deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Edits

Browse Source
This commit is contained in:
Teresa-Motiv 2019-10-18 16:12:31 -07:00
parent a89605e013
commit 96a586a9e4
1 changed files with 27 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
View File

@ -16,17 +16,17 @@ ms.date: 10/18/2019
# BitLocker and TPM: other known issues
This article describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues.
## Azure AD: Windows Hello for Business and single sign-on do not work
You have an Azure AD-joined client computer that cannot authenticate properly. You observe one or more of the following issues:
You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms:
- Windows Hello for business not working
- Conditional access failing
- SSO not working.
- Windows Hello for Business does not work.
- Conditional access fails.
- Single sign-on (SSO) does not work.
Additionally, the computer logs event ID 1026, which resembles the following:
Additionally, the computer logs an entry for Event ID 1026, which resembles the following:
> Log Name: System
> Source: Microsoft-Windows-TPM-WMI
@ -46,66 +46,64 @@ Additionally, the computer logs event ID 1026, which resembles the following:
This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys.
Additionally, the observed behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token).
Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token).
### Resolution
To verify the status of the PRT, use the [dsregcmd /status utility](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the utility output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, then the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
To verify the status of the PRT, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication.
To resolve this issue, use the following steps to troubleshoot the TPM:
To resolve this issue, follow these steps to troubleshoot the TPM:
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and in the **Search** box, type **tpm.msc**, and then press **Enter**.
1. If you see a prompt to either unlock the TPM or reset the lockout, follow those instructions.
1. If you do not see such a prompt, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
1. Engage the hardware vendor to find out if there is a known fix for the issue.
1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.
1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
1. Contact the hardware vendor to determine whether there is a known fix for the issue.
1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](https://docs.microsoft.com/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#clear-all-the-keys-from-the-tpm).
> [!WARNING]
> Clearing the TPM can result in data loss.
> Clearing the TPM can cause data loss.
## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use
You have a Windows 10 version 1703 computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
You have a Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following:
> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
> The device that is required by this cryptographic provider is not ready for use.
> TPM Spec version: TPM v1.2
On a different device that's running the same version of Windows, you can open the TPM management console.
On a different device that is running the same version of Windows, you can open the TPM management console.
### Cause (suspected)
These symptoms indicate hardware or firmware issues within the TPM.
These symptoms indicate that the TPM has hardware or firmware issues.
### Resolution
To resolve this issue, use the following steps to troubleshoot the TPM:
To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.
1. Switch the TPM operating mode from version 1.2 to version 2.0.
1. If the preceding action does not resolve the issue, consider replacing the device motherboard.
1. After replacing the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
## Devices fail to join hybrid Azure AD because of a TPM issue
## Devices do not join hybrid Azure AD because of a TPM issue
You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail.
To verify whether the join succeeded, use the [dsregcmd /status utility](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the utility output, the following attributes indicate that the join succeeded:
To verify that the join succeeded, use the [dsregcmd /status command](https://docs.microsoft.com/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
- **AzureAdJoined: YES**
- **DomainName: \<*on-prem Domain name*\>**
If the value of **AzureADJoined** is **No**, then the join failed.
If the value of **AzureADJoined** is **No**, the join failed.
### Causes and Resolutions
This issue may result when the Windows operating system is not the owner of the TPM. The specific remedy for this issue depends on which errors or events you observe:
This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
|Message |Reason | Resolution|
| - | - | - |
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined or registered with Azure AD or hybrid Azure AD. |
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device gives this error, disable its TPM. Windows 10 version 1809 and newer automatically detects TPM failures and completes the hybrid Azure AD join without using the TPM. |
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is not currently supported. |If the device gives this error, disable its TPM. Windows 10 version 1809 and newer automatically detects TPM failures and completes the hybrid Azure AD join without using the TPM. |
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then try the join operation again. |
|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. |
|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
For more information about TPM issues, see the following articles: