you can use an endpoint protection policy to enforce silent BitLocker device encryption even if the device is not HSTI-compliant. > [!NOTE] -> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard. +> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard. -If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard. +If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker drive encryption. To do this, the user selects the notification. This action launches the BitLocker drive encryption wizard. The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements: - Be HSTI-compliant - Support Modern Standby -- Use Windows 10 version 1803 or later +- Use Windows 10, version 1803, or later versions ![Intune policy setting](./images/4509188-en-1.png) @@ -325,11 +326,11 @@ The OMA-URI references for these settings are as follows: Value: **1** > [!NOTE] -> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles. +> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. ## Verifying that BitLocker is operating correctly -During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. +During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845. ![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png) From fdbc304e6491fd28919ebcdbf618523fb382bcdb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 17:16:50 +0530 Subject: [PATCH 03/13] Update ts-bitlocker-network-unlock-issues.md --- .../ts-bitlocker-network-unlock-issues.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index b5882849d0..1751050bc3 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -18,20 +18,20 @@ ms.custom: bitlocker # BitLocker Network Unlock: known issues -By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements: +By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, you have to configure your environment to meet the following requirements: - Each computer belongs to a domain - Each computer has a wired connection to the corporate network - The corporate network uses DHCP to manage IP addresses - Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware -For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). +For general guidelines about the procedure to troubleshoot network unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#troubleshoot-network-unlock). -This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues. +This article describes several known issues that you may encounter when you use network unlock feature, and provides guidance to address these issues. -## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer +## Tip: Detect whether BitLocker network unlock is enabled on a specific computer -You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands. +You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands: 1. Open an elevated Command Prompt window and run the following command: @@ -40,15 +40,15 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy ``` where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock. + If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. 1. Start Registry Editor, and verify the following settings: - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1** - - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1. + - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. -## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured +## On a Surface Pro 4 device, BitLocker network unlock does not work because the UEFI network stack is incorrectly configured -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. @@ -61,28 +61,28 @@ The UEFI network stack on the device was incorrectly configured. To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](https://docs.microsoft.com/surface/enroll-and-configure-surface-devices-with-semm). > [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option. +> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. -## Unable to use BitLocker Network Unlock feature on a Windows client computer +## Unable to use BitLocker network unlock feature on a Windows client computer -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. ### Cause -A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. +A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP or WDS server. DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: -- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. +- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. These messages use the Message Type option; therefore, the DHCP server treats them as DHCP messages. +- The third message that the BitLocker network unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message. If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. -For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) +For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) ### Resolution From 15fafb67b421cad79c666afbfba2f0f8876c6484 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Sep 2020 18:46:24 +0530 Subject: [PATCH 04/13] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 112 +++++++++--------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index b9d677c092..cc10bde567 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -18,7 +18,7 @@ ms.custom: bitlocker # BitLocker recovery: known issues -This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues. +This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. > [!NOTE] > In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bitlocker-key-protectors). @@ -29,14 +29,14 @@ Windows 10 prompts you for a BitLocker recovery password. However, you did not c ### Resolution -The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue: +The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue: - [What if BitLocker is enabled on a computer before the computer has joined the domain?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) - [What happens if the backup initially fails? Will BitLocker retry the backup?](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq#what-happens-if-the-backup-initially-fails-will-bitlocker-retry-the-backup) ## The recovery password for a laptop was not backed up, and the laptop is locked -You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. +You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker driver encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. ### Resolution @@ -57,7 +57,7 @@ You can use either of the following methods to manually back up or synchronize a ## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode -You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: +You have a tablet or slate device, and you try to test BitLocker recovery by running the following command: ```cmd Manage-bde -forcerecovery @@ -70,7 +70,7 @@ However, after you enter the recovery password, the device cannot start. > [!IMPORTANT] > Tablet devices do not support the **manage-bde -forcerecovery** command. -This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input. +This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. @@ -80,20 +80,20 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: -1. On the BitLocker Recovery screen, select **Skip this drive**. -1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : +1. On the **BitLocker Recovery** screen, select **Skip this drive**. +2. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. +3. In the Command Prompt window, run the following commands : ```cmd manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: ``` -1. Close the Command Prompt window. -1. Shut down the device. -1. Start the device. Windows should start as usual. +4. Close the Command Prompt window. +5. Shut down the device. +6. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password -You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. +You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. You experience one or more of the following symptoms on the Surface device: @@ -105,14 +105,14 @@ You experience one or more of the following symptoms on the Surface device: This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way: -- Secure Boot is turned off. -- PCR values have been explicitly defined, such as by Group Policy. +- Secure boot is turned off. +- PCR values have been explicitly defined, such as by group policy. -Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). +Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and secure boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). ### Resolution -To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: +To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command: ```cmd manage-bde.exe -protectors -get : @@ -129,25 +129,25 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. -1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. -1. Insert the USB Surface recovery image drive into the Surface device, and start the device. -1. When you are prompted, select the following items: +2. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. +3. Insert the USB Surface recovery image drive into the Surface device, and start the device. +4. When you are prompted, select the following items: 1. Your operating system language. - 1. Your keyboard layout. -1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: + 2. Your keyboard layout. +5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. +6. In the Command Prompt window, run the following commands: ```cmd manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : ``` In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. > [!NOTE] - > For more information about how to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock). -1. Restart the computer. -1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. + > For more information about the procedure to use this command, see [manage-bde: unlock](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-unlock). +7. Restart the computer. +8. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] -> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. #### Step 2: Use Surface BMR to recover data and reset your device @@ -158,41 +158,41 @@ To recover data from your Surface device if you cannot start Windows, follow ste manage-bde -unlock -recoverypassword : ``` In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. -1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. +2. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. > [!NOTE] - > For more information about the these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands). + > For more information about these commands, see the [Windows commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands). 1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512). #### Step 3: Restore the default PCR values -To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values. +To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values. -To enable Secure Boot on a Surface device, follow these steps: +To enable secure boot on a Surface device, follow these steps: -1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: +1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` In this command, <*DriveLetter*> is the letter that is assigned to your drive. -1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. -1. Restart the device. -1. Open an elevated PowerShell window, and run the following cmdlet: +2. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. +3. Restart the device. +1. Open an elevated PowerShell window and run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: -1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. +1. Disable any group policy objects (GPOs) that configure the PCR settings, or remove the device from any groups that enforce such policies. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings). -1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: +2. Suspend BitLocker. To do this, open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. -1. Run the following cmdlet: +3. Run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" @@ -201,38 +201,38 @@ To reset the PCR settings on the TPM, follow these steps: You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. > [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: -> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes. -> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. +> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: +> - **2** or greater: This value sets the number of times the device can restart before BitLocker device encryption resumes. +> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. To suspend BitLocker while you install TPM or UEFI firmware updates: -1. Open an elevated Windows PowerShell window, and run the following cmdlet: +1. Open an elevated Windows PowerShell window and run the following cmdlet: ```ps Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. -1. Install the Surface device driver and firmware updates. -1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: + In this cmdlet, <*DriveLetter*> is the letter that is assigned to your drive. +2. Install the Surface device driver and firmware updates. +3. After you install the firmware updates, restart the computer, open an elevated PowerShell window and then run the following cmdlet: ```ps Resume-BitLocker -MountPoint ":" ``` -To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. ## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000 -You have a device that runs Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000. +You have a device that runs Windows 10, version 1703; Windows 10, version 1607; or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker recovery mode and you see error code 0xC0210000. ### Workaround If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: -1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. -1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. -1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. -1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. -1. In the Command Prompt window, run the following commands: +1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker drive encryption was first turned on. +2. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. +3. If your device starts in WinRE and prompts you for the recovery password again, select **Skip the drive**. +4. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. +5. In the Command Prompt window, run the following commands: ```cmd Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: @@ -243,7 +243,7 @@ If your device is already in this state, you can successfully start Windows afte > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. 1. Select **Continue**. Windows should start. -1. After Windows has started, open an elevated Command Prompt window and run the following command: +2. After Windows has started, open an elevated Command Prompt window and run the following command: ```cmd Manage-bde -protectors -enable c: ``` @@ -262,11 +262,11 @@ Manage-bde -protectors -disable c: -rc 1 To resolve this issue, install the appropriate update on the affected device: - For Windows 10, version 1703: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450) -- For Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460) +- For Windows 10, version 1607, and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460) ## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000 -You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following. +You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the device uses [Virtualization-based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](https://docs.microsoft.com/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time you start the device, the device enters BitLocker recovery mode and you see error code 0xc0210000, and a message that resembles the following: > Recovery > @@ -279,7 +279,7 @@ You have a device that uses TPM 1.2 and runs Windows 10, version 1809. Also, the ### Cause -TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines) +TPM 1.2 does not support secure launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection\#requirements-met-by-system-guard-enabled-machines) For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) @@ -287,5 +287,5 @@ For more information about this technology, see [Windows Defender System Guard: To resolve this issue, do one of the following: -- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch. +- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch. - Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. From a8236c15b87cfb90d9229f9375d90316eba7c272 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 15 Oct 2020 12:16:55 +0530 Subject: [PATCH 05/13] Update ts-bitlocker-intune-issues.md --- .../bitlocker/ts-bitlocker-intune-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 8c24276e8f..2f62005f82 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -210,7 +210,7 @@ To verify the secure boot state, use the System Information application. To do t ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png) > [!NOTE] -> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: +> You can also use the [Confirm-SecureBootUEFI](https://docs.microsoft.com/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps&preserve-view=true) cmdlet to verify the secure boot state. To do this, open an elevated PowerShell window and run the following command: > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` From 7ed055f997bcb462e7ac621641c8b2353d31c040 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 15 Oct 2020 12:29:18 +0530 Subject: [PATCH 06/13] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index cc10bde567..37adca3971 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -201,9 +201,9 @@ To reset the PCR settings on the TPM, follow these steps: You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates. > [!IMPORTANT] -> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps) and set the **Reboot Count** parameter to either of the following values: +> TPM and UEFI firmware updates may require multiple restarts while they are being installed. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values: > - **2** or greater: This value sets the number of times the device can restart before BitLocker device encryption resumes. -> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps) or another mechanism to resume protection. +> - **0**: This value suspends BitLocker drive encryption indefinitely, until you use [Resume-BitLocker](https://docs.microsoft.com/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection. To suspend BitLocker while you install TPM or UEFI firmware updates: From 8ea73725e7a950a549d4fa92116812114e84dc2d Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 16 Oct 2020 14:50:58 +0530 Subject: [PATCH 07/13] Reviewed ts-bitlocker-decode-measured-boot-logs.md --- .../ts-bitlocker-decode-measured-boot-logs.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 61a705e835..a0f7da5771 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -24,12 +24,12 @@ By tracking changes in the PCRs, and identifying when they changed, you can gain This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool. -For more information about measured boot and PCRs, see the following articles: +For more information about MeasuredBoot and PCRs, see the following articles: -- [TPM fundamentals: Measured Boot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) +- [TPM fundamentals: MeasuredBoot with support for attestation](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-fundamentals#measured-boot-with-support-for-attestation) - [Understanding PCR banks on TPM 2.0 devices](https://docs.microsoft.com/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices) -## Use TBSLogGenerator to decode measured boot logs +## Use TBSLogGenerator to decode MeasureBoot logs Use TBSLogGenerator to decode measured boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems: @@ -72,7 +72,7 @@ To use TBSLogGenerator, follow these steps: - \<*DestinationFolderName*> = The name of the folder for the decoded text file - \<*DecodedFileName*> = The name of the decoded text file - For example, the following figure shows measured boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: + For example, the following figure shows MeasuredBoot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: ```cmd TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt @@ -92,9 +92,9 @@ To find the PCR information, go to the end of the file. ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png) -## Use PCPTool to decode measured boot logs +## Use PCPTool to decode MeasuredBoot logs -PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a measured boot log file and converts it into an XML file. +PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a MeasuredBoot log file and converts it into an XML file. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. From 9b61c2e883b2c8840e6a9a8c36630602e14629e9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 18 Nov 2020 07:41:09 -0800 Subject: [PATCH 08/13] Update ts-bitlocker-recovery-issues.md --- .../bitlocker/ts-bitlocker-recovery-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index 37adca3971..f7f20840c5 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -36,7 +36,7 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ address situation ## The recovery password for a laptop was not backed up, and the laptop is locked -You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker driver encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. +You have a Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker drive encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password. ### Resolution From 696e55d78b343158e8af3c9181be5b8d5873eeb2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:23:14 +0530 Subject: [PATCH 09/13] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index f62bc8b545..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From ae5936aa3076b87b3e6bf9fe1a91de5cd6d92aaa Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:38:52 +0530 Subject: [PATCH 10/13] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From de7b847792b57aaa51278e47f26143199fc0cf2d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:43:43 +0530 Subject: [PATCH 11/13] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From a6732e6caec9fc6611eb25aa9a878bc6dbf1d97d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 10:49:02 +0530 Subject: [PATCH 12/13] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index f62bc8b545..6d53e36d70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From c9599777d2e848423946e3fd1b4aa449a1f751e4 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 10 Jun 2022 17:08:58 +0530 Subject: [PATCH 13/13] fixed suggestion --- .../bitlocker/bitlocker-basic-deployment.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index e76c7e5c7b..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -115,7 +115,6 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes |Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7| - |--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|